Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 462488

Summary: IPAddress in SubjAltNameExt incorrectly padded with extra bytes in cert
Product: [Retired] Dogtag Certificate System
Reporter: Christina Fu <cfu>
Component: Certificate Manager
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: medium
Version: unspecified
CC: benl, jmagne
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:29:52 UTC
Bug Blocks: 443788
Attachments: subjAltName IPAddress fix (flags: none)

Description Christina Fu 2008-09-16 17:37:21 UTC
In RFC3280, it is specified:

   When the subjectAltName extension contains a iPAddress, the address
   MUST be stored in the octet string in "network byte order," as
   specified in RFC 791 [RFC 791].  The least significant bit (LSB) of
   each octet is the LSB of the corresponding byte in the network
   address.  For IP Version 4, as specified in RFC 791, the octet string
   MUST contain exactly four octets.  For IP Version 6, as specified in
   RFC 1883, the octet string MUST contain exactly sixteen octets [RFC
   1883].

However, our IPAddress in the cert is coded with 8 bytes with 4 bytes of trailing 0's.

 528   35:         SEQUENCE {
 530    3:           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
         :             (X.509 id-ce (2 5 29))
 535   28:           OCTET STRING, encapsulates {
 537   26:             SEQUENCE {
 539   14:               [1] 'cfu'
 555    8:               [7] AC 10 18 4F 00 00 00 00
         :               }
         :             }
         :           }
         :         }
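
As an added example (not code from this bug or from Dogtag), a small DER walker that pulls every iPAddress GeneralName out of a subjectAltName SEQUENCE and applies the RFC 3280 length rule quoted above. The sample SEQUENCEs are constructed from the hex dumps on this page, with the rfc822Name shortened to the placeholder 'cfu'.

```python
import ipaddress

def der_tlv(buf, pos):
    """Decode one DER TLV at pos and return (tag, value, next_pos).

    Handles single-byte tags with short or long definite lengths, which is
    all a GeneralNames SEQUENCE needs.
    """
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def san_ip_addresses(general_names):
    """Yield the raw octets of every iPAddress ([7]) inside a GeneralNames SEQUENCE."""
    tag, body, _ = der_tlv(general_names, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        t, v, pos = der_tlv(body, pos)
        if t == 0x87:                       # [7] IMPLICIT OCTET STRING = iPAddress
            yield v

def check_san_ips(general_names):
    """Return (hex, verdict) per iPAddress: the parsed address, or why it is invalid.

    RFC 3280 4.2.1.7: exactly 4 octets for IPv4, exactly 16 for IPv6. The
    address+mask form (8 or 32 octets) is only legal in NameConstraints.
    """
    out = []
    for octets in san_ip_addresses(general_names):
        if len(octets) in (4, 16):
            out.append((octets.hex(), str(ipaddress.ip_address(octets))))
        else:
            out.append((octets.hex(), f"INVALID: {len(octets)} octets, must be 4 or 16"))
    return out

# Constructed SAN SEQUENCEs transcribed from the dumpasn1 output in this bug report.
# The rfc822Name in the first one is shortened to the placeholder 'cfu'.
BUGGY_SAN = bytes.fromhex("300f" "8103636675" "8708ac10184f00000000")   # 8-octet IPv4
FIXED_IPV4_SAN = bytes.fromhex("3006" "87040a104e96")                    # 10.16.78.150
MASKED_IPV6_SAN = bytes.fromhex("3022" "8720" "3ffe111122222000023048fffe8bfffc" + "ff" * 16)
FIXED_IPV6_SAN = bytes.fromhex("3012" "8710" "fe80000000000000023048fffe8bfffc")

if __name__ == "__main__":
    for name, san in [("buggy", BUGGY_SAN), ("ipv4", FIXED_IPV4_SAN),
                      ("ipv6/64", MASKED_IPV6_SAN), ("ipv6", FIXED_IPV6_SAN)]:
        print(name, check_san_ips(san))
```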

Comment 1 Christina Fu 2008-09-16 18:10:38 UTC
Created attachment 316872 [details]
subjAltName IPAddress fix

Comment 2 Christina Fu 2008-09-16 18:12:32 UTC
Jack, please review. Thanks.

Comment 3 Jack Magne 2008-09-16 18:31:33 UTC
Attachment (id=316872) +jmagne

Comment 4 Christina Fu 2008-09-16 19:55:40 UTC
[cfu@jaw pki]$ pwd
/home/cfu/dogtag/src4/pki
[cfu@jaw pki]$ svn update base/util/src/netscape/security/x509/IPAddressName.java base/common/src/com/netscape/cms/profile/def/EnrollDefault.java linux/util/pki-util.spec linux/common/pki-common.spec
At revision 110.
At revision 110.
At revision 110.
At revision 110.
[cfu@jaw pki]$ svn commit base/util/src/netscape/security/x509/IPAddressName.java base/common/src/com/netscape/cms/profile/def/EnrollDefault.java linux/util/pki-util.spec linux/common/pki-common.spec
Sending        base/common/src/com/netscape/cms/profile/def/EnrollDefault.java
Sending        base/util/src/netscape/security/x509/IPAddressName.java
Sending        linux/common/pki-common.spec
Sending        linux/util/pki-util.spec
Transmitting file data ....
Committed revision 111.

Comment 5 Chandrasekar Kannan 2009-06-09 14:20:34 UTC
For IPv4 address 10.16.78.150, I get:

 493   15: . . . . SEQUENCE {
 495    3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17)
         : . . . . . . (X.509 id-ce (2 5 29))
 500    8: . . . . . OCTET STRING, encapsulates {
 502    6: . . . . . . SEQUENCE {
 504    4: . . . . . . . [7] 0A 10 4E 96
         : . . . . . . . }

For IPv6 address 3ffe:1111:2222:2000:230:48ff:fe8b:fffc/64, I get:

 498   43: . . . . SEQUENCE {
 500    3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17)
         : . . . . . . (X.509 id-ce (2 5 29))
 505   36: . . . . . OCTET STRING, encapsulates {
 507   34: . . . . . . SEQUENCE {
 509   32: . . . . . . . [7]
         : . . . . . . . . 3F FE 11 11 22 22 20 00 02 30 48 FF FE 8B FF FC
         : . . . . . . . . FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
         : . . . . . . . }
         : . . . . . . }
         : . . . . . }
         : . . . . }
         : . . . }
         : . . }

Comment 6 Chandrasekar Kannan 2009-06-09 18:06:39 UTC
For IPv6 address 3ffe:1111:2222:2000:230:48ff:fe8b:fffc, I get:

         : . . . . . }
 502   27: . . . . SEQUENCE {
 504    3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17)
         : . . . . . . (X.509 id-ce (2 5 29))
 509   20: . . . . . OCTET STRING, encapsulates {
 511   18: . . . . . . SEQUENCE {
 513   16: . . . . . . . [7]
         : . . . . . . . . FE 80 00 00 00 00 00 00 02 30 48 FF FE 8B FF FC
         : . . . . . . . }
         : . . . . . . }
         : . . . . . }
         : . . . . }
         : . . . }
         : . . }