Posted to dev@subversion.apache.org by Anders Blomdell <an...@control.lth.se> on 2004/02/10 12:03:56 UTC

svn fails to handle certificates with non-ascii characters

When svn is presented a certificate that contains non ASCII characters, it 
fails to present a proper user override.

 > svn list https://server/svn/repos
svn: PROPFIND request failed on '/svn/repos'
svn: PROPFIND of '/svn/repos': Server certificate verification failed:
certificate issued for a different hostname, issuer is not trusted (https://server)
 >

The problem seems to be that svn_utf_cstring_from_utf8 returns with an 
error, and that aborts the user override dialogue (unfortunately without 
stating that the coding of the certificate is in error).

Here is a failing key/certificate pair:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Regards

Anders Blomdell


------------------------------------------------------------------------------
  Anders Blomdell
  Department of Automatic Control     Email: anders.blomdell@control.lth.se
  Lund Institute of Technology        Phone: +46 46 222 4625
  Box 118, S-221 00 Lund, Sweden      Fax:   +46 46 138118


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: svn fails to handle certificates with non-ascii characters

Posted by Joe Orton <jo...@manyfish.co.uk>.
Anders, here's a patch to fix handling of non-ASCII DNs in neon, let me
know if this doesn't solve the problem:

Index: src/ne_openssl.c
===================================================================
RCS file: /home/cvs/neon/src/ne_openssl.c,v
retrieving revision 1.30
diff -u -r1.30 ne_openssl.c
--- src/ne_openssl.c	13 Nov 2003 22:47:18 -0000	1.30
+++ src/ne_openssl.c	15 Feb 2004 12:32:06 -0000
@@ -1,6 +1,6 @@
 /* 
    neon SSL/TLS support using OpenSSL
-   Copyright (C) 2002-2003, Joe Orton <jo...@manyfish.co.uk>
+   Copyright (C) 2002-2004, Joe Orton <jo...@manyfish.co.uk>
    Portions are:
    Copyright (C) 1999-2000 Tommi Komulainen <To...@iki.fi>
 
@@ -86,10 +86,34 @@
          * attribute in dname. */
 	if ((OBJ_cmp(ent->object, cname) && OBJ_cmp(ent->object, email)) ||
             (!flag && n == 1)) {
-	    if (flag)
+ 	    if (flag++)
 		ne_buffer_append(dump, ", ", 2);
-	    ne_buffer_append(dump, ent->value->data, ent->value->length);
-	    flag = 1;
+
+            switch (ent->value->type) {
+            case V_ASN1_UTF8STRING:
+            case V_ASN1_IA5STRING: /* definitely ASCII */
+            case V_ASN1_VISIBLESTRING: /* probably ASCII */
+            case V_ASN1_PRINTABLESTRING: /* subset of ASCII */
+                ne_buffer_append(dump, ent->value->data, ent->value->length);
+                break;
+            case V_ASN1_UNIVERSALSTRING:
+            case V_ASN1_T61STRING: /* let OpenSSL convert it as ISO-8859-1 */
+            case V_ASN1_BMPSTRING: {
+                unsigned char *tmp = ""; /* initialize to workaround 0.9.6 bug */
+                int len;
+
+                len = ASN1_STRING_to_UTF8(&tmp, ent->value);
+                if (len > 0) {
+                    ne_buffer_append(dump, tmp, len);
+                    OPENSSL_free(tmp);
+                    break;
+                }
+                /* else fallthrough */
+            }
+            default:
+                ne_buffer_zappend(dump, "???");
+                break;
+            }                
 	}
     }
 
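Review bot: the V_ASN1_UTF8STRING branch appends ent->value->data unchecked, so a UTF8String whose bytes are not well-formed UTF-8 is still passed straight back and would reproduce the svn_utf_cstring_from_utf8 failure this patch is meant to cure; validate the bytes before appending, or send invalid ones to the same "???" fallback as the default case. Two smaller points: `unsigned char *tmp = "";` assigns a string literal to an unsigned char pointer and `ne_buffer_append(dump, tmp, len);` hands it back as a char pointer, both of which draw signedness warnings and want a cast; and the line `+ 	    if (flag++)` carries a stray leading space before the tab.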


Re: svn fails to handle certificates with non-ascii characters

Posted by Joe Orton <jo...@manyfish.co.uk>.
On Tue, Feb 10, 2004 at 01:03:56PM +0100, Anders Blomdell wrote:
> When svn is presented a certificate that contains non ASCII characters, it 
> fails to present a proper user override.

Yes, really it's a neon issue, neon completely ignores the ASN.1 types
of the attributes in the cert DN, so will pass back UCS-4 or ASCII or
whatever the cert uses.  neon should define ne_ssl_readable_dname() to
return only UTF-8 strings, and convert, reject, or strip input
appropriately.

Note that PKIX now mandates use of UTF-8 in newly created certs from
2004 onwards...  and that technically your cert is badly encoded (like
many others), since it puts an ISO-8859-1 string in a T61String object.

Bottom line: if you stick to ASCII or UTF-8 in your cert DNs, it will
happen to work correctly; otherwise, all bets are off.

Regards,

joe

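As an added example (not neon's code and not posted by anyone in this thread), here is a self-contained C sketch of the "convert, reject, or strip" policy described above: each DN attribute value is turned into UTF-8 according to its ASN.1 string type, the 7-bit types and UTF8String are checked rather than trusted, T61String is treated as ISO-8859-1 the way the patch does, BMPString is decoded as UCS-2, and anything that cannot be converted becomes "???" as in the patch. The enum, the function names and the sample values are assumptions of this example; it does not use OpenSSL.

```c
/* Added example, not neon's code: render one DN attribute value as UTF-8,
 * or reject it, based on its ASN.1 string type. The type tags below are
 * modelled here and are not OpenSSL's V_ASN1_* constants. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum asn1_str_type { STR_PRINTABLE, STR_IA5, STR_UTF8, STR_T61, STR_BMP };

/* Return 1 if buf[0..len) is well-formed UTF-8: no truncated sequences,
 * no overlong encodings, no surrogates, nothing above U+10FFFF. */
static int utf8_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0, k, n;
    unsigned int cp, min;
    while (i < len) {
        unsigned char c = buf[i];
        if (c < 0x80) { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { n = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;                       /* stray continuation or 0xF8+ */
        if (i + n >= len) return 0;          /* sequence runs past the end */
        for (k = 1; k <= n; k++) {
            if ((buf[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (buf[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += n + 1;
    }
    return 1;
}

/* Encode code point cp as UTF-8 into out; returns the number of bytes. */
static size_t utf8_put(unsigned int cp, char *out)
{
    if (cp < 0x80) { out[0] = (char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (char)(0xC0 | (cp >> 6)); out[1] = (char)(0x80 | (cp & 0x3F)); return 2;
    }
    if (cp < 0x10000) {
        out[0] = (char)(0xE0 | (cp >> 12)); out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (char)(0x80 | (cp & 0x3F)); return 3;
    }
    out[0] = (char)(0xF0 | (cp >> 18)); out[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (char)(0x80 | ((cp >> 6) & 0x3F)); out[3] = (char)(0x80 | (cp & 0x3F)); return 4;
}

/* Convert one attribute value to a malloc'd, NUL-terminated UTF-8 string.
 * Anything unconvertible yields "???", matching the patch's fallback. */
char *dn_value_to_utf8(enum asn1_str_type type, const unsigned char *data, size_t len)
{
    char *out = malloc(len * 4 + 4);     /* worst case 4 bytes per input unit, plus "???" */
    size_t o = 0, i;
    if (!out) return NULL;
    switch (type) {
    case STR_PRINTABLE:
    case STR_IA5:                        /* 7-bit types: any high bit set is an encoding error */
        for (i = 0; i < len; i++) { if (data[i] & 0x80) goto bad; out[o++] = (char)data[i]; }
        break;
    case STR_UTF8:                       /* declared UTF-8, but verify rather than trust */
        if (!utf8_valid(data, len)) goto bad;
        memcpy(out, data, len); o = len;
        break;
    case STR_T61:                        /* treated as ISO-8859-1, as the patch does */
        for (i = 0; i < len; i++) o += utf8_put(data[i], out + o);
        break;
    case STR_BMP:                        /* UCS-2 big-endian, two bytes per character */
        if (len % 2) goto bad;
        for (i = 0; i < len; i += 2) {
            unsigned int cp = ((unsigned int)data[i] << 8) | data[i + 1];
            if (cp >= 0xD800 && cp <= 0xDFFF) goto bad;
            o += utf8_put(cp, out + o);
        }
        break;
    default:
        goto bad;
    }
    if (memchr(out, 0, o)) goto bad;     /* an embedded NUL would silently truncate the C string */
    out[o] = '\0';
    return out;
bad:
    strcpy(out, "???");
    return out;
}

/* Convenience check: does the converted value equal the expected UTF-8 text? */
int dn_value_equals(enum asn1_str_type type, const unsigned char *data, size_t len, const char *expected)
{
    char *s = dn_value_to_utf8(type, data, len);
    int eq = (s != NULL && strcmp(s, expected) == 0);
    free(s);
    return eq;
}

int main(void)
{
    /* constructed sample values: "Skåne" as T61/ISO-8859-1, as BMP/UCS-2, and a broken UTF8String */
    const unsigned char t61[] = { 'S', 'k', 0xE5, 'n', 'e' };
    const unsigned char bmp[] = { 0, 'S', 0, 'k', 0, 0xE5, 0, 'n', 0, 'e' };
    const unsigned char bad_utf8[] = { 'c', 'a', 'f', 0xE9 };
    char *a = dn_value_to_utf8(STR_T61, t61, sizeof t61);
    char *b = dn_value_to_utf8(STR_BMP, bmp, sizeof bmp);
    char *c = dn_value_to_utf8(STR_UTF8, bad_utf8, sizeof bad_utf8);
    printf("T61 -> %s\nBMP -> %s\nbad UTF8String -> %s\n", a, b, c);
    free(a); free(b); free(c);
    return 0;
}
```

The two checks a caller gets from this that the patch does not give are the UTF8String validation and the rejection of an embedded NUL; both cases otherwise surface later as an opaque failure, exactly the symptom reported at the top of the thread.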