Bug 1451107 - subscription-manager does not see the identity name when it is 255 chars
Summary: subscription-manager does not see the identity name when it is 255 chars
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: subscription-manager
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Assignee: candlepin-bugs
QA Contact: Red Hat subscription-manager QE Team
Blocks: 2170446
Reported: 2017-05-15 19:49 UTC by John Sefler
Modified: 2023-08-02 07:28 UTC
Last Closed: 2023-08-02 07:28:19 UTC
Type: Bug

Links:
    Red Hat Bugzilla 1395747 (low, CLOSED): Candlepin consumer certificate subject alternative name uses URI incorrectly (last updated 2021-02-22 00:41:40 UTC)
    Red Hat Issue Tracker CRYPTO-9466 (last updated 2023-02-07 17:56:50 UTC)
    Red Hat Issue Tracker RHELPLAN-147444 (last updated 2023-02-02 12:50:38 UTC)

Description John Sefler 2017-05-15 19:49:49 UTC
Description of problem:
After the fix for Bug 1395747 was merged to candlepin master, creating a consumer from subscription-manager fails to see the identity name when the value is 255 chars long.  (Note: 251 chars works as expected, but 252-to-255 chars fails, and 256+ chars is blocked as expected).

Version-Release number of selected component (if applicable):
[root@jsefler-rhel7 ~]# subscription-manager version 
server type: Red Hat Subscription Management
subscription management server: 2.1.0-1
subscription management rules: 5.23
subscription-manager: 1.19.12-1.el7
python-rhsm: 1.19.6-1.el7


How reproducible:


Steps to Reproduce:
[root@jsefler-rhel7 ~]# subscription-manager register --username=testuser1 --password=password --org=admin --name="255_characters_678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345" --force
Unregistering from: jsefler-candlepin7.usersys.redhat.com:8443/candlepin
The system with UUID 62809bb0-82f0-42b4-a1e1-d68911cdba35 has been unregistered
All local data removed
Registering to: jsefler-candlepin7.usersys.redhat.com:8443/candlepin
The system has been registered with ID: dc7d3c74-c64e-4fec-87ee-2d4177a46f6b 


[root@jsefler-rhel7 ~]# subscription-manager identity
system identity: dc7d3c74-c64e-4fec-87ee-2d4177a46f6b
name: dc7d3c74-c64e-4fec-87ee-2d4177a46f6b, DirName:    <======= EMPTY DIRNAME; EXPECTED THE 255 CHAR NAME
org name: Admin Owner
org ID: admin


[root@jsefler-rhel7 ~]# rct cat-cert /etc/pki/consumer/cert.pem 

+-------------------------------------------+
	Identity Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/consumer/cert.pem
	Version: 1.0
	Serial: 7844783663829513587
	Start Date: 2017-05-15 18:42:50+00:00
	End Date: 2033-05-15 19:42:50+00:00
	Alt Name: DirName:/CN=dc7d3c74-c64e-4fec-87ee-2d4177a46f6b, DirName:     <======= EMPTY DIRNAME; EXPECTED THE 255 CHAR NAME

Subject:
	CN: dc7d3c74-c64e-4fec-87ee-2d4177a46f6b

Issuer:
	C: US
	CN: jsefler-candlepin7.usersys.redhat.com
	L: Raleigh


[root@jsefler-rhel7 ~]# openssl x509 -noout -text -in /etc/pki/consumer/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7844783663829513587 (0x6cde452dc6587573)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=jsefler-candlepin7.usersys.redhat.com, C=US, L=Raleigh
        Validity
            Not Before: May 15 18:42:50 2017 GMT
            Not After : May 15 19:42:50 2033 GMT
        Subject: CN=dc7d3c74-c64e-4fec-87ee-2d4177a46f6b
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:93:b5:37:22:ab:46:65:d7:b5:7c:d5:40:a1:
                    05:c2:97:e2:33:b1:91:ae:11:fc:c4:16:65:01:1b:
                    5b:1b:e4:02:9a:6a:de:b5:99:a7:db:dc:b9:3d:b2:
                    e4:62:17:59:6e:6a:2e:ec:b0:41:4a:3b:37:1a:0d:
                    e6:4c:b5:f9:60:9b:84:a3:f1:1e:0e:d7:32:bb:03:
                    f9:78:4d:5f:93:88:45:25:d4:a0:80:4c:92:bf:2a:
                    19:40:81:fa:c4:ba:f7:fd:c9:b6:2f:05:7e:c4:ee:
                    7d:8c:ff:0f:9f:5c:72:43:07:21:98:58:40:8d:d6:
                    62:b1:e3:b0:9a:8b:da:a1:78:50:bc:05:47:85:3b:
                    e7:17:36:fb:fb:3b:07:63:ac:1d:61:ba:d6:a4:22:
                    5b:e1:b4:37:a4:b0:37:1f:e1:2d:64:7a:7b:27:65:
                    e5:d1:73:21:de:0c:e7:cd:e7:d8:0d:5b:c1:9e:c7:
                    b9:fb:f3:c2:e3:21:74:6d:cb:d0:ed:94:55:7a:d4:
                    e3:47:42:b1:c0:8e:51:a8:66:e4:41:f9:bb:3f:65:
                    1a:ee:aa:86:2b:59:12:eb:a2:89:a7:8d:6e:c1:c9:
                    db:77:9a:e9:8b:85:50:59:d5:9b:0e:ef:35:2b:e1:
                    25:84:7f:a4:ad:20:16:e5:3a:4d:6c:32:70:90:3c:
                    74:e5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL Client, S/MIME
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier: 
                keyid:8E:64:24:7D:D5:89:E1:59:E4:6F:17:E2:7B:45:19:F4:0F:E3:F7:C3
                DirName:/CN=jsefler-candlepin7.usersys.redhat.com/C=US/L=Raleigh
                serial:DE:59:83:F4:94:F7:72:14

            X509v3 Subject Key Identifier: 
                99:D6:2D:D6:35:50:45:4E:3E:B2:3D:07:92:07:07:E6:E9:9F:39:91
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DirName:/CN=dc7d3c74-c64e-4fec-87ee-2d4177a46f6b, DirName:   <======= EMPTY DIRNAME; EXPECTED THE 255 CHAR NAME
    Signature Algorithm: sha1WithRSAEncryption
         0d:4e:e9:5b:03:37:75:b9:f2:ac:16:2d:06:b1:f6:0a:e8:76:
         8e:1b:dd:8c:c3:b8:8e:16:69:b0:a6:84:3a:18:49:dd:36:f9:
         e9:3c:b8:d5:7c:69:2e:67:09:ed:d2:47:d0:fd:a6:b2:33:41:
         b3:57:a2:ae:58:e0:65:0e:d3:19:9a:8c:ca:e2:e1:d8:99:78:
         60:21:74:87:5a:18:27:d9:49:d4:8c:f8:b4:d7:a0:84:d8:17:
         1e:15:ae:b9:53:cc:7e:b4:8a:10:dd:c4:ef:5e:7c:f2:fa:fe:
         b5:a7:6d:6e:de:82:27:a1:ac:6b:48:ac:6f:43:c9:26:68:37:
         85:db


[root@jsefler-rhel7 ~]# cat /etc/pki/consumer/cert.pem 

Additional info:

Here are some bugs that have historically shaped this scenario:

Bug 1065369 - Display error/warning message when tried to set a very long value for the release version in the activation key

Bug 1094492 - consumer cert does not appear to accept a consumer name greater than 251 chars

Comment 1 ojanus 2019-01-18 14:31:29 UTC
I verified that the certificate is both correctly created by Candlepin and correctly stored by subscription-manager. The problem occurs while subscription-manager reads the certificate.

In the Python extension 'certificate.c', the method 'get_all_extensions' only detects a length of 58 characters for certificates with a long alt name (certificate.c:get_extension_by_object:260).

Comment 4 Nikos Moumoulidis 2023-02-02 12:48:44 UTC
Moving this to subscription-manager based on comment #1

Comment 6 Jiri Hnidek 2023-02-07 15:19:31 UTC
Hi,
I tried to display the given consumer certificate with the CLI tool provided by GnuTLS (http://gnutls.org), and this tool is able to display the certificate correctly.

You can install the GnuTLS utils using: "dnf install gnutls-utils.x86_64"

Thus I believe that this bug belongs to the openssl component.

[jhnidek@localhost long_consumer_cert]$ certtool --certificate-info --infile ./cert.pem 
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 6cde452dc6587573
	Issuer: L=Raleigh,C=US,CN=jsefler-candlepin7.usersys.redhat.com
	Validity:
		Not Before: Mon May 15 18:42:50 UTC 2017
		Not After: Sun May 15 19:42:50 UTC 2033
	Subject: CN=dc7d3c74-c64e-4fec-87ee-2d4177a46f6b
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:c2:93:b5:37:22:ab:46:65:d7:b5:7c:d5:40:a1:05
			c2:97:e2:33:b1:91:ae:11:fc:c4:16:65:01:1b:5b:1b
			e4:02:9a:6a:de:b5:99:a7:db:dc:b9:3d:b2:e4:62:17
			59:6e:6a:2e:ec:b0:41:4a:3b:37:1a:0d:e6:4c:b5:f9
			60:9b:84:a3:f1:1e:0e:d7:32:bb:03:f9:78:4d:5f:93
			88:45:25:d4:a0:80:4c:92:bf:2a:19:40:81:fa:c4:ba
			f7:fd:c9:b6:2f:05:7e:c4:ee:7d:8c:ff:0f:9f:5c:72
			43:07:21:98:58:40:8d:d6:62:b1:e3:b0:9a:8b:da:a1
			78:50:bc:05:47:85:3b:e7:17:36:fb:fb:3b:07:63:ac
			1d:61:ba:d6:a4:22:5b:e1:b4:37:a4:b0:37:1f:e1:2d
			64:7a:7b:27:65:e5:d1:73:21:de:0c:e7:cd:e7:d8:0d
			5b:c1:9e:c7:b9:fb:f3:c2:e3:21:74:6d:cb:d0:ed:94
			55:7a:d4:e3:47:42:b1:c0:8e:51:a8:66:e4:41:f9:bb
			3f:65:1a:ee:aa:86:2b:59:12:eb:a2:89:a7:8d:6e:c1
			c9:db:77:9a:e9:8b:85:50:59:d5:9b:0e:ef:35:2b:e1
			25:84:7f:a4:ad:20:16:e5:3a:4d:6c:32:70:90:3c:74
			e5
		Exponent (bits 24):
			01:00:01
	Extensions:
		Unknown extension 2.16.840.1.113730.1.1 (not critical):
			ASCII: ....
			Hexdump: 030205a0
		Key Usage (not critical):
			Digital signature.
			Key encipherment.
			Data encipherment.
		Authority Key Identifier (not critical):
			directoryName: L=Raleigh,C=US,CN=jsefler-candlepin7.usersys.redhat.com
			serial: 00de5983f494f77214
			8e64247dd589e159e46f17e27b4519f40fe3f7c3
		Subject Key Identifier (not critical):
			99d62dd63550454e3eb23d07920707e6e99f3991
		Key Purpose (not critical):
			TLS WWW Client.
		Subject Alternative Name (not critical):
			directoryName: CN=dc7d3c74-c64e-4fec-87ee-2d4177a46f6b
			directoryName: CN=255_characters_678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345
	Signature Algorithm: RSA-SHA1
warning: signed using a broken signature algorithm that can be forged.
	Signature:
		0d:4e:e9:5b:03:37:75:b9:f2:ac:16:2d:06:b1:f6:0a
		e8:76:8e:1b:dd:8c:c3:b8:8e:16:69:b0:a6:84:3a:18
		49:dd:36:f9:e9:3c:b8:d5:7c:69:2e:67:09:ed:d2:47
		d0:fd:a6:b2:33:41:b3:57:a2:ae:58:e0:65:0e:d3:19
		9a:8c:ca:e2:e1:d8:99:78:60:21:74:87:5a:18:27:d9
		49:d4:8c:f8:b4:d7:a0:84:d8:17:1e:15:ae:b9:53:cc
		7e:b4:8a:10:dd:c4:ef:5e:7c:f2:fa:fe:b5:a7:6d:6e
		de:82:27:a1:ac:6b:48:ac:6f:43:c9:26:68:37:85:db
Other Information:
	Fingerprint:
		sha1:e6ce579355f50067b8080307f907a3a2ec6cfd2d
		sha256:2938efde69ec09ecb0b65e56201e9c6ad47ce429ebba9389f2ac3cb159762914
	Public Key ID:
		sha1:d3c76fc224ff66c72b2625401ac4055dc6b39cff
		sha256:53f4481f2486c372409508c393eaaa53d12880ba5fb6ab9099a77ea03b2cee4c
	Public Key PIN:
		pin-sha256:U/RIHySGw3JAlQjDk+qqU9EogLpftquQmad+oDss7kw=

Comment 7 Jiri Hnidek 2023-02-07 15:35:10 UTC
I can prove that this bug is still valid on RHEL9 as you can see here:
[root@rhel9 long_consumer_cert]# openssl version
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)

[root@rhel9 long_consumer_cert]# openssl x509 -noout -text -in ./cert.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7844783663829513587 (0x6cde452dc6587573)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = jsefler-candlepin7.usersys.redhat.com, C = US, L = Raleigh
        Validity
            Not Before: May 15 18:42:50 2017 GMT
            Not After : May 15 19:42:50 2033 GMT
        Subject: CN = dc7d3c74-c64e-4fec-87ee-2d4177a46f6b
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:93:b5:37:22:ab:46:65:d7:b5:7c:d5:40:a1:
                    05:c2:97:e2:33:b1:91:ae:11:fc:c4:16:65:01:1b:
                    5b:1b:e4:02:9a:6a:de:b5:99:a7:db:dc:b9:3d:b2:
                    e4:62:17:59:6e:6a:2e:ec:b0:41:4a:3b:37:1a:0d:
                    e6:4c:b5:f9:60:9b:84:a3:f1:1e:0e:d7:32:bb:03:
                    f9:78:4d:5f:93:88:45:25:d4:a0:80:4c:92:bf:2a:
                    19:40:81:fa:c4:ba:f7:fd:c9:b6:2f:05:7e:c4:ee:
                    7d:8c:ff:0f:9f:5c:72:43:07:21:98:58:40:8d:d6:
                    62:b1:e3:b0:9a:8b:da:a1:78:50:bc:05:47:85:3b:
                    e7:17:36:fb:fb:3b:07:63:ac:1d:61:ba:d6:a4:22:
                    5b:e1:b4:37:a4:b0:37:1f:e1:2d:64:7a:7b:27:65:
                    e5:d1:73:21:de:0c:e7:cd:e7:d8:0d:5b:c1:9e:c7:
                    b9:fb:f3:c2:e3:21:74:6d:cb:d0:ed:94:55:7a:d4:
                    e3:47:42:b1:c0:8e:51:a8:66:e4:41:f9:bb:3f:65:
                    1a:ee:aa:86:2b:59:12:eb:a2:89:a7:8d:6e:c1:c9:
                    db:77:9a:e9:8b:85:50:59:d5:9b:0e:ef:35:2b:e1:
                    25:84:7f:a4:ad:20:16:e5:3a:4d:6c:32:70:90:3c:
                    74:e5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL Client, S/MIME
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier: 
                keyid:8E:64:24:7D:D5:89:E1:59:E4:6F:17:E2:7B:45:19:F4:0F:E3:F7:C3
                DirName:/CN=jsefler-candlepin7.usersys.redhat.com/C=US/L=Raleigh
                serial:DE:59:83:F4:94:F7:72:14
            X509v3 Subject Key Identifier: 
                99:D6:2D:D6:35:50:45:4E:3E:B2:3D:07:92:07:07:E6:E9:9F:39:91
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DirName:/CN=dc7d3c74-c64e-4fec-87ee-2d4177a46f6b, DirName:     <======= STILL EMPTY DIRNAME; EXPECTED THE 255 CHAR NAME
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        0d:4e:e9:5b:03:37:75:b9:f2:ac:16:2d:06:b1:f6:0a:e8:76:
        8e:1b:dd:8c:c3:b8:8e:16:69:b0:a6:84:3a:18:49:dd:36:f9:
        e9:3c:b8:d5:7c:69:2e:67:09:ed:d2:47:d0:fd:a6:b2:33:41:
        b3:57:a2:ae:58:e0:65:0e:d3:19:9a:8c:ca:e2:e1:d8:99:78:
        60:21:74:87:5a:18:27:d9:49:d4:8c:f8:b4:d7:a0:84:d8:17:
        1e:15:ae:b9:53:cc:7e:b4:8a:10:dd:c4:ef:5e:7c:f2:fa:fe:
        b5:a7:6d:6e:de:82:27:a1:ac:6b:48:ac:6f:43:c9:26:68:37:
        85:db

Comment 8 Pino Toscano 2023-02-07 15:37:47 UTC
Since the problem seems to be in openssl, reassigning the bug accordingly.

Comment 9 Clemens Lang 2023-02-07 17:41:35 UTC
https://www.ietf.org/rfc/rfc3280.txt defines an upper bound for common names: ub-common-name INTEGER ::= 64

This is copied into OpenSSL's source code at crypto/asn1/tbl_standard.h and include/openssl/asn1.h.in. I'm not sure why strings longer than 64 bytes would even work. Maybe I'm not looking at the correct field, but openssl asn1parse -in cert.pem -strparse 724 -strparse 63 -strparse 4 suggests it's a commonName object:

    0:d=0  hl=4 l= 263 cons: SEQUENCE
    4:d=1  hl=2 l=   3 prim: OBJECT            :commonName
    9:d=1  hl=3 l= 255 prim: UTF8STRING        :255_characters_678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345

Don't have time to investigate further at the moment, but in an effort to avoid duplicate work, I'll leave this information here.

Also note that the certificate uses a SHA-1 signature. Not sure if that is still the case on RHEL 9 or whether this signature is ever verified, though.

Comment 10 Dmitry Belyavskiy 2023-02-07 17:53:51 UTC
Yes, OpenSSL implements field length limitations, so this certificate will not be displayed (and probably is not usable) in OpenSSL. We will not deviate from upstream in this area.

Could you please raise the issue against the software that issued this certificate? Otherwise we will consider it as not a bug.

Many thanks!
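Comments 9 and 10 point at the 64-character ub-common-name bound from RFC 3280/5280 that OpenSSL enforces. The following is an added example, not code from the bug report, subscription-manager, Candlepin or OpenSSL: it encodes a SubjectAltName shaped like the one in this bug and checks every directoryName CN against that bound, the kind of pre-issuance lint the issuing side could run. The SAN bytes are constructed here, with the 255-character name rebuilt from the pattern used in the report.

```python
# Added example, not the bug report's or subscription-manager's own code: a
# dependency-free DER walk over a SubjectAltName value that flags directoryName
# CNs over RFC 5280's ub-common-name (64), the bound OpenSSL enforces.
UB_COMMON_NAME = 64
OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName, 2.5.4.3
def der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def read_tlv(buf, pos):  # decode one TLV at buf[pos] -> (tag, content, end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def san_with_cns(*cns):  # constructed GeneralNames: one [4] directoryName per CN
    names = b""
    for cn in cns:
        atv = tlv(0x30, tlv(0x06, OID_COMMON_NAME) + tlv(0x0C, cn.encode()))
        names += tlv(0xA4, tlv(0x30, tlv(0x31, atv)))  # Name > RDN (SET) > ATV
    return tlv(0x30, names)

def directory_name_cns(san):
    """Return (cn, char_count, within_bound) for every directoryName CN in a SAN."""
    found = []
    _, general_names, _ = read_tlv(san, 0)       # GeneralNames ::= SEQUENCE
    pos = 0
    while pos < len(general_names):
        tag, name, pos = read_tlv(general_names, pos)
        if tag != 0xA4:                          # skip dNSName, URI, ... entries
            continue
        _, rdns, _ = read_tlv(name, 0)           # Name ::= SEQUENCE OF RDN
        p = 0
        while p < len(rdns):
            _, rdn, p = read_tlv(rdns, p)        # RDN ::= SET OF AttributeTypeAndValue
            q = 0
            while q < len(rdn):
                _, atv, q = read_tlv(rdn, q)
                _, oid, r = read_tlv(atv, 0)
                _, value, _ = read_tlv(atv, r)
                if oid == OID_COMMON_NAME:       # the bound counts characters
                    cn = value.decode("utf-8")
                    found.append((cn, len(cn), len(cn) <= UB_COMMON_NAME))
    return found

LONG_CN = "255_characters_" + "6789012345" * 24  # constructed: UUID CN + 255-char CN
SAMPLE_SAN = san_with_cns("dc7d3c74-c64e-4fec-87ee-2d4177a46f6b", LONG_CN)
```

The long name encodes into the same SEQUENCE / OBJECT commonName / UTF8STRING layout that the asn1parse output in comment 9 shows (hl=4 l=263, then l=3 and hl=3 l=255), so directory_name_cns(SAMPLE_SAN) reports the UUID entry as within bound and the 255-character entry as over it.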

Comment 12 RHEL Program Management 2023-08-02 07:28:19 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.