Posted to dev@subversion.apache.org by Anders Blomdell <an...@control.lth.se> on 2004/02/10 12:03:56 UTC
svn fails to handle certificates with non-ascii characters
When svn is presented with a certificate that contains non-ASCII characters, it
fails to present a proper user override.
> svn list https://server/svn/repos
svn: PROPFIND request failed on '/svn/repos'
svn: PROPFIND of '/svn/repos': Server certificate verification failed:
certificate issued for a different hostname, issuer is not trusted (https://server)
>
The problem seems to be that svn_utf_cstring_from_utf8 returns with an
error, and that aborts the user override dialogue (unfortunately without
stating that the coding of the certificate is in error).
Here is a failing key/certificate pair:
Regards
Anders Blomdell
------------------------------------------------------------------------------
Anders Blomdell
Department of Automatic Control Email: anders.blomdell@control.lth.se
Lund Institute of Technology Phone: +46 46 222 4625
Box 118, S-221 00 Lund, Sweden Fax: +46 46 138118
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: svn fails to handle certificates with non-ascii characters
Posted by Joe Orton <jo...@manyfish.co.uk>.
Anders, here's a patch to fix handling of non-ASCII DNs in neon, let me
know if this doesn't solve the problem:
Index: src/ne_openssl.c
===================================================================
RCS file: /home/cvs/neon/src/ne_openssl.c,v
retrieving revision 1.30
diff -u -r1.30 ne_openssl.c
--- src/ne_openssl.c 13 Nov 2003 22:47:18 -0000 1.30
+++ src/ne_openssl.c 15 Feb 2004 12:32:06 -0000
@@ -1,6 +1,6 @@
/*
neon SSL/TLS support using OpenSSL
- Copyright (C) 2002-2003, Joe Orton <jo...@manyfish.co.uk>
+ Copyright (C) 2002-2004, Joe Orton <jo...@manyfish.co.uk>
Portions are:
Copyright (C) 1999-2000 Tommi Komulainen <To...@iki.fi>
@@ -86,10 +86,34 @@
* attribute in dname. */
if ((OBJ_cmp(ent->object, cname) && OBJ_cmp(ent->object, email)) ||
(!flag && n == 1)) {
- if (flag)
+ if (flag++)
ne_buffer_append(dump, ", ", 2);
- ne_buffer_append(dump, ent->value->data, ent->value->length);
- flag = 1;
+
+ switch (ent->value->type) {
+ case V_ASN1_UTF8STRING:
+ case V_ASN1_IA5STRING: /* definitely ASCII */
+ case V_ASN1_VISIBLESTRING: /* probably ASCII */
+ case V_ASN1_PRINTABLESTRING: /* subset of ASCII */
+ ne_buffer_append(dump, ent->value->data, ent->value->length);
+ break;
+ case V_ASN1_UNIVERSALSTRING:
+ case V_ASN1_T61STRING: /* let OpenSSL convert it as ISO-8859-1 */
+ case V_ASN1_BMPSTRING: {
+ unsigned char *tmp = ""; /* initialize to workaround 0.9.6 bug */
+ int len;
+
+ len = ASN1_STRING_to_UTF8(&tmp, ent->value);
+ if (len > 0) {
+ ne_buffer_append(dump, tmp, len);
+ OPENSSL_free(tmp);
+ break;
+ }
+ /* else fallthrough */
+ }
+ default:
+ ne_buffer_zappend(dump, "???");
+ break;
+ }
}
}
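Review bot: The first case group (V_ASN1_UTF8STRING, V_ASN1_IA5STRING, V_ASN1_VISIBLESTRING, V_ASN1_PRINTABLESTRING) still appends ent->value->data without checking it, so a value whose bytes do not match its declared type reaches the caller as something other than UTF-8; the patch's own comment admits VISIBLESTRING is only "probably ASCII". Since this string ends up in the certificate override prompt, consider validating those bytes before appending and falling back to "???" when they are not well-formed. Separately, in the conversion branch a result of len == 0 falls through to "???" without reaching OPENSSL_free(tmp); it is worth confirming whether ASN1_STRING_to_UTF8 can have allocated a buffer on that path.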
Re: svn fails to handle certificates with non-ascii characters
Posted by Joe Orton <jo...@manyfish.co.uk>.
On Tue, Feb 10, 2004 at 01:03:56PM +0100, Anders Blomdell wrote:
> When svn is presented a certificate that contains non ASCII characters, it
> fails to present a proper user override.
Yes, really it's a neon issue, neon completely ignores the ASN.1 types
of the attributes in the cert DN, so will pass back UCS-4 or ASCII or
whatever the cert uses. neon should define ne_ssl_readable_dname() to
return only UTF-8 strings, and convert, reject, or strip input
appropriately.
Note that PKIX now mandates use of UTF-8 in newly created certs from
2004 onwards... and that technically your cert is badly encoded (like
many others), since it puts an ISO-8859-1 string in a T61String object.
Bottom line: if you stick to ASCII or UTF-8 in your cert DNs, it will
happen to work correctly; otherwise, all bets are off.
Regards,
joe
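
The policy described in the message above (return only UTF-8, and convert or reject everything else), as an added example that is not part of the thread and is not neon's or OpenSSL's code. The function and enum names are hypothetical; it goes beyond the posted patch by also validating UTF8String and the ASCII types instead of copying them, and it assumes T61String is read as ISO-8859-1 (as the patch comment does) and that embedded NULs are rejected.

```c
#include <stddef.h>
#include <stdint.h>

/* ASN.1 universal tag numbers of the DN string types (enum names are mine). */
enum { T_UTF8 = 12, T_PRINTABLE = 19, T_T61 = 20, T_IA5 = 22,
       T_VISIBLE = 26, T_UNIVERSAL = 28, T_BMP = 30 };

/* Convert one DN attribute value to NUL-terminated UTF-8 in out[cap].
 * Returns the UTF-8 length, or -1 to reject the value (hypothetical API). */
long dn_value_to_utf8(int tag, const unsigned char *in, size_t len,
                      unsigned char *out, size_t cap)
{
    static const uint32_t min_cp[] = { 0, 0x80, 0x800, 0x10000 };
    size_t i = 0, n = 0, k, more, w = 1;

    if (tag == T_BMP) w = 2;                 /* UCS-2, big-endian */
    else if (tag == T_UNIVERSAL) w = 4;      /* UCS-4, big-endian */
    else if (tag != T_UTF8 && tag != T_PRINTABLE && tag != T_T61 &&
             tag != T_IA5 && tag != T_VISIBLE) return -1;
    if (cap == 0 || len % w) return -1;
    while (i < len) {
        uint32_t cp = 0;
        if (tag == T_UTF8) {                 /* validate, don't trust the tag */
            unsigned char b = in[i++];
            more = b < 0x80 ? 0 : (b & 0xE0) == 0xC0 ? 1 :
                   (b & 0xF0) == 0xE0 ? 2 : (b & 0xF8) == 0xF0 ? 3 : 4;
            if (more == 4 || more > len - i) return -1;
            cp = more ? b & (0x3Fu >> more) : b;
            for (k = 0; k < more; k++, i++) {
                if ((in[i] & 0xC0) != 0x80) return -1;
                cp = (cp << 6) | (in[i] & 0x3F);
            }
            if (cp < min_cp[more]) return -1;    /* overlong form */
        } else {
            for (k = 0; k < w; k++) cp = (cp << 8) | in[i++];
            /* single-byte types must be ASCII; T61 is read as ISO-8859-1 */
            if (w == 1 && tag != T_T61 && cp > 0x7F) return -1;
        }
        /* reject NUL, surrogates, out-of-range; keep room for 4 bytes + NUL */
        if (!cp || cp > 0x10FFFF || (cp & 0xFFF800) == 0xD800 || n + 5 > cap)
            return -1;
        k = cp < 0x80 ? 0 : cp < 0x800 ? 1 : cp < 0x10000 ? 2 : 3;
        out[n++] = (unsigned char)
            (k ? ((0xFF00u >> (k + 1)) & 0xFF) | (cp >> (6 * k)) : cp);
        while (k--) out[n++] = (unsigned char)(0x80 | ((cp >> (6 * k)) & 0x3F));
    }
    out[n] = '\0';
    return (long)n;
}
```

A caller building a readable DN would substitute a placeholder such as the patch's "???" whenever this returns -1.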