#40 x509 cert string type mangling breaks chains

Reviewed by: Cody Peter Mello <[email protected]>
Approved by: Cody Peter Mello <[email protected]>

lib/identity.js

@@ -136,14 +136,25 @@ Identity.prototype.toAsn1 = function (der, tag) {
 		/*
 		 * If we fit in a PrintableString, use that. Otherwise use an
 		 * IA5String or UTF8String.
+		 *
+		 * If this identity was parsed from a DN, use the ASN.1 types
+		 * from the original representation (otherwise this might not
+		 * be a full match for the original in some validators).
 		 */
-		if (c.value.match(NOT_IA5)) {
+		if (c.asn1type === asn1.Ber.Utf8String ||
+		    c.value.match(NOT_IA5)) {
 			var v = new Buffer(c.value, 'utf8');
 			der.writeBuffer(v, asn1.Ber.Utf8String);
-		} else if (c.value.match(NOT_PRINTABLE)) {
+
+		} else if (c.asn1type === asn1.Ber.IA5String ||
+		    c.value.match(NOT_PRINTABLE)) {
 			der.writeString(c.value, asn1.Ber.IA5String);
+
 		} else {
-			der.writeString(c.value, asn1.Ber.PrintableString);
+			var type = asn1.Ber.PrintableString;
+			if (c.asn1type !== undefined)
+				type = c.asn1type;
+			der.writeString(c.value, type);
 		}
 		der.endSequence();
 		der.endSequence();
@@ -253,7 +264,7 @@ Identity.parseAsn1 = function (der, top) {
 		default:
 			throw (new Error('Unknown asn1 type ' + type));
 		}
-		components.push({ oid: oid, value: value });
+		components.push({ oid: oid, asn1type: type, value: value });
 		der._offset = after;
 	}
 	der._offset = end;

test/assets/jim-x509-utf8.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5zCCAVACCQDOUqSuHM0PuzANBgkqhkiG9w0BAQsFADA4MQ0wCwYDVQQKDAR0
+ZXN0MQ8wDQYDVQQLDAZmb29iYXIxFjAUBgNVBAMMDWEgdGVzdCBzdHJpbmcwHhcN
+MTcxMjA4MDA0NzA3WhcNMjcxMjA2MDA0NzA3WjA4MQ0wCwYDVQQKDAR0ZXN0MQ8w
+DQYDVQQLDAZmb29iYXIxFjAUBgNVBAMMDWEgdGVzdCBzdHJpbmcwgZ8wDQYJKoZI
+hvcNAQEBBQADgY0AMIGJAoGBANWaXdgNWqKYXJWAryuAQSK0D74arruteq8pXjRX
+kaVPs4ZAv6LTOtfyKQtHwikK9VyzfsXvwqiEX3AOPznieRxQJs2HQmKGivcjlpiW
+m8QWU7hLyeNXD0o6tj4v3/QAtEArpQ73qBPBE5bmj/yC3IPFQnEQXYOJbN6C6ZAl
+bVI3AgMBAAEwDQYJKoZIhvcNAQELBQADgYEAIfBM7JsAzvT90Q2L4dcjxG4Vu3ER
+7+NqKJJmab4SW6FmKLGK/E5h4VPmU9JaqdW2xco9vfNYshmLOSHQaeq2ZiEm0Xpv
+2qOu235UxeafBnEAbnz+pRaldPFhuRWWX9Krn/YkeE7I/wcojkNZiI1E1aaRmvGL
+5oTaYabrqnKdDE0=
+-----END CERTIFICATE-----

test/openssl-cmd.js

@@ -391,6 +391,60 @@ function genTests() {
 	});
 });
 
+test('utf8string in issuer DN (#40)', function (t) {
+	var pem = fs.readFileSync(path.join(testDir, 'id_rsa'));
+	var ikey = sshpk.parsePrivateKey(pem, 'pkcs1');
+
+	var certpem = fs.readFileSync(path.join(testDir, 'jim-x509-utf8.pem'));
+	var issucert = sshpk.parseCertificate(certpem, 'pem');
+
+	var issuid = issucert.subjects[0];
+	var id = sshpk.identityFromDN('cn=foo_bar@');
+	var key = sshpk.generatePrivateKey('ecdsa');
+
+	var cert = sshpk.createCertificate(issuid, ikey, id, key);
+	var certPem = cert.toBuffer('pem');
+
+	var kid = spawn('openssl', ['asn1parse']);
+	var bufs = [];
+	kid.stdout.on('data', bufs.push.bind(bufs));
+	kid.on('close', function (rc) {
+		t.equal(rc, 0, 'openssl exited with 0 status');
+		var output = Buffer.concat(bufs).toString('utf8');
+		var lines = output.split('\n');
+		var foundString = false;
+		lines.forEach(function (line) {
+			if (line.indexOf('foo_bar@') !== -1) {
+				t.strictEqual(
+				    line.indexOf('PRINTABLESTRING'),
+				    -1, 'subject CN is printablestring');
+				t.strictEqual(
+				    line.indexOf('UTF8STRING'), -1,
+				    'subject CN is not utf8string');
+				t.notStrictEqual(
+				    line.indexOf('IA5STRING'), -1,
+				    'subject CN is not ia5string');
+			}
+			if (line.indexOf('a test string') !== -1) {
+				t.notStrictEqual(
+				    line.indexOf('UTF8STRING'),
+				    -1, 'issuer CN is utf8string');
+				t.strictEqual(
+				    line.indexOf('PRINTABLESTRING'), -1,
+				    'issuer CN is not printablestring');
+				t.strictEqual(
+				    line.indexOf('IA5STRING'), -1,
+				    'issuer CN is not ia5string');
+				foundString = true;
+			}
+		});
+		t.ok(foundString, 'found the issuer CN');
+		t.end();
+	});
+	kid.stdin.write(certPem);
+	kid.stdin.end();
+});
+
 test('teardown', function (t) {
     temp.cleanup(function () {
         t.end();