Bug 67926 - PEMFile prints unidentifiable string representation of ASN.1 OIDs
Summary: PEMFile prints unidentifiable string representation of ASN.1 OIDs
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: 9.0.82
Hardware: All All
Importance: P2 enhancement
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords: Beginner
Depends on:
Blocks:
 
Reported: 2023-10-25 09:39 UTC by Michael Osipov
Modified: 2023-10-31 11:20 UTC
Description Michael Osipov 2023-10-25 09:39:35 UTC
The following pattern is used:
> sm.getString("pemFile....", HexUtils.toHexString(oidBytes))

The result is a hex string which is not helpful. The ASN.1 DER encoding of an OID should be converted to a dotted string representation for users.

Affected keys:
pemFile.unknownEncryptionAlgorithm
pemFile.unknownPkcs8Algorithm
pemFile.notPbkdf2
pemFile.unknownPrfAlgorithm

Howto: https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-object-identifier?redirectedfrom=MSDN

Reference: https://lists.apache.org/thread/2x709tc8ms5jnd1s6drf3pons009sqdl

E.g. for DES_EDE3_CBC as 1.2.840.113549.3.7 the output would be: 2a864886f70d0307. Not very helpful.
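As an added illustration of the conversion the report asks for (not Tomcat's code, and not the org.ietf.jgss.Oid class discussed later), the following decoder turns the DER content octets of an OBJECT IDENTIFIER into its dotted form: the first octet packs the first two arcs as 40*X + Y, and every later arc is a big-endian base-128 number whose continuation bit (0x80) marks all but its last octet. The sample bytes are the DES_EDE3_CBC value quoted above; the TLV-wrapped variant and the error cases are constructed for the example.

```python
# Added example, not from Tomcat: decode a DER-encoded ASN.1 OBJECT IDENTIFIER
# (the bytes PEMFile currently prints as hex) into dotted-decimal notation.

def decode_oid_content(content: bytes) -> str:
    """Decode OID content octets (tag and length already stripped)."""
    if not content:
        raise ValueError("empty OID content")
    if content[-1] & 0x80:
        # the last octet of every subidentifier has the continuation bit clear
        raise ValueError("truncated OID: last octet has continuation bit set")
    arcs = []
    value = 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue  # more base-128 digits of this subidentifier follow
        if not arcs:
            # first subidentifier encodes arcs 0 and 1 together as 40*X + Y;
            # X is at most 2, and for X == 2 the Y arc may exceed 39
            if value < 80:
                arcs.extend((value // 40, value % 40))
            else:
                arcs.extend((2, value - 80))
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def decode_oid_tlv(der: bytes) -> str:
    """Decode a complete OID TLV: tag 0x06, DER length, then content octets."""
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER TLV")
    length = der[1]
    start = 2
    if length & 0x80:  # long-form length: low 7 bits give the octet count
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        start = 2 + n
    if len(der) != start + length:
        raise ValueError("OID TLV length does not match the data")
    return decode_oid_content(der[start:])


# Sample from the report: DES_EDE3_CBC, hex 2a864886f70d0307
DES_EDE3_CBC = bytes.fromhex("2a864886f70d0307")

if __name__ == "__main__":
    print(decode_oid_content(DES_EDE3_CBC))  # 1.2.840.113549.3.7
```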
Comment 1 Mark Thomas 2023-10-25 09:46:09 UTC
Whether the user is provided with the OID in string or byte form doesn't change the fact that the PEM file isn't going to be usable.

The byte string is sufficient for us to diagnose the issue (and matches what Tomcat uses internally).

I wasn't (and still am not) convinced it was worth the effort to provide byte to string conversion for OIDs just for the error messages.

That said, if you want to write a byte to String formatter for OIDs then I'm not going to object.
Comment 2 Michael Osipov 2023-10-25 09:53:54 UTC
(In reply to Mark Thomas from comment #1)
> Whether the user is provided with the OID in string or byte form doesn't
> change the fact that the PEM file isn't going to be usable.
> 
> The byte string is sufficient for us to diagnose the issue (and matches what
> Tomcat uses internally).
> 
> I wasn't (and still aren't) convinced it was worth the effort to provide
> byte to string conversion for OIDs just for the error messages.
> 
> That said, if you want to write a byte to String formatter for OIDs then I'm
> not going to object.

Agree, but from a user's PoV it makes it much much easier to search online or here: http://www.oid-info.com/

Let's leave it as an enhancement.
Comment 3 Michael Osipov 2023-10-26 06:25:10 UTC
I think the easiest solution is to use org.ietf.jgss.Oid.Oid(byte[]) and then invoke #toString().
Comment 4 Mark Thomas 2023-10-26 22:33:05 UTC
+1 - we are already using that class in the SPNEGO authenticator
Comment 5 Michael Osipov 2023-10-27 07:26:21 UTC
(In reply to Mark Thomas from comment #4)
> +1 - we are already using that class in the SPNEGO authenticator

I'll try to prepare a PR for this.
Comment 6 Michael Osipov 2023-10-31 11:20:29 UTC
Fixed in:
- main for 11.0.0-M14 and onwards
- 10.1.x for 10.1.16 and onwards
- 9.0.x for 9.0.83 and onwards
- 8.5.x for 8.5.96 and onwards