subversion-commits mailing list archives

From bre...@apache.org
Subject svn commit: r1612775 - in /subversion/branches/svn-auth-x509/subversion: libsvn_subr/x509parse.c tests/libsvn_subr/x509-test.c
Date Wed, 23 Jul 2014 06:17:19 GMT
Author: breser
Date: Wed Jul 23 06:17:19 2014
New Revision: 1612775

URL: http://svn.apache.org/r1612775
Log:
On svn-auth-x509 branch, Deal with T61String/TeletexString encoding.

Actually, I'm just punting on this and doing what everyone else does
which is treat it as ISO-8859-1.  That's what Firefox, OpenLDAP and OpenSSL do.
From testing with my cert that contains an ISO-8859-1 encoded value in a
T61 labeled field, I can't find any major piece of software that doesn't
treat it as ISO-8859-1.  So when in Rome...

* subversion/libsvn_subr/x509parse.c
  (fuzzy_escape): Cleanup the comment.
  (x509name_to_utf8_string): Start treating T61String as ISO-8859-1 and
    expand some comments.

* subversion/tests/libsvn_subr/x509-test.c
  (cert_tests): Enable the T61 test and tweak the comments since the cert
    OpenSSL gave me isn't actually T.61 encoded but is ISO-8859-1.

Modified:
    subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509parse.c
    subversion/branches/svn-auth-x509/subversion/tests/libsvn_subr/x509-test.c

Modified: subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509parse.c
URL: http://svn.apache.org/viewvc/subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509parse.c?rev=1612775&r1=1612774&r2=1612775&view=diff
==============================================================================
--- subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509parse.c (original)
+++ subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509parse.c Wed Jul 23 06:17:19
2014
@@ -560,7 +560,8 @@ x509_skip_ext(const unsigned char **p,
  * svn_xml_fuzzy_escape() and svn_utf_cstring_from_utf8_fuzzy(). 
  * All of the encoding formats somewhat overlap with ascii (BMPString 
  * and UniversalString are actually always wider so you'll end up
- * with a bunch of escaped nul bytes, and T61 ) */
+ * with a bunch of escaped nul bytes, but ideally we don't get here
+ * for those). */
 static const svn_string_t *
 fuzzy_escape(const svn_string_t *src, apr_pool_t *result_pool)
 {
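
Review bot: In the rewritten fuzzy_escape comment, "ideally we don't get here for those" does not say which path is supposed to handle BMPString and UniversalString. Name it (the frompage conversion in x509name_to_utf8_string) so the comment states when this fallback is actually reached.
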
@@ -622,7 +623,8 @@ x509name_to_utf8_string(const x509_name 
       if (svn_utf__is_valid(src_string->data, src_string->len))
         return src_string;
       else
-        /* not a valid UTF-8 string */
+        /* not a valid UTF-8 string, who knows what it is,
+         * so run it through the fuzzy_escape code.  */
         return fuzzy_escape(src_string, result_pool);
       break;
 
@@ -640,10 +642,26 @@ x509name_to_utf8_string(const x509_name 
       frompage = "UCS-4BE";
       break;
 
-      /* TODO: Handle T61String/TeletexString encoding.
-       * This isn't exactly T.61 despite the name.
-       * See: https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt */
+      /* Despite what all the IETF, ISO, ITU bits say everything out
+       * on the Internet that I can find treats this as ISO-8859-1.
+       * Even the name is misleading, it's not actually T.61.  All the
+       * gory details can be found in the Character Sets section of:
+       * https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
+       */
+      case ASN1_T61_STRING:
+      frompage = "ISO-8859-1";
+      break;
 
+      /* This leaves two types out there in the wild.  PrintableString,
+       * which is just a subset of ASCII and IA5 which is ASCII (though
+       * 0x24 '$' and 0x23 '#' may be defined with differnet symbols
+       * depending on the location, in practice it seems everyone just
+       * treats it as ASCII).  Since these are just ASCII run through
+       * the fuzzy_escape code to deal with anything that isn't actually
+       * ASCII.  There shouldn't be any other types here but if we find
+       * a cert with some other cert, the best we can do is the
+       * fuzzy_escape().  Note: Technically IA5 isn't valid in this
+       * context, however in the real world it may pop up. */
       default:
       return fuzzy_escape(src_string, result_pool);
     }
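
Review bot: Control bytes in a T61String may now reach the caller unescaped: the new ASN1_T61_STRING case sets frompage = "ISO-8859-1" and breaks instead of returning fuzzy_escape() like the default case, and ISO-8859-1 maps every byte value to a character, so the conversion never rejects anything (0x00-0x1F and 0x7F-0x9F included). The code after the switch is not visible in this hunk; if it does not escape control characters in the converted result, add that, and add a test cert with such a byte in a T61String field. Two typos in the new default comment: "differnet" should be "different", and "a cert with some other cert" presumably means "some other type".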

Modified: subversion/branches/svn-auth-x509/subversion/tests/libsvn_subr/x509-test.c
URL: http://svn.apache.org/viewvc/subversion/branches/svn-auth-x509/subversion/tests/libsvn_subr/x509-test.c?rev=1612775&r1=1612774&r2=1612775&view=diff
==============================================================================
--- subversion/branches/svn-auth-x509/subversion/tests/libsvn_subr/x509-test.c (original)
+++ subversion/branches/svn-auth-x509/subversion/tests/libsvn_subr/x509-test.c Wed Jul 23
06:17:19 2014
@@ -207,13 +207,12 @@ static struct x509_test cert_tests[] = {
     "2015-07-22T23:02:09.000000Z",
     "6e2cd969350979d3741b9abb66c71159a94ff971"
   },
-#if 0 /* turned off for now because I haven't figured out how to deal with
-         a T.61 encoded certs that have something other than just ASCII */
   /* The issuer and subject (except for the country code) is T61String
    * (aka TeletexString) encoded.  Created with openssl using utf8=yes
    * and string_mask=MASK:4.  Note that the example chosen specifically
    * includes the Norwegian OE (slashed O) to highlight that this is
-   * not ISO-8859-1.  See the following for the horrible details on
+   * being treated as ISO-8859-1 despite what the X.509 says.
+   * See the following for the horrible details on
    * this encoding: https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
    */
   { "MIIDnTCCAoWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET"
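
Review bot: The reworded comment above the T61 test cert is hard to parse ("to highlight that this is being treated as ISO-8859-1 despite what the X.509 says") and does not say what the log message does, that the field is labelled T61String but its bytes are ISO-8859-1. Suggest stating that directly, and noting that a genuinely T.61-encoded non-ASCII value is not covered by this test.
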
@@ -242,7 +241,6 @@ static struct x509_test cert_tests[] = {
     "2015-07-22T23:44:18.000000Z",
     "787d1577ae77b79649d8f99cf4ed58a332dc48da"
   },
-#endif
   { NULL }
 };
 
@@ -287,7 +285,6 @@ compare_results(struct x509_test *xt,
 {
   const char *v;
 
-#if 1
   v = svn_hash_gets(certinfo, SVN_X509_CERTINFO_KEY_SUBJECT);
   if (!v)
     return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
@@ -307,7 +304,7 @@ compare_results(struct x509_test *xt,
                              "Issuer didn't match for cert '%s', "
                              "expected '%s', got '%s'", xt->subject,
                              xt->issuer, v);
-#endif
+
   SVN_ERR(compare_dates(xt->valid_from,
                         svn_hash_gets(certinfo,
                                       SVN_X509_CERTINFO_KEY_VALID_FROM),


