View Issue Details

ID: 0008738
Project: CTT UA Package
Category: 5 - General Problem
View Status: public
Last Update: 2023-05-12 16:08
Reporter: Ondrej Flek
Assigned To: Alexander Allmendinger
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.03.09-01.00.503
Summary0008738: Subject Alternative Name for user x.509 certificate does not comply with RFC 5280
Description

The Subject Alternative Name field in the ctt_ca1U_usrUR.der user x.509 certificate ("URI:compliance@opcfoundation.org") does not follow RFC 5280. As a result, some security libraries consider such a certificate invalid.

Steps To Reproduce

The following is the printout of the certificate content; see the "X509v3 Subject Alternative Name:" field.

openssl x509  -text  -in ./PKI/certs/ctt_ca1U_usrUR.der
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Arizona, O = OPC Foundation, CN = ctt_ca1U, DC = 3J26SP2
        Validity
            Not Before: Nov  1 14:09:11 2022 GMT
            Not After : Nov  1 14:09:11 2023 GMT
        Subject: C = US, ST = Arizona, O = OPC Foundation, CN = ctt_ca1U_usrUR, DC = 3J26SP2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:8e:1b:17:b6:3e:38:e7:07:cd:d9:30:74:05:
                    30:a5:7a:34:1c:aa:58:88:a5:41:d8:d5:9b:3f:b3:
                    18:70:d0:41:1d:f3:98:e9:7f:69:6e:6c:17:79:94:
                    09:e3:61:9c:a7:cf:eb:6d:29:82:41:fd:d7:f4:27:
                    97:6a:9b:38:9b:21:1c:90:ba:05:99:24:37:4d:d8:
                    44:6a:c4:a1:a9:5b:99:7c:4c:17:6b:74:f2:35:4b:
                    33:d6:7f:45:fe:7c:cd:e2:a6:04:11:30:97:b6:c2:
                    4a:15:86:c0:18:0f:45:56:4c:41:b6:9c:b1:ed:c8:
                    dd:21:43:c4:39:d7:bd:ae:ec:54:4d:1d:c0:5b:f8:
                    4b:e1:d5:f8:ba:50:dc:72:d9:2e:8d:f8:06:07:e8:
                    bb:9b:97:3e:7e:4d:e5:ad:dd:d4:b8:e7:ba:af:64:
                    de:80:91:c2:c6:6f:36:e3:4d:f8:c3:39:25:6f:0a:
                    f5:b4:a5:3e:3b:9f:36:c5:f6:92:d2:80:55:c8:6c:
                    fb:b2:55:51:f8:2d:02:2f:19:74:27:85:33:24:62:
                    dc:3c:e9:d1:6d:21:73:00:2b:12:bd:55:a3:89:df:
                    7b:08:a5:64:ce:7c:02:89:0c:35:1f:6d:8f:ec:d8:
                    70:e8:6d:45:82:65:f7:b9:8c:61:b5:6c:06:ae:ec:
                    3a:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                38:32:72:E6:6F:7F:40:E6:ED:20:CC:D5:1A:41:96:DC:D4:A3:68:78
            X509v3 Authority Key Identifier: 
                CB:A4:39:06:51:79:88:FE:64:C1:66:8A:80:66:1B:A9:A9:E3:04:0D
            X509v3 Subject Alternative Name: URI:compliance@opcfoundation.org
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: 
                CA:FALSE

Additional Information

RFC 5280, Section 4.2.1.6, says:

"When the subjectAltName extension contains a URI, the name MUST be stored in the uniformResourceIdentifier (an IA5String). The name MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in [RFC3986]. The name MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host. "

RFC 3986, Section 3, says:

"The generic URI syntax consists of a hierarchical sequence of
components referred to as the scheme, authority, path, query, and
fragment.

   URI         = scheme ":" hier-part [ "?" query ] [ "#" fragment ]

   hier-part   = "//" authority path-abempty
               / path-absolute
               / path-rootless
               / path-empty

The scheme and path components are required, though the path may be
empty (no characters). When authority is present, the path must
either be empty or begin with a slash ("/") character. When
authority is not present, the path cannot begin with two slash
characters ("//").
............
      foo://example.com:8042/over/there?name=ferret#nose
      \_/   \______________/\_________/ \_________/ \__/
       |           |            |            |        |
    scheme     authority       path        query   fragment
       |   _____________________|__
      / \ /                        \
      urn:example:animal:ferret:nose"

RFC 3986, Section 4.3, says:

"Some protocol elements allow only the absolute form of a URI without
a fragment identifier. For example, defining a base URI for later
use by relative references calls for an absolute-URI syntax rule that
does not allow a fragment.

   absolute-URI  = scheme ":" hier-part [ "?" query ]

URI scheme specifications must define their own syntax so that all
strings matching their scheme-specific syntax will also match the
<absolute-URI> grammar."
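To make the RFC rules quoted above checkable, the following is an added example; it is not code from the CTT project, from the reporter, or from the fix. It decodes a DER-encoded GeneralNames value (the payload of the subjectAltName extension) with a minimal TLV reader and then applies the RFC 5280 Section 4.2.1.6 rules to every uniformResourceIdentifier entry: IA5String, a scheme present (no relative URI), a non-empty scheme-specific-part, and, when an authority is present, a host that is an FQDN or IP address. The sample extension bytes are constructed here to carry the SAN value printed in the report; the "corrected" sample reuses RFC 3986's own example URN purely as an illustration and is not what the fixed CTT certificates contain.

```python
"""Validate subjectAltName URI entries per RFC 5280 4.2.1.6 / RFC 3986.

Added example, not CTT project code.  Input is the DER GeneralNames value of
the SAN extension (what a caller has already pulled out of a certificate).
"""
import ipaddress
import re
from typing import List, Tuple

# RFC 3986 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+\-.]*):")
# Characters a URI may contain (unreserved, reserved, and "%" for pct-encoding).
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_fqdn(host: str) -> bool:
    """At least two valid DNS labels; a bare name such as 'localhost' is not an FQDN."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and len(host) <= 253 and all(_LABEL.match(l) for l in labels)


def check_san_uri(uri: str) -> Tuple[bool, str]:
    """Apply the RFC 5280 rules for a subjectAltName URI; return (ok, reason)."""
    if not uri.isascii() or not uri.isprintable():
        return False, "not a printable IA5String"
    m = _SCHEME.match(uri)
    if not m:
        return False, "relative URI: no scheme"
    hier_part = uri[m.end():]
    if not hier_part:
        return False, "empty scheme-specific-part"
    if not _URI_CHARS.match(uri):
        return False, "character not allowed by RFC 3986"
    if hier_part.startswith("//"):
        # authority = [ userinfo "@" ] host [ ":" port ]
        authority = re.split(r"[/?#]", hier_part[2:], maxsplit=1)[0]
        host = authority.rsplit("@", 1)[-1]
        if host.startswith("["):                     # IP-literal
            host = host[1:host.find("]")] if "]" in host else ""
        else:
            host = host.split(":", 1)[0]
        if not host:
            return False, "authority without host"
        if not (_is_ip(host) or _is_fqdn(host)):
            return False, f"host {host!r} is neither an FQDN nor an IP address"
    return True, "ok"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


_GENERAL_NAME_TAGS = {0x81: "rfc822Name", 0x82: "dNSName",
                      0x86: "uniformResourceIdentifier", 0x87: "iPAddress"}


def parse_general_names(der: bytes) -> List[Tuple[str, str]]:
    """Decode GeneralNames ::= SEQUENCE OF GeneralName into (type, text) pairs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        kind = _GENERAL_NAME_TAGS.get(tag, f"[{tag & 0x1F}]")
        if tag == 0x87:
            text = str(ipaddress.ip_address(val))    # packed 4- or 16-byte address
        elif tag & 0x20:                             # constructed choices: keep raw hex
            text = val.hex()
        else:
            text = val.decode("ascii")
        names.append((kind, text))
    return names


def check_san_extension(der: bytes) -> List[Tuple[str, str, bool, str]]:
    """Validate every URI entry of a SAN value; non-URI entries pass through."""
    results = []
    for kind, text in parse_general_names(der):
        ok, reason = (check_san_uri(text) if kind == "uniformResourceIdentifier"
                      else (True, "not a URI entry"))
        results.append((kind, text, ok, reason))
    return results


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


# Constructed sample: the SAN value from the report, encoded as [6] IA5String.
SAN_FROM_REPORT = _tlv(0x30, _tlv(0x86, b"compliance@opcfoundation.org"))
# Constructed, hypothetical replacement using RFC 3986's example URN (not the CTT fix).
SAN_CORRECTED = _tlv(0x30, _tlv(0x86, b"urn:example:animal:ferret:nose"))

if __name__ == "__main__":
    for label, ext in (("report", SAN_FROM_REPORT), ("corrected", SAN_CORRECTED)):
        for kind, text, ok, reason in check_san_extension(ext):
            print(f"{label}: {kind} {text!r} -> {'OK' if ok else 'INVALID'} ({reason})")
```

Run as a script, the report's value is rejected with "relative URI: no scheme", which is exactly the RFC 5280 clause the reporter cites: the string has no scheme, so the colon-delimited grammar in RFC 3986 never matches and a strict verifier treats the whole name as malformed.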

Tags: No tags attached.
Files Affected

Activities

Alexander Allmendinger

2023-05-02 10:33

developer   ~0019258

Updating generated user certificates to be valid certificates. For X509 UserCerts the OPC UA specification doesn't have real requirements, but they need to be legal in their structure to be used. The now generated certificates follow the same structure as the OPCF Digital User Certificates provided by OPCF IT.

Paul Hunkar

2023-05-12 16:08

administrator   ~0019366

Reviewed changes in call, agreed to changes and closed issue.

Issue History

Date Modified Username Field Change
2023-03-21 18:07 Ondrej Flek New Issue
2023-04-13 15:30 Paul Hunkar Assigned To => Alexander Allmendinger
2023-04-13 15:30 Paul Hunkar Status new => assigned
2023-05-02 10:33 Alexander Allmendinger Status assigned => resolved
2023-05-02 10:33 Alexander Allmendinger Resolution open => fixed
2023-05-02 10:33 Alexander Allmendinger Note Added: 0019258
2023-05-12 16:05 Paul Hunkar Project Compliance Test Tool (CTT) Unified Architecture => CTT UA Package
2023-05-12 16:08 Paul Hunkar Status resolved => closed
2023-05-12 16:08 Paul Hunkar Fixed in Version => 1.03.09-01.00.503
2023-05-12 16:08 Paul Hunkar Note Added: 0019366