SubjectAlternativeNameBuilder.AddDnsName throws ArgumentException #102201

Open
amaltinsky opened this issue May 14, 2024 · 3 comments
Labels
area-System.Security untriaged New issue has not been triaged by the area owner

Comments

amaltinsky commented May 14, 2024

Description

Calling SubjectAlternativeNameBuilder.AddDnsName() with a name that ends with - results in an ArgumentException although it's a perfectly valid DNS name. This is caused by IdnMapping mistakenly treating such names as IDNs.

Note that Uri.CheckHostName("EC2-12-456-789-") returns Dns as the name type.

Reproduction Steps

using System.Security.Cryptography.X509Certificates;

var builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName("EC2-12-456-789-"); // throws ArgumentException

Expected behavior

Adds the given DNS name to the SubjectAlternateName

Actual behavior

Throws ArgumentException

Regression?

No response

Known Workarounds

No response

Configuration

No response

Other information

No response

@dotnet-issue-labeler dotnet-issue-labeler bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label May 14, 2024
@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label May 14, 2024
@amaltinsky amaltinsky changed the title SubjectAlternativeNameBuilder.AddDnsName throws an exception ArgumentException SubjectAlternativeNameBuilder.AddDnsName throws ArgumentException May 14, 2024
@huoyaoyuan huoyaoyuan added area-System.Security and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels May 14, 2024
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@bartonjs
Member

According to RFC 1034, ending in a hyphen is invalid.

<domain> ::= <subdomain> | " "

<subdomain> ::= <label> | <subdomain> "." <label>

<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]

<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>

<let-dig-hyp> ::= <let-dig> | "-"

<let-dig> ::= <letter> | <digit>

The label production only allows ldh-str (letter-digit-or-hyphen) after the first character, and before the last.
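To make the grammar concrete, here is an added validator (not part of the issue or of the .NET runtime) that implements the RFC 1034 `<label>` production quoted above plus the 63-octet label limit from RFC 1034 section 3.1, and reports which rule a candidate name violates. Running it on the truncated EC2 hostname from the report shows the trailing hyphen being rejected before any IDN mapping is involved; `label_error`, `dns_name_error` and `check_names` are names chosen for this example.

```python
import re
import string
from typing import Dict, Iterable, Optional

# RFC 1034 section 3.5 grammar, as quoted above:
#   <label>   ::= <letter> [ [ <ldh-str> ] <let-dig> ]
#   <ldh-str> ::= one or more of <letter> | <digit> | "-"
# A label starts with a letter, may contain hyphens only in its interior,
# and ends with a letter or digit. Matching is case-insensitive.
_LABEL_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def label_error(label: str) -> Optional[str]:
    """Return None if `label` is a valid RFC 1034 label, else the reason."""
    if not label:
        return "empty label"
    if len(label) > 63:  # RFC 1034 section 3.1: labels are at most 63 octets
        return "label longer than 63 octets"
    if label[0] not in string.ascii_letters:
        return "label must start with a letter"
    if label[-1] == "-":
        return "label must not end with a hyphen"
    if not _LABEL_RE.match(label):
        return "label contains characters outside letters, digits and hyphen"
    return None


def dns_name_error(name: str) -> Optional[str]:
    """Return None if `name` is a valid RFC 1034 domain name, else the reason.

    The empty name is the root (the " " alternative of <domain>); a single
    trailing dot marking an absolute name is tolerated.
    """
    if name == "":
        return None
    if name.endswith("."):
        name = name[:-1]
    for label in name.split("."):
        err = label_error(label)
        if err is not None:
            return f"{label!r}: {err}"
    return None


def check_names(names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each candidate name to its first grammar violation (None if valid)."""
    return {n: dns_name_error(n) for n in names}


if __name__ == "__main__":
    # Constructed sample names, including the truncated EC2 hostname from the issue.
    for name, err in check_names(["EC2-12-456-789-", "ec2-12-456-789", "1host"]).items():
        print(f"{name:<18} {'OK' if err is None else err}")
```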

@amaltinsky
Author

amaltinsky commented May 14, 2024

@bartonjs

First, this exception only happens when the ICU Globalization API is used (as I now discovered). This works fine with NLS, which means that it works fine with old versions of .NET. This shouldn't be the case regardless of whether this is a valid DNS name.

Second, hostnames seem to not have this restriction on ending with hyphen. And such hostnames can easily be accidentally created due to truncation to 15 characters. We ran into this issue in practice on a Windows EC2 machine where our code tried to generate a certificate with the hostname as an alternate name. This used to work in older versions of .NET.

Lastly, there seems to be some confusion with Uri.CheckHostName() which returns UriHostNameType.Dns for names that end with a hyphen.
