Use utf8 string for private key subject with non-printable characters by areed · Pull Request #710 · smallstep/crypto

areed · 2025-02-20T21:29:11Z

When importing a private key into an NSS database with a certificate, the certificate common name is used as the value of the CKA_SUBJECT attribute on the key object. This fixes the serialization to work when the CN contains characters that aren't valid for the asn1 printable string type.

💔Thank you!

maraino · 2025-02-21T01:42:39Z

+var printableRx = regexp.MustCompile(`^[a-zA-Z0-9 '()+,\-.\\:=?]*$`)
+
+func isPrintable(s string) bool {
+	return printableRx.MatchString(s)
+}


Is this a limitation of nssdb?

The unicode package has a method for validating whether a run is printable IsPrint(rune). Some more complicated limitations can be done using the In(r rune, ranges ...*RangeTable) function, for example, to limit the runes to be in the Latin RangeTable, or you can also create your own.

This refers to the asn.1 type of printable strings, which is more restrictive than the unicode IsPrint function. In a certificate where the common name contains only printable characters it's encoded with the asn1 tag for PrintableString. For anything else it gets the asn1 tag for UTF8String. (At least that's how it works for our certificates.)

Looping runes will perform better:

crypto/x509util/utils.go

Lines 183 to 213 in 9fd47c3

// isPrintableString reports whether the given s is a valid ASN.1 PrintableString.

// If asterisk is allowAsterisk then '*' is also allowed, reflecting existing

// practice. If ampersand is allowAmpersand then '&' is allowed as well.

func isPrintableString(s string, asterisk, ampersand bool) bool {

for _, b := range s {

valid := 'a' <= b && b <= 'z' ||

'A' <= b && b <= 'Z' ||

'0' <= b && b <= '9' ||

'\'' <= b && b <= ')' ||

'+' <= b && b <= '/' ||

b == ' ' ||

b == ':' ||

b == '=' ||

b == '?' ||

// This is technically not allowed in a PrintableString.

// However, x509 certificates with wildcard strings don't

// always use the correct string type so we permit it.

(asterisk && b == '*') ||

// This is not technically allowed either. However, not

// only is it relatively common, but there are also a

// handful of CA certificates that contain it. At least

// one of which will not expire until 2027.

(ampersand && b == '&')

if !valid {

return false

}

}

return true

}

Go ans1 loops around bytes using a similar method, this is for one byte https://github.com/golang/go/blob/f24b299df2896a4e8a80863dbb55a264f4b9bb68/src/encoding/asn1/asn1.go#L422-L444

maraino

lgtm

Use utf8 string for private key subject with non-printable characters

d423b16

github-actions bot added the needs triage label Feb 20, 2025

areed requested a review from maraino February 20, 2025 21:29

Fix lint

5334881

joshdrake previously approved these changes Feb 20, 2025

View reviewed changes

maraino reviewed Feb 21, 2025

View reviewed changes

Use x509util.IsPrintableString

9ce1394

areed dismissed joshdrake’s stale review via 9ce1394 February 24, 2025 14:32

areed enabled auto-merge (squash) February 24, 2025 14:38

Move IsPrintableString to internal/utils

0788362

maraino approved these changes Feb 24, 2025

View reviewed changes

areed merged commit 9694c65 into master Feb 24, 2025

areed deleted the areed/nssdb-non-printable branch February 24, 2025 21:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use utf8 string for private key subject with non-printable characters#710

Use utf8 string for private key subject with non-printable characters#710
areed merged 4 commits intomasterfrom
areed/nssdb-non-printable

areed commented Feb 20, 2025

Uh oh!

maraino Feb 21, 2025

Uh oh!

areed Feb 21, 2025

Uh oh!

maraino Feb 21, 2025

Uh oh!

areed Feb 24, 2025 •

edited

Loading

Uh oh!

maraino left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

	// isPrintableString reports whether the given s is a valid ASN.1 PrintableString.
	// If asterisk is allowAsterisk then '*' is also allowed, reflecting existing
	// practice. If ampersand is allowAmpersand then '&' is allowed as well.
	func isPrintableString(s string, asterisk, ampersand bool) bool {
	for _, b := range s {
	valid := 'a' <= b && b <= 'z' \|\|
	'A' <= b && b <= 'Z' \|\|
	'0' <= b && b <= '9' \|\|
	'\'' <= b && b <= ')' \|\|
	'+' <= b && b <= '/' \|\|
	b == ' ' \|\|
	b == ':' \|\|
	b == '=' \|\|
	b == '?' \|\|
	// This is technically not allowed in a PrintableString.
	// However, x509 certificates with wildcard strings don't
	// always use the correct string type so we permit it.
	(asterisk && b == '*') \|\|
	// This is not technically allowed either. However, not
	// only is it relatively common, but there are also a
	// handful of CA certificates that contain it. At least
	// one of which will not expire until 2027.
	(ampersand && b == '&')

	if !valid {
	return false
	}
	}

	return true
	}

Conversation

areed commented Feb 20, 2025

Uh oh!

maraino Feb 21, 2025

Choose a reason for hiding this comment

Uh oh!

areed Feb 21, 2025

Choose a reason for hiding this comment

Uh oh!

maraino Feb 21, 2025

Choose a reason for hiding this comment

Uh oh!

areed Feb 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

maraino left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

areed Feb 24, 2025 •

edited

Loading