openssl "string too long" #220

Open
horsmand opened this issue Nov 6, 2020 · 0 comments
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@horsmand
Contributor

horsmand commented Nov 6, 2020

When using openssl to generate certificates, there are limits on how long the common name, organization, and organizational unit strings can be. Our code that is utilizing openssl to generate certificates doesn't have any of these validations, so it's possible for the Lambda to fail while attempting to create the certificate.

Reproduction Steps

  1. Create an X509CertificatePem, giving it a common name longer than 64 characters
  2. Attempt a cdk deploy

Error Log

This output is from running the integration tests found in the integ directory:

  66/101 | 11:46:49 PM | CREATE_FAILED        | Custom::RFDK_X509Generator                  | RenderStructWFS1/RenderQueueCertPEM1604523630410737353/Default/Default (RenderStructWFS1RenderQueueCertPEM16045236304107373535BCBE002) Failed to create resource. Command failed: openssl req -passout env:CERT_PASSPHRASE -newkey rsa:2048 -days 1095 -out /tmp/tmp.WaO7Ph/cert.csr -keyout /tmp/tmp.WaO7Ph/cert.key -subj /CN=renderqueue.RFDKInteg-WFS1-ComponentTier1604523630410737353.local/O=AWS/OU=Thinkbox
Generating a 2048 bit RSA private key
........................................................+++
.............................................................+++
unable to write 'random state'
writing new private key to '/tmp/tmp.WaO7Ph/cert.key'
-----
problems making Certificate Request
139781724301216:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=64

Error: Command failed: openssl req -passout env:CERT_PASSPHRASE -newkey rsa:2048 -days 1095 -out /tmp/tmp.WaO7Ph/cert.csr -keyout /tmp/tmp.WaO7Ph/cert.key -subj /CN=renderqueue.RFDKInteg-WFS1-ComponentTier1604523630410737353.local/O=AWS/OU=Thinkbox
Generating a 2048 bit RSA private key
........................................................+++
..

Environment

The openssl command is being run inside a Lambda using AL2 with the Lambda layer published by RFDK, which installs "OpenSSL 1.0.2k-fips for Amazon Linux 2".

Other

Fixing this should include doing the validation for any other constraints put on the fields of a distinguished name.


This is a 🐛 Bug Report
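As an added example that is not RFDK's own code, this is one way to do the validation the report asks for, in TypeScript, so that an over-long or malformed value is rejected in the Lambda's own code with a readable message instead of failing inside openssl's ASN.1 encoder. The `DistinguishedName` shape, the function names and the escaping of `+` are assumptions; the per-attribute limits are the RFC 5280 Appendix A upper bounds, which are the values openssl's string table enforces (the `maxsize=64` in the log above is `ub-common-name`). `emailAddress` is left out because OpenSSL's compiled-in bound for it differs from the RFC's.

```typescript
// Added example (not RFDK's own code): check X.509 distinguished-name
// attribute values before they reach `openssl req -subj`, so the failure
// happens in our code instead of as
// "ASN1_mbstring_ncopy:string too long ... maxsize=64".

interface DistinguishedName {
  readonly cn: string;   // commonName (CN), required
  readonly o?: string;   // organizationName (O)
  readonly ou?: string;  // organizationalUnitName (OU)
  readonly c?: string;   // countryName (C)
  readonly st?: string;  // stateOrProvinceName (ST)
  readonly l?: string;   // localityName (L)
}

// Character limits from RFC 5280 Appendix A (the "ub-*" upper bounds), which
// openssl enforces. Every attribute also has a minimum of 1: openssl rejects
// empty values with "string too short".
const LIMITS: ReadonlyArray<{ key: keyof DistinguishedName; type: string; min: number; max: number }> = [
  { key: 'cn', type: 'CN', min: 1, max: 64 },   // ub-common-name
  { key: 'o',  type: 'O',  min: 1, max: 64 },   // ub-organization-name
  { key: 'ou', type: 'OU', min: 1, max: 64 },   // ub-organizational-unit-name
  { key: 'c',  type: 'C',  min: 2, max: 2 },    // countryName: exactly 2 characters
  { key: 'st', type: 'ST', min: 1, max: 128 },  // ub-state-name
  { key: 'l',  type: 'L',  min: 1, max: 128 },  // ub-locality-name
];

// Count Unicode code points rather than UTF-16 units: openssl's bound is on
// characters of the decoded string. For ASCII both counts agree; for
// non-ASCII the count openssl sees also depends on how the -subj bytes are
// decoded (`-utf8` or not), so counting code points is the conservative choice.
function charLength(value: string): number {
  return Array.from(value).length;
}

// Returns human-readable problems; an empty array means the DN is acceptable.
function validateDistinguishedName(dn: DistinguishedName): string[] {
  const problems: string[] = [];
  for (const { key, type, min, max } of LIMITS) {
    const value = dn[key];
    if (value === undefined) continue;
    const n = charLength(value);
    if (n < min || n > max) {
      const range = min === max ? `exactly ${min}` : `${min}-${max}`;
      problems.push(`${type} must be ${range} characters, got ${n}`);
    }
  }
  return problems;
}

// Escape the characters the -subj parser treats specially: `\` (escape),
// `/` (RDN separator) and, in newer OpenSSL releases, `+` (multi-value RDN
// separator). Without this a value like "a/O=evil" would be parsed as an
// extra RDN rather than as part of the CN. Treating `+` this way is an
// assumption that is harmless on 1.0.2, where `\+` simply yields `+`.
function escapeSubjValue(value: string): string {
  return value.replace(/[\\/+]/g, (ch) => `\\${ch}`);
}

// Build the -subj argument, throwing on any constraint violation so the
// Lambda fails before it ever spawns the openssl command.
function buildSubjArg(dn: DistinguishedName): string {
  const problems = validateDistinguishedName(dn);
  if (problems.length > 0) {
    throw new Error(`Invalid distinguished name: ${problems.join('; ')}`);
  }
  return LIMITS
    .filter(({ key }) => dn[key] !== undefined)
    .map(({ key, type }) => `/${type}=${escapeSubjValue(dn[key] as string)}`)
    .join('');
}

// The CN from the integration-test log above is 65 characters, one over
// ub-common-name, so this reports exactly one problem.
const ISSUE_CN = 'renderqueue.RFDKInteg-WFS1-ComponentTier1604523630410737353.local';
const ISSUE_CN_PROBLEMS = validateDistinguishedName({ cn: ISSUE_CN, o: 'AWS', ou: 'Thinkbox' });
```

`buildSubjArg` is the call site to use in place of string concatenation when assembling the `openssl req` command; it returns the same `/CN=.../O=AWS/OU=Thinkbox` form the log shows for valid input and throws otherwise.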

@horsmand horsmand added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 6, 2020