1402154 – Python fails to decode X.509 cert with GEN_RID subject alt name

Bug 1402154 - Python fails to decode X.509 cert with GEN_RID subject alt name

Summary: Python fails to decode X.509 cert with GEN_RID subject alt name

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	python
Sub Component:
Version:	24
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Charalampos Stratakis
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-06 22:58 UTC by Rich Megginson
Modified:	2017-01-26 10:03 UTC (History)
CC List:	16 users (show)
Fixed In Version:	python2-2.7.13-1.fc26 python-2.7.13-1.fc25 python-2.7.13-1.fc24
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1364444
Environment:
Last Closed:	2017-01-26 10:03:43 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Python	27691	0	None	None	None	2016-12-06 22:58:23 UTC

Description Rich Megginson 2016-12-06 22:58:23 UTC

+++ This bug was initially created as a clone of Bug #1364444 +++

Description of problem:
Python fails to decode X.509 certificate with a GEN_RID general name in subject alternative names. The problem makes it impossible to verify that a server certificate matches a host name. On the other hand registered id are required for SearchGuard 2.x with Elasticsearch 2.x. #1364268 has more information.

Version-Release number of selected component (if applicable):
All versions of Python in RHEL and Fedora are affected.

How reproducible:
The bug can be reproduced with any certificate that has a registered id (GEN_RID) in the X509v3 subject alt name extension.

Steps to Reproduce:
1. Download rid.pem from https://bugs.python.org/issue27691
2. python -c "import _ssl; print(_ssl._test_decode_cert('rid.pem'))"

Actual results:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
SystemError: error return without exception set

Expected results:
{'OCSP': ('http://acme.test/ca/ocsp/tls-server-ca',), 'serialNumber': '01', 'crlDistributionPoints': ('http://acme.test/ca/tls-server-ca.crl',), 'version': 3, 'caIssuers': ('http://acme.test/ca/tls-server-ca.cer',), 'notAfter': 'Aug  5 09:13:13 2018 GMT', 'subjectAltName': (('Registered ID', '1.2.3.4.5.5'), ('DNS', 'localhost'), ('IP Address', '127.0.0.1'), ('IP Address', '0:0:0:0:0:0:0:1\n')), 'subject': ((('countryName', 'XX'),), (('organizationName', 'Acme Corp'),), (('organizationalUnitName', 'Acme Users'),), (('commonName', 'localhost'),)), 'issuer': ((('countryName', 'XX'),), (('organizationName', 'Acme Corp'),), (('organizationalUnitName', 'Acme Certificate Authority'),), (('commonName', 'Acme TLS Server CA'),)), 'notBefore': 'Aug  5 09:13:13 2016 GMT'}


Additional info:
The root cause of the Python bug is a bug in OpenSSL's GENERAL_NAME_print() function, see #1364268. The ticket on Python's bug tracker has a fix with unit tests.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2016-08-05 07:26:30 EDT ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Petr Viktorin on 2016-08-08 05:04:29 EDT ---

Fixing Python tracker ID.

I plan to add devel_ack as soon as the patch is upstream.

Comment 1 Charalampos Stratakis 2016-12-07 18:22:56 UTC

This is fixed in Python 2.7.13rc1

The final release will be out in approximately two weeks.

Comment 2 Charalampos Stratakis 2017-01-26 10:03:43 UTC

Python 2 is at version 2.7.13 (where this fix is contained) for all the current Fedora branches, so this issue is resolved.

Note You need to log in before you can comment on or make changes to this bug.