[fix] format authorityInfoAccess extension values (#210)

Author: kares

src/main/java/org/jruby/ext/openssl/X509Extension.java

@@ -57,6 +57,8 @@
 import org.bouncycastle.asn1.x509.DistributionPoint;
 import org.bouncycastle.asn1.x509.DistributionPointName;
 import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.AccessDescription;
+import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.util.encoders.Hex;
@@ -599,8 +601,7 @@ else if ( entry.respondsTo("value") ) {
                         }
                         else if ( dpName != null && dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER ) {
                             val.append(ByteList.plain("Relative Name:"));
-                            val.append('\n');
-                            val.append(ByteList.plain("  "));
+                            val.append('\n').append(' ').append(' ');
                             val.append(ByteList.plain(dpName.getName().toString()));
                         }
                     }
@@ -613,6 +614,35 @@ else if ( dpName != null && dpName.getType() == DistributionPointName.NAME_RELAT
                 }
             }
 
+            if ( oid.equals("1.3.6.1.5.5.7.1.1") ) { // authorityInfoAccess
+                try {
+                    ASN1Encodable value = getRealValue();
+                    final ByteList val = new ByteList(64);
+
+                    if ( value instanceof ASN1OctetString ) {
+                        value = ASN1.readObject( ((ASN1OctetString) value).getOctets() );
+                    }
+
+                    final AuthorityInformationAccess infoAccess = AuthorityInformationAccess.getInstance(value);
+                    final AccessDescription[] descriptions = infoAccess.getAccessDescriptions();
+
+                    for ( int i = 0; i < descriptions.length; i++ ) {
+                        if ( i > 0 ) val.append('\n');
+
+                        final AccessDescription description = descriptions[i];
+                        val.append( ByteList.plain( accessDescriptionMethodName(runtime, description) ) );
+                        val.append(' ').append('-').append(' ');
+                        formatGeneralName(description.getAccessLocation(), val, false);
+                    }
+
+                    return runtime.newString( val );
+                }
+                catch (IllegalArgumentException e) {
+                    debugStackTrace(runtime, e);
+                    return rawValueAsString(context);
+                }
+            }
+
             return rawValueAsString(context);
         }
         catch (IOException e) {
@@ -661,6 +691,19 @@ private static byte[] keyidBytes(ASN1Primitive keyid) throws IOException {
         return keyid.getEncoded(ASN1Encoding.DER);
     }
 
+    private static String accessDescriptionMethodName(final Ruby runtime, final AccessDescription description) {
+        final ASN1ObjectIdentifier method = description.getAccessMethod();
+        if ( AccessDescription.id_ad_ocsp.equals(method) ) return "OCSP";
+        if ( AccessDescription.id_ad_caIssuers.equals(method) ) return "CA Issuers";
+
+        final Integer nid = ASN1.oid2nid(runtime, method);
+        if ( nid != null ) {
+            final String name = ASN1.nid2ln(runtime, nid);
+            if ( name != null ) return name;
+        }
+        return method.getId();
+    }
+
     @SuppressWarnings("unchecked")
     private static boolean formatGeneralName(final GeneralName name, final ByteList out, final boolean slashed) {
         final ASN1Encodable obj = name.getName();

src/test/ruby/x509/test_x509cert.rb

@@ -753,4 +753,34 @@ def test_crl_distribution_points_with_dirname
     assert value.include?('Full Name:'), "Missing 'Full Name:' in extension value"
     assert value.include?('DirName:'), "Missing 'DirName:' in extension value"
   end
+
+  def test_authority_info_access_to_text
+    key = OpenSSL::PKey::RSA.new(2048)
+    subject = "/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example"
+
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
+    cert.not_before = Time.now
+    cert.not_after = Time.now + 365*24*60*60
+    cert.public_key = key.public_key
+    cert.serial = 0x3
+    cert.version = 2
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = ef.issuer_certificate = cert
+
+    cert.add_extension ef.create_extension('authorityInfoAccess',
+      'OCSP;URI:http://ocsp.example.com,caIssuers;URI:http://ca.example.com/ca.crt')
+
+    cert.sign key, OpenSSL::Digest::SHA256.new
+
+    aia_ext = cert.extensions.find { |e| e.oid == 'authorityInfoAccess' }
+    assert_not_nil aia_ext, 'authorityInfoAccess extension not found'
+    assert_equal "OCSP - URI:http://ocsp.example.com\nCA Issuers - URI:http://ca.example.com/ca.crt", aia_ext.value
+
+    text = cert.to_text
+    assert text.include?('Authority Information Access:'), "Missing 'Authority Information Access:' in to_text output"
+    assert text.include?('OCSP - URI:http://ocsp.example.com'), 'Missing OCSP URI in to_text output'
+    assert text.include?('CA Issuers - URI:http://ca.example.com/ca.crt'), 'Missing CA Issuers URI in to_text output'
+  end
 end