I have recently been getting errors like UnicodeDecodeEr

Not sure if this is relevant: <a class="issue-link js-issue-link" data-error-text=

Parsing x509 certificates with non-utf-8 encoded email addresses causes parser to crash with UnicodeDecodeError about jc HOT 10 CLOSED

sumezulike commented on June 2, 2024

Parsing x509 certificates with non-utf-8 encoded email addresses causes parser to crash with UnicodeDecodeError

from jc.

Comments (10)

kellyjonbrazil commented on June 2, 2024 1

Released in v1.23.3

from jc.

kellyjonbrazil commented on June 2, 2024

Thank you for reporting this! I’ll see if there is a fix for this in the upstream library, otherwise I may need to figure this out. I won’t be able to get to this for a few days.

from jc.

kellyjonbrazil commented on June 2, 2024

Not sure if this is relevant:
wbond/asn1crypto#144

from jc.

sumezulike commented on June 2, 2024

I don't think it is directly related, but I did some more digging and found RFC 5280 7.5 that states that internationalized domain names must be converted to an ascii-compatible format.

This means this is not a bug with jc. Whoever is generating these certificates is just not adhering to the RFC.

One might still want to consider a way to gracefully handle incorrect encodings, maybe a parser argument.
For my usecase, a full stop because of one incorrectly encoded field is not good, I'd rather have the fields that could be decoded and some sort of warning about the invalid one.

from jc.

kellyjonbrazil commented on June 2, 2024

Yep, I think we can definitely do something like that.

from jc.

sumezulike commented on June 2, 2024

Awesome! Thanks a lot for the quick responses!

from jc.

kellyjonbrazil commented on June 2, 2024

I have a fix in the dev branch that allows for less-strict parsing of email addresses. Email addresses that don't meet the spec will be decoded into a bytestring and a warning message will be printed to STDERR.

