Discrepancy in ASN1 parsing

[segiddins]

Running the following:

#!/usr/bin/env ruby

require "openssl"

cert = OpenSSL::X509::Certificate.new(<<~PEM)
-----BEGIN CERTIFICATE-----
MIIGtjCCBj2gAwIBAgIUc7zfSZuHHT3Rsf/igttvd1CD3x8wCgYIKoZIzj0EAwMw
NzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl
cm1lZGlhdGUwHhcNMjQxMjA5MTA1MjA3WhcNMjQxMjA5MTEwMjA3WjAAMFkwEwYH
KoZIzj0CAQYIKoZIzj0DAQcDQgAERTzd/PLB8h9sijCoBqAbxu5zCSXqOwxMl5Ip
t5V0/chRi8jOpq2XogiBNWWPfahjPnfKxJbAOyJqoxXytHURuaOCBVwwggVYMA4G
A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUls1k
ayrCVCxiMfIAlC0Ax/pBzq8wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y
ZD8wYwYDVR0RAQH/BFkwV4ZVaHR0cHM6Ly9naXRodWIuY29tL2xvc3Rpc2xhbmQv
ZmFyYWRheS8uZ2l0aHViL3dvcmtmbG93cy9wdWJsaXNoLnltbEByZWZzL3RhZ3Mv
djIuMTIuMjA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0
aHVidXNlcmNvbnRlbnQuY29tMBUGCisGAQQBg78wAQIEB3JlbGVhc2UwNgYKKwYB
BAGDvzABAwQoYTljZjAwNDI1ZTNhYmM5OWI3ODk1MmFmNDRkZWIyOTEyYTY1YTg4
MjAVBgorBgEEAYO/MAEEBAdQdWJsaXNoMCAGCisGAQQBg78wAQUEEmxvc3Rpc2xh
bmQvZmFyYWRheTAfBgorBgEEAYO/MAEGBBFyZWZzL3RhZ3MvdjIuMTIuMjA7Bgor
BgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29u
dGVudC5jb20wZQYKKwYBBAGDvzABCQRXDFVodHRwczovL2dpdGh1Yi5jb20vbG9z
dGlzbGFuZC9mYXJhZGF5Ly5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJl
ZnMvdGFncy92Mi4xMi4yMDgGCisGAQQBg78wAQoEKgwoYTljZjAwNDI1ZTNhYmM5
OWI3ODk1MmFmNDRkZWIyOTEyYTY1YTg4MjAdBgorBgEEAYO/MAELBA8MDWdpdGh1
Yi1ob3N0ZWQwNQYKKwYBBAGDvzABDAQnDCVodHRwczovL2dpdGh1Yi5jb20vbG9z
dGlzbGFuZC9mYXJhZGF5MDgGCisGAQQBg78wAQ0EKgwoYTljZjAwNDI1ZTNhYmM5
OWI3ODk1MmFmNDRkZWIyOTEyYTY1YTg4MjAhBgorBgEEAYO/MAEOBBMMEXJlZnMv
dGFncy92Mi4xMi4yMBYGCisGAQQBg78wAQ8ECAwGNDE3Mzg5MC0GCisGAQQBg78w
ARAEHwwdaHR0cHM6Ly9naXRodWIuY29tL2xvc3Rpc2xhbmQwFwYKKwYBBAGDvzAB
EQQJDAcyNjEzNDY0MGUGCisGAQQBg78wARIEVwxVaHR0cHM6Ly9naXRodWIuY29t
L2xvc3Rpc2xhbmQvZmFyYWRheS8uZ2l0aHViL3dvcmtmbG93cy9wdWJsaXNoLnlt
bEByZWZzL3RhZ3MvdjIuMTIuMjA4BgorBgEEAYO/MAETBCoMKGE5Y2YwMDQyNWUz
YWJjOTliNzg5NTJhZjQ0ZGViMjkxMmE2NWE4ODIwFwYKKwYBBAGDvzABFAQJDAdy
ZWxlYXNlMFkGCisGAQQBg78wARUESwxJaHR0cHM6Ly9naXRodWIuY29tL2xvc3Rp
c2xhbmQvZmFyYWRheS9hY3Rpb25zL3J1bnMvMTIyMzQwOTIyMTkvYXR0ZW1wdHMv
MTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBiQYKKwYBBAHWeQIEAgR7BHkAdwB1
AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABk6sMQLsAAAQDAEYw
RAIgKYWv654Z8Mnp8M0siTvvpETH3o1U5rO2mNtqNGdflgwCIBmlPpdHwvt2qxeG
hgWCWxPLtmxaKDDjtU2jkE3ustt6MAoGCCqGSM49BAMDA2cAMGQCMAJI0G92YXn9
BfgGqcLt6Jg7uPNDP3topBtnMgugHbZ0cc145spRntCz0AIZm4FCHwIwHJjVVWWj
q1lX7mpMeg1XnBqE6+eGQ7/V9i8UGfKptZSHUP2gYzL06UJw1FLaKYD2
-----END CERTIFICATE-----
PEM
  
