EJBCA / ECA-6510

Cannot create certificate with a plus sign in SAN URI field

    Details

    • Sprint:
      EJBCA Sprint 7, EJBCA Sprint 8

      Description

      It is not possible to create a certificate with a plus sign in the SAN URI field. If you try to issue the certificate through the Admin GUI and you use the EMPTY certificate profile, EJBCA will complain about "Illegal characters". If you use an existing certificate profile with SAN URI enabled, either using the Admin GUI or the RA web, you can create the certificate but the '+' character is escaped twice, e.g. prepended by a '\' character. Here is an example of such a certificate, created using EJBCA 6.12.0.Alpha.0:

      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 6786157221212547782 (0x5e2d4609c0536ac6)
          Signature Algorithm: ecdsa-with-SHA256
              Issuer: CN=Stormhub ECDSA Staging G1
              Validity
                  Not Before: Jan 12 10:10:16 2018 GMT
                  Not After : Jan 12 10:10:16 2019 GMT
              Subject: description=This certificate contains a plus in the SAN URI field./pseudonym=EJBCA 6.12, CN=ECASUP-XXXX/name=QA
              Subject Public Key Info:
                  Public Key Algorithm: id-ecPublicKey
                      Public-Key: (521 bit)
                      pub: 
                          04:01:42:33:30:cb:dd:ed:30:33:85:40:5f:7a:d2:
                          70:92:1e:30:d2:7f:96:8c:ff:1e:64:bb:d5:d6:29:
                          93:01:c8:80:8c:40:17:45:f9:88:21:f6:89:c9:4a:
                          15:e5:6c:2b:d4:81:a3:12:c9:0c:d9:1e:70:98:d3:
                          ba:a5:d7:25:f9:3c:f6:00:d8:e8:2a:d2:62:88:0f:
                          4a:8b:66:84:5b:1e:d3:0f:8d:f6:d1:57:e3:52:52:
                          30:b5:68:98:32:08:01:1c:a3:a5:58:32:66:6c:e3:
                          60:b8:11:f4:5f:9d:ab:df:7c:a9:5c:51:91:f6:1b:
                          28:12:f8:79:fc:95:c6:c7:08:69:10:84:61
                      ASN1 OID: secp521r1
                      NIST CURVE: P-521
              X509v3 extensions:
                  X509v3 Basic Constraints: critical
                      CA:FALSE
                  X509v3 Authority Key Identifier: 
                      keyid:F4:78:8A:EB:92:28:C3:43:40:B7:4E:BB:FB:85:41:E0:BD:1F:D4:B1
      
                  X509v3 Subject Alternative Name: 
                      URI:https://primekey.com/foo\+bar
                  X509v3 Extended Key Usage: 
                      TLS Web Client Authentication, E-mail Protection
                  X509v3 Subject Key Identifier: 
                      29:62:C1:83:A1:06:5D:99:91:91:59:36:CA:1A:26:EB:BB:C1:62:AA
                  X509v3 Key Usage: critical
                      Digital Signature, Non Repudiation, Key Encipherment
          Signature Algorithm: ecdsa-with-SHA256
               30:45:02:21:00:af:5a:d1:ee:bc:89:38:99:7a:c7:76:0f:dc:
               7f:f5:0d:bf:f7:3e:96:41:fe:ef:3f:97:4b:5f:6d:21:46:c1:
               48:02:20:7a:f4:1c:f6:26:7d:03:7d:0c:21:72:9f:92:de:d8:
               08:0f:a3:f0:e5:f0:0d:1f:c2:60:a0:48:1c:2e:45:e0:36
      

      This is of course wrong since plus is perfectly legal in a URI. This may be an unusual use-case but at least one customer has asked about this recently.
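A way to catch this class of defect in issued certificates, as an added example that is not part of the original issue or of EJBCA: it pulls URI entries out of the SAN line of `openssl x509 -text` output and checks every character against the RFC 3986 character sets, where '+' is a legal sub-delimiter and '\' is not allowed anywhere. The function names are hypothetical, and the "intended" URI is constructed on the assumption that the request asked for the value without the backslash.

```python
import re
import string

# RFC 3986: unreserved + gen-delims + sub-delims. "+" is a sub-delim; "\" is in no set.
ALLOWED = set(string.ascii_letters + string.digits + "-._~" + ":/?#[]@" + "!$&'()*+,;=")
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")
SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:")

def uri_problems(uri):
    """Return (index, detail) pairs for everything RFC 3986 does not allow in uri."""
    problems = []
    if not SCHEME.match(uri):
        problems.append((0, "missing scheme"))
    i = 0
    while i < len(uri):
        if uri[i] == "%" and PCT_ENCODED.match(uri, i):
            i += 3  # valid percent-encoded octet
            continue
        if uri[i] not in ALLOWED:
            problems.append((i, uri[i]))
        i += 1
    return problems

def san_uris(openssl_text):
    """Collect URI entries from the SAN line of `openssl x509 -text` output."""
    lines = openssl_text.splitlines()
    uris = []
    for n, line in enumerate(lines[:-1]):
        if "X509v3 Subject Alternative Name" in line:
            for entry in lines[n + 1].split(", "):
                if entry.strip().startswith("URI:"):
                    uris.append(entry.strip()[4:])
    return uris

def audit(openssl_text):
    """Map each SAN URI to its list of problems (empty list means well-formed)."""
    return {uri: uri_problems(uri) for uri in san_uris(openssl_text)}

# SAN extension lines as printed for the certificate in this issue.
ISSUED = r"""
            X509v3 Subject Alternative Name:
                URI:https://primekey.com/foo\+bar
"""
# Constructed: the same extension with the URI assumed to have been requested.
INTENDED = ISSUED.replace("\\+", "+")

if __name__ == "__main__":
    for label, text in (("issued", ISSUED), ("intended", INTENDED)):
        for uri, problems in audit(text).items():
            print(label, uri, problems or "ok")
```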

              People

              • Assignee:
                bastianf Bastian Fredriksson
                Reporter:
                bastianf Bastian Fredriksson
                Verified by:
                Samuel Lidén Borell

                  Time Tracking

                  Estimated: 1d
                  Remaining: 4h
                  Logged: 4h