% cat x509-cert-bad-email.pem | jc --x509-cert 
Invalid email address found: m\xe4x@m\xfcstermann.de
[{"tbs_certificate":{"version":"v1","serial_number":"","signature":{"algorithm":"sha512_rsa","parameters":null},"issuer":{"country_name":"DE","state_or_province_name":"stateOrProvinceName","locality_name":"localityName","organization_name":"organizationName","organizational_unit_name":"organizationUnitName","common_name":"commonName","email_address":"emailAddress"},"validity":{"not_before":1686181858,"not_after":2001541858,"not_before_iso":"2023-06-07T23:50:58+00:00","not_after_iso":"2033-06-04T23:50:58+00:00"},"subject":{"country_name":"DE","state_or_province_name":"stateOrProvinceName","locality_name":"localityName","organization_name":"organizationName","organizational_unit_name":"organizationUnitName","common_name":"commonName","email_address":"emailAddress"},"subject_public_key_info":{"algorithm":{"algorithm":"rsa","parameters":null},"public_key":{"modulus":"aa:72:23:53:97:a6:e4:4e:7b:08:82:35:a5:3d:3a:83:f9:63:38:07:df:b8:38:61:7f:99:92:c8:31:6f:7f:ac:91:a4:47:64:7e:f9:2f:e0:9e:fd:d6:35:ee:50:78:55:47:fa:63:d4:b9:64:dc:d6:1d:f6:d6:67:4f:45:d1:96:81:3b:28:28:5f:c7:91:2f:a3:d5:a2:8d:3b:a0:21:91:25:6b:a9:40:5c:a4:8d:66:17:2a:3f:6e:61:74:fb:f4:35:25:e1:d1:64:aa:15:6c:6d:33:b6:f9:07:f2:a2:29:83:1c:b1:e5:97:3b:3e:14:ea:48:d6:c7:31:ea:3a:79:c1:28:a0:a7:ea:a6:7e:cf:c7:a3:00:d5:0d:70:00:f4:34:28:ab:f6:a3:80:7a:6f:01:9c:43:4a:a8:37:13:16:11:8f:e2:57:80:1d:df:50:4f:a3:2b:35:d9:d2:7d:1e:b6:b1:e4:b5:86:f2:a3:1c:63:c0:c2:e9:3e:f0:cf:23:e8:33:b4:da:ee:59:73:e9:94:16:1b:dd:33:8a:44:31:de:36:e2:58:1f:0e:75:fd:54:4b:6d:83:5f:a6:a1:dc:b6:1d:fc:45:1d:c9:1b:7a:01:d6:cc:0c:3d:1a:96:8b:0d:3b:20:a8:40:07:e0:c5:df:ad:1a:a2:86:47:f9:ca:f6:c5:a8:99:b8:60:e8:e2:09:ea:f5:0e:97:86:07:a6:ac:50:6b:19:06:f4:37:39:9a:0d:65:bb:89:e6:ae:eb:f3:a9:cd:72:c3:31:36:ef:ac:90:48:19:d0:84:df:b2:6d:9d:ef:6c:fd:9a:ff:3c:26:68:72:80:c2:c0:40:04:ba:84:39:69:5c:e9:b1:10:98:61:3d:1a:5c:a8:9e:79:48:2e:51:d0:c3:69:27:74:c1:ef:e2:98:2a:38:3c:6e:ea:7e:36:75:d3:3c:12:f5:cd:b2:a0:8a:0a:19:68:59:30:15:e3:cf:d3:4b:f4:99:a1:5a:3c:1f:c0:34:a3:e0:88:7a:44:6d:27:a9:87:2f:91:71:b4:c7:bb:c7:01:e2:fa:53:ef:09:1b:46:7b:df:52:f8:7a:cf:03:36:f9:b6:ce:a1:1c:3f:65:46:f8:13:cd:ac:9a:e2:19:43:26:b7:4a:2b:bd:da:94:d1:18:26:41:6e:19:2d:e1:6f:df:c4:c1:43:f6:8e:1e:99:d9:da:b2:8a:58:5e:5e:e8:a9:0c:4c:1d:a0:0f:50:b8:79:4b:3a:8a:4d:7a:7f:f4:10:b3:e8:d6:41:ec:57:e3:d1:c0:e1:fc:50:20:1c:f5:ad:84:a8:f6:af:2e:f4:cb:45:b7:4a:40:af:63:66:39:9b:73","public_exponent":65537}},"issuer_unique_id":null,"subject_unique_id":null,"extensions":[{"extn_id":"subject_alt_name","critical":false,"extn_value":["m\\xe4x@m\\xfcstermann.de"]}],"serial_number_str":"0"},"signature_algorithm":{"algorithm":"sha512_rsa","parameters":null},"signature_value":"78:ca:9f:d4:e7:e0:e9:95:6d:99:8f:ba:ca:69:ff:bd:2e:db:9f:4b:15:e5:ea:b8:c2:58:16:29:c2:2d:24:a3:62:36:91:61:ec:4b:99:e4:09:f9:a9:9b:fa:03:73:c1:ea:05:a9:ef:29:28:29:f6:00:aa:82:f8:53:1c:f0:6e:c0:87:ad:b2:93:24:ae:ba:56:f8:1c:62:54:23:d4:d5:66:a5:e1:36:cd:48:13:ad:fd:7b:4d:ff:c1:ee:de:fe:2f:d9:af:0e:82:7b:b0:58:2d:0c:e5:86:70:97:40:a5:ee:99:9a:96:59:14:8b:63:37:c5:04:07:17:58:04:56:d3:d9:71:a8:9c:c3:2f:21:77:19:ac:4d:95:83:f1:9f:91:0c:a3:8b:9c:1d:0e:0a:45:ed:e2:84:f9:57:6a:fa:5b:20:a8:15:26:d2:d8:34:2a:60:a7:d3:54:70:71:c3:17:aa:d7:3d:65:f5:5f:4e:a9:41:a2:e3:a7:c0:b4:5e:af:0b:48:64:f5:3a:08:0b:ec:c3:77:42:f8:13:19:45:19:7f:f8:09:79:1b:32:e2:9c:c2:91:b3:8d:e0:f4:e5:3f:9d:36:ae:22:a4:a8:d1:53:5b:c6:e3:ff:cb:a3:c0:47:ef:fd:b6:08:07:7a:97:1b:bf:cf:08:e0:5d:d1:4a:19:8a:14:c2:22:d0:79:b7:dc:76:d2:35:08:40:f8:33:80:8e:91:39:16:89:f5:51:18:d7:09:62:8d:47:ed:c6:e6:07:9d:d4:a8:3c:7a:df:e0:0d:bb:9a:a8:42:44:59:5d:f7:7b:f7:53:54:5f:0b:7f:1b:65:8d:df:bd:78:c9:e5:f8:57:e3:6b:e7:1f:d4:20:20:c3:0a:18:e2:6e:fa:10:e8:49:54:c7:25:6e:a1:5d:28:5f:45:f2:f1:c5:52:0e:28:c6:64:3a:4b:a6:d2:aa:66:e3:4d:fd:b2:3d:9c:30:b5:35:85:c8:44:93:53:f6:98:21:22:7c:36:8d:12:d9:d2:05:84:d0:22:b6:db:92:59:81:ea:26:3f:53:7b:a8:e8:34:c6:64:21:c0:e6:5b:3e:2b:23:6a:8b:dd:2d:63:25:46:ab:e7:a5:e4:1c:53:f0:e5:46:bb:80:17:da:ee:45:cf:da:34:34:3c:f4:61:a4:9e:00:92:a0:72:42:52:d9:9c:31:d0:90:6d:a7:90:53:9c:6a:49:83:55:f8:45:4a:1b:0c:da:65:1b:a3:d4:8c:b2:36:88:c3:c9:e2:ac:e2:93:e6:7c:fc:f6:e6:1b:35:21:26:d6:75:32:dc:98:dd:ba:7d:90:d8:48:25:36:7b:2e:f6:a1:72:bd:01"}]

This is ready to ship in the next release.

from jc.

sumezulike commented on June 2, 2024

Thanks a lot for the fix!
I can't think of any good way to report the warning back to the caller when used in code, but I guess one would just need to check the email address afterwards.
It is not repressed by the quiet argument though, is that intended?

from jc.

kellyjonbrazil commented on June 2, 2024

I would have liked to have more control over how the warning message is presented, but since this is an external library I'm not able to (without some effort) inject the --quiet state into the library or have it use the standard warning library used in jc to print the message. Maybe I'll take another look and see if it's not too hard to do with a global variable or something.

from jc.

kellyjonbrazil commented on June 2, 2024

I was able to get the quiet option working in the latest dev commit.

from jc.

Parsing x509 certificates with non-utf-8 encoded email addresses causes parser to crash with UnicodeDecodeError about jc HOT 10 CLOSED

Comments (10)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent