[ssh_x509] X.509 Certificate Format Question, additional information

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue Dec 24 05:32:14 EET 2019


Roumen,
I am working with a co-worker on a scenario using the PKIX-SSH X.509 code that we integrated and they are creating a certificate with the following Organization name in the Subject, notice the comma:
-subj "/C=us/ST=was/L=se/O=Some Corp, Inc."
 

The code is stating the following when parsing the cert:
ssh_X509_NAME_add_entry_by_NID: escape sequence without data
x509key_from_subject: x509key_str2X509NAME fail
 

When I run a decode on the certificate with the online decoder https://certlogik.com/decoder/, I get the following. I believe the comma is creating a backslash:
O = Some Corp\, Inc.
 

When I create a cert with openssl and use the Some Corp, Inc. and then decode it I do see the backslash in the name, in front of the comma. However, if I use openssl to decode it (not the online decoder https://certlogik.com/decoder/) then I do not see the escape character but I see “” around the line:
[root at 518b16e9cea7 /]# openssl x509 -in junk.pem -text | grep Subject
Subject: C = us, ST = was, L = se, O = " Some Corp, Inc."
Question:
I would like to verify what your code is actually doing. It does not look to me like the comma is the issue but that there is indeed a “\” character in the string because of the comma and that is what your code is complaining about. It is hard to discern since there is a difference between what the online decoder provides and what openssl decode provides, either way using the comma provides a \ for the online decode or a “” around the string for an openssl decode. Any clarification would be helpful, thanks.
 

Further details from investigation:
I was able to set up the connection to mirror the customer's issue and it looks like it is an issue actually reading the host key contents on the client:
If I use the following in the cert on the server: -subj "/C=us/ST=was/L=se/O=Some Corp, Inc." I can actually make the connection with no errors and the hostkey file looks like this:
salil_server,172.17.0.5 x509v3-rsa2048-sha256 Subject:C=us,ST=nc,L=rtp,O=" Some Corp, Inc.",OU=test,CN=salil_server
 
debug1: Server host key: x509v3-rsa2048-sha256 SHA256:s2j+MahYOfBm+6XERSbrcnQXhCTll71+B/hOG8hRv8k
The authenticity of host 'salil_server (172.17.0.5)' can't be established.
RSA+cert key fingerprint is SHA256:s2j+MahYOfBm+6XERSbrcnQXhCTll71+B/hOG8hRv8k.
Distinguished name is 'C=us,ST=nc,L=rtp,O="Some Corp, Inc.",OU=test,CN=salil_server'.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'salil_server,172.17.0.5' (RSA+cert) to the list of known hosts.
 

But if I have strictkeychecking on the client and try to connect again I get the following error:
x509key_from_subject: x509key_str2X509NAME fail
debug1: /root/.ssh/known_hosts:1: parse error in hostkeys file
x509key_str2X509NAME: cannot parse 'Inc."' ...
x509key_from_subject: x509key_str2X509NAME fail
debug1: /root/.ssh/known_hosts:1: parse error in hostkeys file
No RSA+cert host key is known for salil_server and you have requested strict checking.
Host key verification failed.
 

If I turn off strictkeychecking I get the following errors and I am able to get into the server:
x509key_str2X509NAME: cannot parse 'Inc."' ...
x509key_from_subject: x509key_str2X509NAME fail
debug1: /root/.ssh/known_hosts:1: parse error in hostkeys file
x509key_str2X509NAME: cannot parse 'Inc."' ...
x509key_from_subject: x509key_str2X509NAME fail
debug1: /root/.ssh/known_hosts:1: parse error in hostkeys file
The authenticity of host 'salil_server (172.17.0.5)' can't be established.
RSA+cert key fingerprint is SHA256:s2j+MahYOfBm+6XERSbrcnQXhCTll71+B/hOG8hRv8k.
Distinguished name is 'C=us,ST=nc,L=rtp,O="Some Corp, Inc.",OU=test,CN=salil_server'.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'salil_server,172.17.0.5' (RSA+cert) to the list of known hosts.
 

And I get another entry in the hostkey file for the same server:
salil_server,172.17.0.5 x509v3-rsa2048-sha256 Subject:C=us,ST=nc,L=rtp,O="Some Corp, Inc.",OU=test,CN=salil_server
salil_server,172.17.0.5 x509v3-rsa2048-sha256 Subject:C=us,ST=nc,L=rtp,O="Some Corp, Inc.",OU=test,CN=salil_server
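As an added example (not code from PKIX-SSH or from this thread), the following Python tokenizer parses the `Subject:` string format shown in the known_hosts lines above, treating a comma inside `"..."` quotes or after a backslash as data rather than as a separator. `parse_dn`, `naive_split` and the `SAMPLE` string are constructed for this example; splitting on commas alone produces the fragment `Inc."`, the same token that appears in the `x509key_str2X509NAME: cannot parse` message.

```python
# Added example, not code from PKIX-SSH: a tokenizer for the attr=value,...
# subject string written after "Subject:" in known_hosts, honoring "..."
# quoting and backslash escapes as in RFC 4514 string representations.
from typing import List, Tuple

# Constructed sample, copied from the known_hosts line quoted in the post.
SAMPLE = 'C=us,ST=nc,L=rtp,O="Some Corp, Inc.",OU=test,CN=salil_server'


def naive_split(dn: str) -> List[str]:
    """Split on every comma: a quoted value is torn into fragments."""
    return [part.strip() for part in dn.split(",")]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse attr=value pairs; commas inside quotes or after a backslash are data."""
    pairs: List[Tuple[str, str]] = []
    attr: List[str] = []
    value: List[str] = []
    cur = attr            # the buffer currently being filled
    in_quotes = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":     # escape: the next character is literal data
            if i + 1 >= len(dn):
                raise ValueError("escape sequence without data")
            i += 1
            cur.append(dn[i])
        elif c == '"' and cur is value:
            in_quotes = not in_quotes   # quotes delimit, they are not data
        elif c == "=" and cur is attr:
            cur = value                 # first '=' ends the attribute name
        elif c == "," and not in_quotes:
            if cur is attr:
                raise ValueError("attribute without value: %r" % "".join(attr))
            pairs.append(("".join(attr), "".join(value)))
            attr, value = [], []
            cur = attr
        else:
            cur.append(c)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    if cur is attr:
        raise ValueError("trailing attribute without value: %r" % "".join(attr))
    pairs.append(("".join(attr), "".join(value)))
    return pairs
```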