Jira (PUP-11457) CSR Custom Attributes / Extensions issue


Simon Baker (Jira)

Feb 16, 2022, 9:45:03 AM
to puppe...@googlegroups.com
Simon Baker created an issue
 
Puppet / Bug PUP-11457
CSR Custom Attributes / Extensions issue
Issue Type: Bug
Affects Versions: PUP 7.13.1
Assignee: Unassigned
Created: 2022/02/16 6:44 AM
Priority: Normal
Reporter: Simon Baker

I'm trying to use the CSR extensions to pass data across in the request, via the documented extensions process.

I've (programmatically) created csr_attributes.yaml files, an example of which is shown below:

custom_attributes:
  1.2.840.113549.1.9.7: RNo6/fdbnbQsPt8zn0uP3IWWGhAMYsjVVs9erOv+veY=
extension_requests:
  pp_preshared_key: RNo6/fdbnbQsPt8zn0uP3IWWGhAMYsjVVs9erOv+veY=
  pp_hostname: a-322vcjyt8x22e.portswigger.internal
  pp_cost_center: "368321020290"
  pp_region: eu-west-1a
  pp_instance_id: i-0c912dacae75004b6
  pp_image_name: ami-01e6043eb0ffac336
  pp_cloudplatform: AWS
 

When running puppet, it successfully generates the CSR and includes the data in the extensions I expect.  However, this data is not the same as the data it should be - there are extra bytes at the beginning.  For example, the OID 1.2.840.113549.1.9.7 which I'm using for a PSK, in bytes, should be:

[82 78 111 54 47 102 100 98 110 98 81 115 80 116 56 122 110 48 117 80 51 73 87 87 71 104 65 77 89 115 106 86 86 115 57 101 114 79 118 43 118 101 89 61]

However, extracting those from the CSR gives me two extra bytes for free :)

[12 44 82 78 111 54 47 102 100 98 110 98 81 115 80 116 56 122 110 48 117 80 51 73 87 87 71 104 65 77 89 115 106 86 86 115 57 101 114 79 118 43 118 101 89 61]

The solution I'm extracting those bytes with is written in Go, so I asked a colleague to try the same in Java - we got the same results :(

Please note that it's all the extension fields that have extra bytes, with the first byte being 12 and the next byte being different.

The client which is generating this CSR is a Fedora box, running "Fedora release 35 (Thirty Five)".  It's running puppet 7.14.0, installed via the RPM "puppet-agent-7.14.0-1.fc34.x86_64"


Simon Baker (Jira)

Feb 16, 2022, 9:50:03 AM
to puppe...@googlegroups.com
Simon Baker updated an issue
Change By: Simon Baker
Attachment: fedora-test.portswigger.internal.pem

Simon Baker (Jira)

Feb 16, 2022, 9:51:03 AM
to puppe...@googlegroups.com
Simon Baker updated an issue
Output CSR attached.

Josh Cooper (Jira)

Feb 16, 2022, 2:56:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11457
 
Re: CSR Custom Attributes / Extensions issue

SimonB cert extensions are encoded using ASN.1, so every entry is an array of tag, length, value (TLV). The tag 12 corresponds to a UTF8String: https://ruby-doc.org/stdlib-2.7.0/libdoc/openssl/rdoc/OpenSSL/ASN1.html#module-OpenSSL::ASN1-label-Tag+constants

So whatever library you're using to parse the extensions should take the tag and length into account and return the appropriate type of object, such as UTF8String vs PrintableString. In Ruby, you'd want to use "OpenSSL::ASN1.decode" and then call the "value" on the returned object.

I'm going to close this as puppet is behaving as expected.
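
The TLV unwrapping described in the comment above, sketched in Go (the language the reporter used) as an added example that is not code from the thread or from Puppet. The helper names DecodeExtString and EncodeUTF8String are hypothetical; the input bytes are the ones quoted in the report, and the decoder accepts only string tags with no trailing data.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"unicode/utf8"
)

// Extension value exactly as quoted in the report: tag 12 (UTF8String),
// length 44, then the 44 bytes of the pre-shared key text.
var reportedValue = append([]byte{12, 44},
	"RNo6/fdbnbQsPt8zn0uP3IWWGhAMYsjVVs9erOv+veY="...)

// EncodeUTF8String (hypothetical helper) builds the DER UTF8String TLV,
// the same wrapping the report observed around each value.
func EncodeUTF8String(s string) ([]byte, error) {
	return asn1.MarshalWithParams(s, "utf8")
}

// DecodeExtString (hypothetical helper) unwraps one DER string TLV and
// returns its tag and content. It rejects trailing bytes, non-string
// tags and invalid UTF-8 instead of passing raw bytes through.
func DecodeExtString(der []byte) (int, string, error) {
	var rv asn1.RawValue
	rest, err := asn1.Unmarshal(der, &rv) // handles short and long length forms
	if err != nil {
		return 0, "", err
	}
	if len(rest) != 0 {
		return 0, "", errors.New("trailing data after ASN.1 value")
	}
	if rv.Class != asn1.ClassUniversal || rv.IsCompound {
		return rv.Tag, "", errors.New("not a primitive universal type")
	}
	switch rv.Tag {
	case asn1.TagUTF8String, asn1.TagPrintableString, asn1.TagIA5String:
		if !utf8.Valid(rv.Bytes) {
			return rv.Tag, "", errors.New("string content is not valid UTF-8")
		}
		return rv.Tag, string(rv.Bytes), nil
	}
	return rv.Tag, "", fmt.Errorf("unexpected ASN.1 tag %d", rv.Tag)
}

func main() {
	tag, psk, err := DecodeExtString(reportedValue)
	fmt.Println(tag, psk, err)
}
```

Values of 128 bytes or more use the long length form, so the header grows beyond two bytes; stripping a fixed two-byte prefix would corrupt those, which is why the length is parsed rather than assumed.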

Simon Baker (Jira)

Feb 17, 2022, 4:55:01 AM
to puppe...@googlegroups.com
Simon Baker commented on Bug PUP-11457

Excellent - thanks josh! All working now :)
