handle parsing of "incomplete" X.509 certificates like MRI does (fixes #42)

kares · kares · commit 0fe8de8cb5e6 · 2015-05-28T13:47:47.000+02:00
... signatureAlgOID: 0.0 seems to map to "itu-t" value under C OpenSSL

while this NPEs in 0.9.7 it somehow parsed without noiz in 0.9.6
diff --git a/src/main/java/org/jruby/ext/openssl/X509Cert.java b/src/main/java/org/jruby/ext/openssl/X509Cert.java
@@ -211,8 +211,21 @@ private void initialize(final ThreadContext context, final byte[] encoded, final
         this.issuer = X509Name.newName(runtime, cert.getIssuerX500Principal());
         this.version = RubyFixnum.newFixnum(runtime, cert.getVersion() - 1);
         String sigAlgorithm = cert.getSigAlgOID();
+
         if ( sigAlgorithm == null ) sigAlgorithm = cert.getSigAlgName(); // e.g. SHA256withRSA
-        else sigAlgorithm = ASN1.oid2name(runtime, sigAlgorithm); // "hot" path e.g. sha256WithRSAEncryption
+        else {
+            sigAlgorithm = ASN1.oid2name(runtime, new ASN1ObjectIdentifier(sigAlgorithm), true);
+            if ( sigAlgorithm == null ) {
+                sigAlgorithm = "itu-t"; // MRI compability ... the "crazy" parts
+                // for some certificates that MRI parses,
+                // we get getSigAlgOID() == getSigAlgName() == "0.0"
+
+                if ( cert.getSigAlgName() != null && ! cert.getSigAlgOID().equals(cert.getSigAlgName()) ) {
+                    sigAlgorithm = cert.getSigAlgName(); // not sure if it makes any sense
+                }
+            }
+
+        } // "hot" path e.g. sha256WithRSAEncryption
         this.sig_alg = RubyString.newString(runtime, sigAlgorithm);
 
         final Set<String> criticalExtOIDs = cert.getCriticalExtensionOIDs();
diff --git a/src/test/ruby/x509/test_x509cert.rb b/src/test/ruby/x509/test_x509cert.rb
@@ -275,6 +275,12 @@ def test_to_text_regression
     assert cert.to_text.index('Signature Algorithm: sha256WithRSAEncryption')
   end
 
+  def test_cert_loading_regression
+    cert_text = "0\x82\x01\xAD0\x82\x01\xA1\xA0\x03\x02\x01\x02\x02\x01\x010\x03\x06\x01\x000g1\v0\t\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\b\f\nCalifornia1\x150\x13\x06\x03U\x04\a\f\fSanta Monica1\x110\x0F\x06\x03U\x04\n\f\bOneLogin1\x190\x17\x06\x03U\x04\x03\f\x10app.onelogin.com0\x1E\x17\r100309095845Z\x17\r150309095845Z0g1\v0\t\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\b\f\nCalifornia1\x150\x13\x06\x03U\x04\a\f\fSanta Monica1\x110\x0F\x06\x03U\x04\n\f\bOneLogin1\x190\x17\x06\x03U\x04\x03\f\x10app.onelogin.com0\x81\x9F0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\x05\x00\x03\x81\x8D\x000\x81\x89\x02\x81\x81\x00\xE8\xD2\xBBW\xE3?/\x1D\xE7\x0E\x10\xC8\xBD~\xCD\xDE!#\rL\x92G\xDF\xE1f?L\xB1\xBC9\x99\x14\xE5\x84\xD2Zi\x87<>d\xBD\x81\xF9\xBA\x85\xD2\xFF\xAA\x90\xF3Z\x97\xA5\x1D\xB0W\xC0\x93\xA3\x06IP\xB84\xF5\xD7Qu\x19\xFCB\xCA\xA3\xD4\\\x8E\v\x9B%\x13|\xB6m\x9D\xA8\x16\xE6\xBB\xDA\x87\xFF\xE3\xD7\xE9\xBA9\xC5O\xA2\xA7C\xADB\x04\xCA\xA5\x0E\x84\xD0\xA8\xE4\xFA\xDA\xF1\x89\xF2s\xFA1\x95\xAF\x03\xAB1\xAA\xE7y\x02\x03\x01\x00\x010\x03\x06\x01\x00\x03\x01\x00"
+    assert cert = OpenSSL::X509::Certificate.new(cert_text)
+    assert cert.to_text.index('itu-t')
+  end
+
   TEST_KEY_RSA1024 = <<-_end_of_pem_
 -----BEGIN RSA PRIVATE KEY-----
 MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx
