rustls / rcgen

Generate X.509 certificates

Ia5String support

darkseid-is opened this issue

Add support for Ia5String in Distinguished Name. Thank you.

What's your use case? Why do you need this?

Trying to create CertificateParams using from_ca_cert_der. The existing certificate contains subject in Ia5String format. Thank You.

Why is it important to you that the generated certificate has the same type as the existing certificate?

The type doesn't matter, but https://docs.rs/rcgen/latest/rcgen/struct.CertificateParams.html#method.from_ca_cert_der fails to parse the certificate if subject is of type Ia5String.

Can you share the certificate? I would expect most certificate subjects to contain organization names, or common names, and those are defined in RFC 5280 as choices of string types that don't include Ia5String. Does the subject contain something unusual like a DomainComponent or is it misencoded?

Here is the certificate

Thanks!

It's the emailAddress attribute in the subject causing trouble:

      SET {
        SEQUENCE {
          # emailAddress
          OBJECT_IDENTIFIER { 1.2.840.113549.1.9.1 }
          IA5String { "contact@www.webhosting.htb" }
        }
      }

5280 mentions:

Implementers should note that the at sign ('@') and underscore ('_')
characters are not supported by the ASN.1 type PrintableString.
These characters often appear in Internet addresses.  Such addresses
MUST be encoded using an ASN.1 type that supports them.  They are
usually encoded as IA5String in either the emailAddress attribute
within a distinguished name or the rfc822Name field of GeneralName.

I believe IA5String is equivalent to ASCII so I think it would be feasible to implement support without too much work.
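
The RDN dumped above can be walked with a few lines of std-only Rust to show why the string tag matters: the same emailAddress value is accepted as IA5String and rejected as PrintableString because of the '@'. This is an added example, not part of the thread and not rcgen's code; `DnString`, `parse_email_rdn` and `sample_rdn` are hypothetical names, and the DER bytes are constructed here from the dump.

```rust
// Added example, not rcgen code. DER tags per X.690: 0x13 PrintableString,
// 0x16 IA5String, 0x0c UTF8String. Handles short-form lengths only.
#[derive(Debug, PartialEq)]
enum DnString { Printable(String), Ia5(String), Utf8(String) }

// Body of OID 1.2.840.113549.1.9.1 (emailAddress), as dumped on the page.
const EMAIL_OID: [u8; 9] = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01];

/// Read one TLV and return (tag, value, remaining bytes).
fn tlv(b: &[u8]) -> Result<(u8, &[u8], &[u8]), &'static str> {
    let (tag, len) = (*b.get(0).ok_or("truncated")?, *b.get(1).ok_or("truncated")?);
    if len & 0x80 != 0 { return Err("long-form length"); }
    let end = 2 + len as usize;
    Ok((tag, b.get(2..end).ok_or("truncated")?, &b[end..]))
}

fn printable_ok(c: u8) -> bool { c.is_ascii_alphanumeric() || b" '()+,-./:=?".contains(&c) }

/// Parse SET { SEQUENCE { emailAddress, string } }, enforcing each type's alphabet.
fn parse_email_rdn(der: &[u8]) -> Result<DnString, &'static str> {
    let (t_set, set, _) = tlv(der)?;
    let (t_seq, seq, _) = tlv(set)?;
    let (t_oid, oid, rest) = tlv(seq)?;
    if (t_set, t_seq, t_oid) != (0x31, 0x30, 0x06) { return Err("unexpected structure"); }
    if oid != &EMAIL_OID[..] { return Err("not emailAddress"); }
    let (tag, val, _) = tlv(rest)?;
    let s = String::from_utf8(val.to_vec()).map_err(|_| "invalid UTF-8")?;
    match tag {
        0x13 if val.iter().all(|&c| printable_ok(c)) => Ok(DnString::Printable(s)),
        0x13 => Err("character outside PrintableString"),
        0x16 if val.is_ascii() => Ok(DnString::Ia5(s)),
        0x16 => Err("non-ASCII in IA5String"),
        0x0c => Ok(DnString::Utf8(s)),
        _ => Err("unsupported string type"),
    }
}

/// Constructed sample: an emailAddress RDN whose value carries the given string tag.
fn sample_rdn(tag: u8, s: &str) -> Vec<u8> {
    let seq = [&[0x06u8, 0x09][..], &EMAIL_OID[..], &[tag, s.len() as u8][..], s.as_bytes()].concat();
    let mut set = vec![0x31, seq.len() as u8 + 2, 0x30, seq.len() as u8];
    set.extend(seq);
    set
}

fn main() {
    let email = "contact@www.webhosting.htb";
    println!("{:?}", parse_email_rdn(&sample_rdn(0x16, email))); // accepted as IA5String
    println!("{:?}", parse_email_rdn(&sample_rdn(0x13, email))); // rejected: '@' is not Printable
}
```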

@darkseid-is with the code in #182 I'm able to use CertificateParams::from_ca_cert_der with your example certificate without error.

This is fixed in the main branch.

Thanks for the fix, guys.