kjur/jsrsasign

X509 getExtBasicConstraints() not outputting the CA JSON key and value

robcordes opened this issue · 10 comments

The picture below is a screenshot of the object:
The method results in the extension name and its critical flag value instead of returning the data as per the API, which is:
x.getExtBasicConstraints() → {cA:true,pathLen:3,critical:true}

Screenshot 2024-02-07 at 22 19 56

The output of the certificate tested with is (subject and SAN are removed from the output; one can see that openssl does output the CA flag):

openssl x509 -in ......pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
32:20:35:82:6c:29:5d:41:60:e4:ce:3e:00:bc:04:72:b3:56:29:bb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=NL, O=KPN B.V., CN=KPN PKIoverheid Private Services CA - G1
Validity
Not Before: Nov 17 14:20:04 2023 GMT
Not After : Nov 16 14:20:03 2026 GMT
Subject: C=NL, L=Den Haag, O=....., serialNumber=0,
CN=client.t05i0014ru075.idd.....
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:94:22:52:91:1a:55:3c:65:3f:77:d5:8a:ec:
8a:85:dd:16:db:54:ff:0d:10:75:5f:8c:f5:72:a1:
5c:1e:d0:21:6a:0c:a7:4b:6f:07:62:55:7c:05:3f:
33:97:3e:61:fc:91:6e:96:26:f2:98:40:b6:9c:12:
bf:4f:2e:cb:7f:c9:4c:63:65:64:4c:66:2a:66:18:
e0:8f:e7:4e:66:71:63:7b:fd:38:06:df:f0:f6:31:
bc:61:3e:06:08:fe:d0:98:61:06:a9:a0:2e:9e:9b:
72:a1:0f:d0:57:2c:28:55:86:0e:c4:37:eb:5b:b7:
3f:b9:aa:64:24:70:3f:22:b0:65:52:f7:53:42:2c:
2a:a4:77:8a:78:13:2d:08:53:a1:f4:24:80:3e:e0:
c4:0d:54:a7:b3:f5:fc:40:fc:5d:a4:a9:16:f4:c6:
ea:32:7f:4b:28:72:f8:31:dd:71:75:ab:8a:48:61:
fb:a5:56:8d:b0:b9:f3:87:ed:19:9f:d1:fd:e5:6c:
6d:3b:47:d6:3e:2e:35:ed:b8:cf:52:e9:c8:cb:06:
70:59:37:1d:31:f4:0b:ac:82:50:7f:0a:78:29:49:
85:6c:25:aa:90:b7:b0:d7:49:85:37:1e:6d:f7:ad:
06:6e:30:0c:9b:3c:e2:c4:15:66:7e:a3:6c:43:bb:
65:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
B8:D4:4C:9F:A8:5B:6E:DA:25:A7:68:8E:EF:8C:46:1A:FE:1F:53:65
Authority Information Access:
OCSP - URI:http://procsp.managedpki.com
X509v3 Subject Alternative Name:
DNS:.........
X509v3 Certificate Policies:
Policy: 2.16.528.1.1003.1.2.8.6
CPS: https://certificaat.kpn.com/elektronische-opslagplaats
User Notice:
Explicit Text: Op dit certificaat is het CPS PKIoverheid Private Services Server certificaten van KPN van toepassing.
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.managedpki.com/KPNBVPKIoverheidPrivateServicesCAG1/LatestCRL.crl
X509v3 Subject Key Identifier:
