Corrupt CSR generated

[technion]

Environment

jruby 9.1.2.0 (2.3.0) 2016-05-26 7357c8f OpenJDK 64-Bit Server VM 25.102-b14 on 1.8.0_102-b14 +jit [linux-x86_64]
Arch Linux, jRuby installed from AUR.

Linux linodeplz 4.4.0-2-ec2 #1 SMP Thu Jan 21 09:52:26 PST 2016 x86_64 GNU/Linux

Other relevant info you may wish to add:
This issue showed up in part of a Sinatra application, but has been reduced to a minimal test case.

Expected Behavior

Generate a CSR using the script from this gist. Then use OpenSSL to view.

https://gist.github.com/technion/0e63d42299cc3d91f387d41e9e5c2c74

Under MRI 2.3.1, we can observe this behaviour:

$ ./ssltest.rb > mycsr.csr
$ openssl req -in mycsr.csr -noout -text | more
...
            X509v3 Subject Alternative Name:
                DNS:test.example.com, DNS:test2.example.com, DNS:example.com, DNS:www.example.com

It can be observed that the "Subject Alternative Name" field correctly matches those defined on line 13 of the gist.

Actual Behavior

When recreating the above test:

$ jruby ./ssltest.rb > mycsr.csr
$ openssl req -in mycsr.csr -noout -text | more
...
           X509v3 Subject Alternative Name:
                .N test.example.com,DNS: test2.example.com,DNS: example.com,DNS: www.example.com

You can observe that the first 'DNS' field is broken, and the data appears to have different spacing

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[technion]

Just an update: I've tested with jRuby 9.1.4.0 and the issue still occurs.

The specific corruption appears to vary depending on the exact domainlist value. I've seen numbers and all sorts of strange characters appear.

[jmcclell]

We are seeing this same issue with generating certs.

We see the same issue with Subject Alternative Name and we also see that the Authority Key Identifier, which is generally a hash value, appears to be binary garbage in the output we are seeing from this library.

jruby 1.7.26 (1.9.3p551) 2016-08-26 69763b8 on OpenJDK 64-Bit Server VM 1.7.0_111-b01 +jit [linux-amd64]

(This is the JRuby bundled with PuppetServer)

[duritong]

I can confirm these behavior together with multiple fields. As a reference you can see all the disabled tests for trocla and x509 for jruby

• https://github.com/duritong/trocla/blob/master/spec/trocla/formats/x509_spec.rb#L187-L189
• https://github.com/duritong/trocla/blob/master/spec/trocla/formats/x509_spec.rb#L196-L198
• https://github.com/duritong/trocla/blob/master/spec/trocla/formats/x509_spec.rb#L227-L229
• https://github.com/duritong/trocla/blob/master/spec/trocla/formats/x509_spec.rb#L280-L282

This makes openssl support on jruby barely usable and as a CA completely unusable.

[kares]

it should be fixable but it might need some hacking around x.509 support jossl uses from bouncy-castle.

[kares]

subjectAltName and authorityKeyIdentifier should work better since 0.9.18 but extensions such as nameConstraints are currently not supported (and will likely require a considerable amount of work thus help/support is welcome), please open separate issue(s) for these.