[ssh_x509] X.509 Certificate Format Question, additional information

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue Dec 24 14:22:49 EET 2019


ssh_x509 at roumenpetrov.info wrote:
> Roumen,
> I am working with a co-worker on a scenario using the PKIX-SSH X.509 code that we integrated and they are creating a certificate with the following Organization name in the Subject, notice the comma:
> -subj "/C=us/ST=was/L=se/O=Some Corp, Inc."
> The code is stating the following when parsing the cert:
> ssh_X509_NAME_add_entry_by_NID: escape sequence without data
> x509key_from_subject: x509key_str2X509NAME fail
This parser is simple :(.

> When I run a decode on the certificate with the online decoder https://certlogik.com/decoder/,  I get the following. I believe the comma is creating a backslash:
> O = Some Corp\, Inc.
> When I create a cert with openssl and use the Some Corp, Inc. and then decode it I do see the backslash in the name, in front of the comma. However, if I use openssl to decode it (not the online decoder https://certlogik.com/decoder/) then I do not see the escape character but I see “” around the line:
> [root at 518b16e9cea7 /]# openssl x509 -in junk.pem -text | grep Subject
> Subject: C = us, ST = was, L = se, O = " Some Corp, Inc."
The modern version is use of nameopt commend argument. In general 
PKIX-SSH is not able to parse non-ascii output of above command and so 
nameopt is required (see README.x509v3) .

With  openssl x509 -in junk.pem -text -nameopt 
utf8,sep_comma_plus,-use_quote you should see escaped output same as 
"online decoder"

> Question:
> I would like to verify what your code is actually doing. It does not look to me like the comma is the issue but that there is indeed a “\” character in the string because of the comma and that is what your code is complaining about.
Method is x509key_str2X509NAME. As already was point is is simple, i.e. 
does not support "escaped sequences".

> It is hard to discern since there is a difference between what the online decoder provides and what openssl decode provides, either way using the comma provides a \ for the online decode or a “” around the string for an openssl decode. Any clarification would be helpful, thanks.
There is no difference as "foo," (quoted included) and foo\, are one and 
the same. Quoted sting does not require escape sequence for specific 
Please see manual page x509(3), section NAME OPTIONS.

> Further details from investigation:
> I was able to set up the connection to mirror the customers issue and it looks like it is an issue actually reading the host key contents on the client:
> If I use the following in the cert on the server:   -subj "/C=us/ST=was/L=se/O=Some Corp, Inc." I can actually make the connection with no errors and the hostkey file looks like this:
> salil_server, x509v3-rsa2048-sha256 Subject:C=us,ST=nc,L=rtp,O=" Some Corp, Inc.",OU=test,CN=salil_server
Work-around is to use "public" file instead distinguished name in 
respective files (know host, authorized keys).

> [SNIP]

Method x509key_str2X509NAME could be improved to be more compliant with 
rfc 2253.


More information about the ssh_x509 mailing list