san = cert.find_extension("subjectAltName")
pp san.value
oid, universion, octet_string = OpenSSL::ASN1.decode(san.to_der).value
pp OpenSSL::ASN1.decode(octet_string.value)

yields

**********************************************************************************************************************************************************************************
--------------------------------------------------------------------3.4 (ruby 3.4.1) -> exit status 0 in 60ms--------------------------------------------------------------------
"URI:https://github.com/lostisland/faraday/.github/workflows/publish.yml@refs/tags/v2.12.2"
#<OpenSSL::ASN1::Sequence:0x0000000104c260f0
 @indefinite_length=false,
 @tag=16,
 @tag_class=:UNIVERSAL,
 @tagging=nil,
 @value=
  [#<OpenSSL::ASN1::ASN1Data:0x0000000104c26230
    @indefinite_length=false,
    @tag=6,
    @tag_class=:CONTEXT_SPECIFIC,
    @value=
     "https://github.com/lostisland/faraday/.github/workflows/publish.yml@refs/tags/v2.12.2">]>
--------------------------------------------------------------------3.4 (ruby 3.4.1) -> exit status 0 in 60ms--------------------------------------------------------------------
**********************************************************************************************************************************************************************************

**********************************************************************************************************************************************************************************
------------------------------------------------------------jruby-9.4.12.0 (jruby 9.4.12.0) -> exit status 0 in 1.716s------------------------------------------------------------
"URI:https://github.com/lostisland/faraday/.github/workflows/publish.yml@refs/tags/v2.12.2"
#<OpenSSL::ASN1::Sequence:0x554d040d
 @indefinite_length=false,
 @tag=16,
 @tag_class=:UNIVERSAL,
 @tagging=nil,
 @value=
  [#<OpenSSL::ASN1::ASN1Data:0x663622b1
    @tag=6,
    @tag_class=:CONTEXT_SPECIFIC,
    @value=
     [#<OpenSSL::ASN1::OctetString:0x338270ea
       @indefinite_length=false,
       @tag=4,
       @tag_class=:UNIVERSAL,
       @tagging=nil,
       @value=
        "https://github.com/lostisland/faraday/.github/workflows/publish.yml@refs/tags/v2.12.2">]>]>
------------------------------------------------------------jruby-9.4.12.0 (jruby 9.4.12.0) -> exit status 0 in 1.716s------------------------------------------------------------
**********************************************************************************************************************************************************************************

Note that on jruby, the inner octet string is wrapped inside an ASN1Data, whereas it is only an ASN1Data on MRI.

❯ printf "0W\x86Uhttps://github.com/lostisland/faraday/.github/workflows/publish.yml@refs/tags/v2.12.2" | der2ascii
SEQUENCE {
  [6 PRIMITIVE] { "https://github.com/lostisland/faraday/.github/workflows/publish.yml@refs/tags/v2.12.2" }
}