Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: EJBCA 6.12.0
- Component/s: None
- Labels:
- Sprint: EJBCA Sprint 7, EJBCA Sprint 8
Description
It is not possible to create a certificate with a plus sign in the SAN URI field. If you try to issue the certificate through the Admin GUI using the EMPTY certificate profile, EJBCA complains about "Illegal characters". If you use an existing certificate profile with SAN URI enabled, through either the Admin GUI or the RA web, the certificate is created but the '+' character is escaped twice, i.e. it is prefixed with a '\' character. Here is an example of such a certificate, created using EJBCA 6.12.0.Alpha.0:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6786157221212547782 (0x5e2d4609c0536ac6)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=Stormhub ECDSA Staging G1
        Validity
            Not Before: Jan 12 10:10:16 2018 GMT
            Not After : Jan 12 10:10:16 2019 GMT
        Subject: description=This certificate contains a plus in the SAN URI field./pseudonym=EJBCA 6.12, CN=ECASUP-XXXX/name=QA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub:
                    04:01:42:33:30:cb:dd:ed:30:33:85:40:5f:7a:d2:
                    70:92:1e:30:d2:7f:96:8c:ff:1e:64:bb:d5:d6:29:
                    93:01:c8:80:8c:40:17:45:f9:88:21:f6:89:c9:4a:
                    15:e5:6c:2b:d4:81:a3:12:c9:0c:d9:1e:70:98:d3:
                    ba:a5:d7:25:f9:3c:f6:00:d8:e8:2a:d2:62:88:0f:
                    4a:8b:66:84:5b:1e:d3:0f:8d:f6:d1:57:e3:52:52:
                    30:b5:68:98:32:08:01:1c:a3:a5:58:32:66:6c:e3:
                    60:b8:11:f4:5f:9d:ab:df:7c:a9:5c:51:91:f6:1b:
                    28:12:f8:79:fc:95:c6:c7:08:69:10:84:61
                ASN1 OID: secp521r1
                NIST CURVE: P-521
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:F4:78:8A:EB:92:28:C3:43:40:B7:4E:BB:FB:85:41:E0:BD:1F:D4:B1
            X509v3 Subject Alternative Name:
                URI:https://primekey.com/foo\+bar
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Key Identifier:
                29:62:C1:83:A1:06:5D:99:91:91:59:36:CA:1A:26:EB:BB:C1:62:AA
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:af:5a:d1:ee:bc:89:38:99:7a:c7:76:0f:dc:
         7f:f5:0d:bf:f7:3e:96:41:fe:ef:3f:97:4b:5f:6d:21:46:c1:
         48:02:20:7a:f4:1c:f6:26:7d:03:7d:0c:21:72:9f:92:de:d8:
         08:0f:a3:f0:e5:f0:0d:1f:c2:60:a0:48:1c:2e:45:e0:36
This is of course wrong, since a plus sign is perfectly legal in a URI. This may be an unusual use case, but at least one customer has asked about this recently.
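The following is an added example, not code from this issue or from the EJBCA project: a small Python check that a CA operator could run over `openssl x509 -text` output to catch SAN URI values carrying a DN-style backslash escape, which RFC 3986 never permits in a URI. The sample dump is constructed to match the SAN section of the certificate quoted above (the extra DNS entry is added only to exercise multi-entry parsing). The `dn_escape` helper reproduces RFC 4514 escaping of a DN attribute value to show how such a transform, applied to a URI, yields exactly `foo\+bar`; that this is the class of bug involved is an assumption made here, not a reading of EJBCA's source.

```python
"""Flag DN-style escaping in SAN URI values of an `openssl x509 -text` dump."""
import re

# Constructed sample input (assumption: same layout openssl printed for the
# certificate quoted in the report; the DNS entry is added to exercise
# multi-entry parsing and is not from the report).
SAMPLE_DUMP = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                URI:https://primekey.com/foo\\+bar, DNS:www.example.test
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
"""

SAN_HEADER = "X509v3 Subject Alternative Name:"
# Characters RFC 4514 requires a backslash before inside a DN attribute value.
RFC4514_SPECIALS = '"+,;<>\\'
# A backslash followed by one of those (or the leading-position specials ' ' and '#').
DN_ESCAPE = re.compile(r'\\["+,;<>\\ #]')
# Everything RFC 3986 allows in a URI: unreserved, reserved, and %XX escapes.
URI_CHARS = re.compile(r"^(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$")


def san_entries(dump):
    """Return (type, value) pairs from the SAN block of an openssl text dump.

    Assumes openssl's layout: one header line, then more deeply indented
    lines of 'TYPE:value' items separated by ', ' (a URI that itself
    contained ', ' would be split; none of the sample values do).
    """
    lines = dump.splitlines()
    for index, line in enumerate(lines):
        if line.strip().startswith(SAN_HEADER):
            break
    else:
        return []
    header_indent = len(line) - len(line.lstrip())
    entries = []
    for line in lines[index + 1:]:
        if not line.strip():
            continue
        if len(line) - len(line.lstrip()) <= header_indent:
            break  # back at extension-header depth, the SAN block is over
        for item in line.strip().split(", "):
            kind, _, value = item.partition(":")  # URIs contain ':' too, so split once
            entries.append((kind, value))
    return entries


def uri_problems(uri):
    """Describe what is wrong with a SAN URI value; an empty list means it looks fine."""
    problems = []
    if DN_ESCAPE.search(uri):
        problems.append("DN-style backslash escape leaked into the URI")
    if not URI_CHARS.match(uri):
        problems.append("character outside the RFC 3986 URI character set")
    return problems


def dn_escape(value):
    """RFC 4514 escaping of a DN attribute value: the transform that, wrongly
    applied to a URI, produces the backslash seen in the report.

    Assumption: the report's output matches this transform; the code is
    illustrative and is not EJBCA's own.
    """
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in RFC4514_SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def dn_unescape(value):
    """Undo dn_escape (single-character escapes only; hex-pair escapes are not handled)."""
    return re.sub(r"\\(.)", r"\1", value)


def flagged_san_uris(dump):
    """Return [(uri, problems)] for every SAN URI entry in the dump that has problems."""
    return [(value, uri_problems(value))
            for kind, value in san_entries(dump)
            if kind == "URI" and uri_problems(value)]


if __name__ == "__main__":
    for uri, problems in flagged_san_uris(SAMPLE_DUMP):
        print(uri, "->", "; ".join(problems))
        print("  intended value:", dn_unescape(uri))
```

Run over the sample dump, `flagged_san_uris` reports the `foo\+bar` entry with both findings (a DN-style escape and a character outside the URI set), while `dn_unescape` recovers the value the request asked for. Piping `openssl x509 -in cert.pem -noout -text` into `san_entries` is enough to sweep a batch of issued certificates for the same defect.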