New submission from Kacper <kac...@kacper.se>:
Currently all subject sets of a client certificate are treated as UTF8 strings using the ASN1_STRING_to_UTF8 function (https://github.com/python/cpython/blob/8d999cbf4adea053be6dbb612b9844635c4dfb8e/Modules/_ssl.c#L912), however RFC 5280 states that the UniqueIdentifier is of type BIT STRING. Passing a BIT STRING into the ASN1_STRING_to_UTF8 function seems to return -1 and subsequently fail an SSL handshake.

    Traceback (most recent call last):
      File "/usr/lib64/python3.6/asyncio/events.py", line 145, in _run
        self._callback(*self._args)
      File "/usr/lib64/python3.6/site-packages/tornado/platform/asyncio.py", line 138, in _handle_events
        handler_func(fileobj, events)
      File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 702, in _handle_events
        self._handle_read()
      File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 1471, in _handle_read
        self._do_ssl_handshake()
      File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 1431, in _do_ssl_handshake
        if not self._verify_cert(self.socket.getpeercert()):
      File "/usr/lib64/python3.6/ssl.py", line 860, in getpeercert
        return self._sslobj.getpeercert(binary_form)
      File "/usr/lib64/python3.6/ssl.py", line 610, in getpeercert
        return self._sslobj.peer_certificate(binary_form)
    ssl.SSLError: unknown error (_ssl.c:959)

(line 959 of _ssl.c corresponds to https://github.com/python/cpython/blob/8d999cbf4adea053be6dbb612b9844635c4dfb8e/Modules/_ssl.c#L914)

https://github.com/pyca/cryptography/issues/3542 might be of interest for further discussion.
----------
assignee: christian.heimes
components: SSL
messages: 409532
nosy: christian.heimes, kacper
priority: normal
severity: normal
status: open
title: Client certificates with UniqueIdentifier in the subject break ssl.peer_certificate()
type: behavior
versions: Python 3.10, Python 3.11, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46232>
_______________________________________
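The failure mode the report describes is a decoder that assumes every subject attribute value is a character string. The following is an added illustration, not code from CPython, OpenSSL or pyca/cryptography: a minimal pure-Python DER reader for an X.509 Name that dispatches on each value's ASN.1 tag, so a BIT STRING x500UniqueIdentifier (OID 2.5.4.45) is returned as raw bits instead of causing the whole subject to be rejected. The `strings_only` flag mimics the behaviour reported above (every non-string tag is an error). The sample subject, including the `deadbeef` identifier value, is constructed inline for the example; the real CPython code path is in C, and this sketch only shows the tag-dispatch idea.

```python
"""Tag-aware decoding of an X.509 subject Name (DER).

Added example for the bug report above; not CPython, OpenSSL or pyca code.
"""
import binascii

# Universal-class ASN.1 tags used below.
BIT_STRING = 0x03
OID = 0x06
UTF8_STRING = 0x0C
PRINTABLE_STRING = 0x13
IA5_STRING = 0x16
BMP_STRING = 0x1E
SEQUENCE = 0x30
SET = 0x31

# Character-string tags and the codec each one implies.
_STRING_TAGS = {
    UTF8_STRING: "utf-8",
    PRINTABLE_STRING: "ascii",
    IA5_STRING: "ascii",
    BMP_STRING: "utf-16-be",
}


def der(tag, body):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def decode_oid(body):
    """Decode an OBJECT IDENTIFIER body into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def decode_value(tag, body, strings_only=False):
    """Decode one AttributeValue according to its tag.

    With strings_only=True, behave like a converter that only accepts
    character strings: any other tag (e.g. BIT STRING) is an error.
    """
    if tag in _STRING_TAGS:
        return body.decode(_STRING_TAGS[tag])
    if tag == BIT_STRING and not strings_only:
        # First body byte is the count of unused bits in the last byte.
        unused_bits = body[0]
        return ("BIT STRING", binascii.hexlify(body[1:]).decode(), unused_bits)
    raise ValueError("unsupported attribute value tag 0x%02x" % tag)


def parse_name(name_der, strings_only=False):
    """Parse a DER Name into a list of (dotted OID, decoded value)."""
    tag, body, _ = read_tlv(name_der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs = []
    pos = 0
    while pos < len(body):                      # each RelativeDistinguishedName
        stag, sbody, pos = read_tlv(body, pos)
        if stag != SET:
            raise ValueError("RDN must be a SET")
        spos = 0
        while spos < len(sbody):                # each AttributeTypeAndValue
            atag, abody, spos = read_tlv(sbody, spos)
            if atag != SEQUENCE:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            otag, obody, vpos = read_tlv(abody, 0)
            if otag != OID:
                raise ValueError("attribute type must be an OID")
            vtag, vbody, _ = read_tlv(abody, vpos)
            attrs.append((decode_oid(obody), decode_value(vtag, vbody, strings_only)))
    return attrs


# Constructed sample subject: CN=example (UTF8String) plus an
# x500UniqueIdentifier (2.5.4.45) carried as a BIT STRING with 0 unused bits.
SAMPLE_SUBJECT = der(SEQUENCE,
    der(SET, der(SEQUENCE, der(OID, bytes.fromhex("550403")) + der(UTF8_STRING, b"example")))
    + der(SET, der(SEQUENCE, der(OID, bytes.fromhex("55042d")) + der(BIT_STRING, bytes.fromhex("00deadbeef")))))

if __name__ == "__main__":
    print(parse_name(SAMPLE_SUBJECT))
    try:
        parse_name(SAMPLE_SUBJECT, strings_only=True)
    except ValueError as exc:
        print("strings-only decoder rejects the subject:", exc)
```

The tag-aware decoder returns the identifier as a labelled hex string, while the strings-only variant raises on the same input; a `getpeercert()` caller that needs only the CN is better served by the first behaviour than by a failed handshake.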