Bug 1455755 - Parsing large OIDs fails
Summary: Parsing large OIDs fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-cryptography
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Christian Heimes
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1485898
Reported: 2017-05-26 03:09 UTC by Fraser Tweedale
Modified: 2018-04-10 11:37 UTC
4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1485898
Environment:
Last Closed: 2018-04-10 11:36:43 UTC
Target Upstream Version:


Attachments
verification_steps (6.67 KB, text/plain)
2017-12-05 16:36 UTC, Michal Reznik


Links
Fedora Pagure freeipa issue 7300 (last updated 2018-02-06 16:13:19 UTC)
Red Hat Product Errata RHBA-2018:0720 (last updated 2018-04-10 11:37:05 UTC)

Description Fraser Tweedale 2017-05-26 03:09:10 UTC
Description of problem: When parsing a certificate that contains
a long OID (> 80 chars when stringified), parsing fails.

Active Directory creates OIDs long enough to trigger the failure.
This can cause e.g. ipa-server-install failure when installing
with an externally-signed CA.

Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:
1. Load a certificate with a large OID.  The following certificate can be used
to reproduce the issue:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

2. Load the certificate.  Read the certificate policies extension:

  from cryptography import x509
  # cert is the x509.Certificate loaded in step 1
  ext = cert.extensions.get_extension_by_class(x509.CertificatePolicies)
  print(ext.value[0].policy_identifier)


Actual results: an exception gets thrown.


Expected results: OID (and whole cert) parses correctly.


Additional info: upstream PR: https://github.com/pyca/cryptography/pull/3612/files

The minimal change for a backport is just to enlarge the buffer size.
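An added example, not code from this report or from python-cryptography, that models the failure described above: a pure-Python DER OID encoder and decoder (the decoder has no length cap), a Python model of the OBJ_obj2txt() contract (it fills the caller's buffer but returns the length the full text needs), and the fixed 80-byte caller beside a caller that reallocates and retries when the return value reports a larger length. The function names and the Active Directory style OID are constructed for the example.

```python
def encode_oid(dotted):  # DER-encode a dotted OID: tag 0x06, short-form length
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:  # first two arcs are packed
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER to dotted form with no length cap."""
    if len(der) < 3 or der[0] != 0x06 or der[1] & 0x80:
        raise ValueError("expected a short-form OBJECT IDENTIFIER")
    body = der[2:2 + der[1]]
    if not body or len(body) != der[1] or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for b in body:  # base-128, high bit set on all but the last byte of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def obj2txt(der, buf):
    """Model of OBJ_obj2txt(): copy at most len(buf)-1 chars plus NUL, return full length."""
    text = decode_oid(der).encode()
    n = min(len(text), len(buf) - 1)
    buf[:n], buf[n] = text[:n], 0
    return len(text)

def oid_text_fixed_buffer(der, buf_len=80):  # pre-fix pattern: one call, fixed buffer
    buf = bytearray(buf_len)
    obj2txt(der, buf)  # return value ignored, so a long OID is silently cut off
    return bytes(buf).split(b"\0", 1)[0].decode()

def oid_text_sized(der, buf_len=80):
    """Fixed pattern: when the return value exceeds buf_len-1, reallocate res+1 bytes and retry."""
    buf = bytearray(buf_len)
    res = obj2txt(der, buf)
    if res > buf_len - 1:
        buf = bytearray(res + 1)
        res = obj2txt(der, buf)
    assert 0 < res < len(buf)
    return bytes(buf[:res]).decode()

LONG_OID = "1.3.6.1.4.1.311.21.8." + ".".join(["1234567890"] * 6) + ".1.2.3"  # constructed, 92 chars
```

With the constructed OID, oid_text_fixed_buffer() returns only the first 79 characters while oid_text_sized() returns the whole string.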

Comment 3 Christian Heimes 2017-05-29 06:01:39 UTC
The new patch looks good to me. I'll take care of it.

CPython's ssl module also contains problematic calls to obj2txt. I'll fix it, too.

Comment 11 Michal Reznik 2017-12-05 16:36:08 UTC
Created attachment 1363282 [details]
verification_steps

Comment 12 Michal Reznik 2017-12-05 16:36:38 UTC
Verified running python2-cryptography-1.7.2-2.el7.x86_64.

Comment 15 errata-xmlrpc 2018-04-10 11:36:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0720