8B:5E:3C:84:9B:E3:DA:FF:C8:E0:CC:06:E2:8A:18:E4:D0:47:41:65
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
ae:3f:39:62:13:a0:3d:96:75:25:05:c8:4d:0b:0e:18:27:2c:
3c:47:dc:7b:c2:de:3b:c1:1d:0f:5e:8e:3c:69:f7:b9:d5:ab:
f9:23:68:d2:5f:c7:ab:29:cf:c6:9c:f7:b1:a7:d6:44:9b:13:
1f:7d:0d:bb:45:a7:8b:44:ec:c6:f3:5d:42:a2:c1:ca:fa:c8:
4b:5d:38:f8:4a:9d:c4:ce:5f:7c:1f:3b:e9:6f:98:ea:2b:c7:
60:f9:76:b9:28:c3:05:82:08:a9:b1:22:44:d4:94:5a:e8:6d:
c6:8d:b7:ba:44:f8:bb:66:29:8a:48:61:ee:07:dd:2d:08:aa:
30:c0:e2:67:15:93:4e:cd:15:c6:e8:1e:0a:76:14:cf:9c:ff:
3d:ff:35:4e:3a:bb:18:a0:b9:77:f9:bb:77:7d:a1:5e:5a:f7:
10:a2:f7:01:47:6d:10:a7:7c:fc:09:80:84:9b:16:19:bc:94:
99:28:5f:76:f9:67:91:80:a5:43:0d:ab:c6:62:cb:1e:dc:e6:
67:ad:8e:2c:aa:05:19:c5:0e:10:04:82:1e:f4:42:db:55:c9:
d7:b6:38:2b:bc:f5:1a:e8:8a:d6:84:9b:c0:7d:4c:f7:3f:b1:
b6:b5:bb:23:0c:93:18:44:02:04:4a:27:a5:af:4b:4d:34:cb:
b7:1c:46:02:c7:8a:4b:9e:e8:0e:30:a1:35:7a:d6:70:5a:7e:
59:d0:c8:cf:e5:63:fe:7b:31:8c:a5:65:3c:25:07:5a:e1:9d:
3b:86:18:9c:7c:15:fb:2e:91:33:86:a3:af:0d:40:3f:6b:05:
c6:a0:2b:c7:31:90:8b:63:2f:21:db:82:d1:d8:7d:2f:c3:81:
a5:54:b5:f7:4d:c0:f2:10:9e:6e:2e:41:5f:37:d3:89:e9:3b:
6a:f2:de:17:3d:d1:ab:92:27:84:d9:d7:1d:e9:c7:25:bf:e7:
7d:c6:c7:e7:09:dc:29:e0:a6:9e:24:1d:cb:17:60:0b:74:12:
1b:cd:29:ef:bc:51:0e:3e:19:db:6d:6e:41:6b:c8:62:6f:70:
fb:22:61:e6:3c:0c:28:39:35:0f:29:13:0d:20:b1:89:a3:e8:
75:5d:ba:35:d4:30:56:8c:13:59:a1:4c:79:69:55:2f:c6:7c:
1c:07:0c:6e:48:cb:2a:ad:59:2a:75:71:7b:f7:4a:9e:67:79:
d5:38:bc:8f:a4:36:fb:fb:44:c1:cb:ef:64:83:6e:b7:7f:77:
e1:d7:1a:e5:40:45:f2:41:a4:3d:04:06:a2:f3:67:46:49:55:
2d:4d:81:74:99:e4:1f:1f:64:09:a0:e2:c4:0b:81:14:a3:14:
c6:76:b3:fc:41:0f:f1:05

kjur commented

Hi @robcordes , could you provide its certificate PEM? Then I'll investigate it.

Mailed the PEM file.

kjur commented

getExtBasicConstraints() returns proper value for the certificate you send me.

> x.getExtBasicConstraints()
{ extname: 'basicConstraints', critical: true }

kjur commented

BTW, I didn't get your email with PEM file.

kjur commented

I believe you can't attach a file in that way.

PKIO-issued-client.t05i0014ru075.idd.mindef.nl.txt
Here it is with .txt as extension.
Again, if the CA flag is false, would it not be present as an attribute at all? So like the criticality flag for any given extension?

kjur commented

Yes, when the cA flag is false, the "cA" attribute will not exist, like the critical flag.