x.509 PKI - illegal object in getInstance: org.bouncycastle.asn1.DERTaggedObject #61

Closed
billmurrin opened this issue Jul 9, 2018 · 5 comments
@billmurrin

I am currently compiling the develop branch of TheHive and attempting to get x.509 working since the elastic4play pki commit was merged. I now get prompted for an x.509 certificate in my web browser! :-)

However, when I try to use the certificate fields 'cn' or 'rfc822Name', I am unable to SSO and keep getting the following error (note: I have not tried any other fields):

[info] o.e.ClientAuthSSLEngineProvider - Client certificate authentication is enable
[info] o.e.ErrorHandler - GET /api/user/current returned 400
java.lang.IllegalArgumentException: illegal object in getInstance: org.bouncycastle.asn1.DERTaggedObject
        at org.bouncycastle.asn1.DERUTF8String.getInstance(Unknown Source)
        at org.elastic4play.controllers.Authenticated$CertificateSAN$$anonfun$unapply$4.applyOrElse(Authenticated.scala:153)
        at org.elastic4play.controllers.Authenticated$CertificateSAN$$anonfun$unapply$4.applyOrElse(Authenticated.scala:148)
        at scala.PartialFunction$Lifted.apply(PartialFunction.scala:224)
        at scala.PartialFunction$Lifted.apply(PartialFunction.scala:220)
        at scala.Option.collect(Option.scala:282)
        at org.elastic4play.controllers.Authenticated$CertificateSAN$.unapply(Authenticated.scala:148)
        at org.elastic4play.controllers.Authenticated$$anonfun$$nestedInanonfun$getFromClientCertificate$6$1.applyOrElse(Authenticated.scala:186)
        at org.elastic4play.controllers.Authenticated$$anonfun$$nestedInanonfun$getFromClientCertificate$6$1.applyOrElse(Authenticated.scala:185)
        at scala.collection.TraversableOnce.collectFirst(TraversableOnce.scala:145)

After this error, I am brought to the login page and no SSO takes place.

@billmurrin (Author)

Additional information: I compiled a local version with a few logger notifications and included it in TheHive; here is the output prior to the error. (The actual UPN has been modified.)

[info] o.e.c.Authenticated - Debug ASN Sequence: [1.3.6.1.4.1.311.20.2.3, [0][0]1234564567897897@domain]
[info] o.e.c.Authenticated - Debug ASN id: 1.3.6.1.4.1.311.20.2.3

@billmurrin (Author)

Authenticated.scala (with the logging I added, so you can see where it is):

          case (0, value: Array[Byte]) ⇒
            // SAN type 0 (otherName): the value is the DER-encoded SEQUENCE { type-id OID, [0] EXPLICIT value }
            val asn1 = new ASN1InputStream(new ByteArrayInputStream(value)).readObject()
            val asn1Seq = ASN1Sequence.getInstance(asn1)
            logger.info("Debug ASN Sequence: " + asn1Seq.toString())
            val id = ASN1ObjectIdentifier.getInstance(asn1Seq.getObjectAt(0)).getId
            logger.info("Debug ASN id: " + id.toString())
            // getObject unwraps only the outer [0]; the output below shows the result is still a tagged object
            val asnObject = asn1Seq.getObjectAt(1).asInstanceOf[ASN1TaggedObject].getObject
            logger.info("Debug ASN Object: " + asnObject.toString())
            // Throws IllegalArgumentException: asnObject is a DERTaggedObject, not a DERUTF8String
            val valueStr = DERUTF8String.getInstance(asnObject).getString
            id match {
              case "1.3.6.1.4.1.311.20.2.3" ⇒ "upn" → valueStr   // Microsoft UPN OID
              // Add other object id
              case other                    ⇒ other → valueStr
            }

Output:

[info] o.e.c.Authenticated - Debug ASN Sequence: [1.3.6.1.4.1.311.20.2.3, [0][0]1234564567897897@domain]
[info] o.e.c.Authenticated - Debug ASN id: 1.3.6.1.4.1.311.20.2.3
[info] o.e.c.Authenticated - Debug ASN Object: [0]1234564567897897@domain
[info] o.e.ErrorHandler - GET /api/user/current returned 400
java.lang.IllegalArgumentException: illegal object in getInstance: org.bouncycastle.asn1.DERTaggedObject
        at org.bouncycastle.asn1.DERUTF8String.getInstance(Unknown Source)
        at org.elastic4play.controllers.Authenticated$CertificateSAN$$anonfun$unapply$4.applyOrElse(Authenticated.scala:157)
        at org.elastic4play.controllers.Authenticated$CertificateSAN$$anonfun$unapply$4.applyOrElse(Authenticated.scala:148)
        at scala.PartialFunction$Lifted.apply(PartialFunction.scala:224)
        at scala.PartialFunction$Lifted.apply(PartialFunction.scala:220)
        at scala.Option.collect(Option.scala:282)
        at org.elastic4play.controllers.Authenticated$CertificateSAN$.unapply(Authenticated.scala:148)
        at org.elastic4play.controllers.Authenticated$$anonfun$$nestedInanonfun$getFromClientCertificate$6$1.applyOrElse(Authenticated.scala:190)
        at org.elastic4play.controllers.Authenticated$$anonfun$$nestedInanonfun$getFromClientCertificate$6$1.applyOrElse(Authenticated.scala:189)
        at scala.collection.TraversableOnce.collectFirst(TraversableOnce.scala:145)

@billmurrin (Author)

If I do something like this:

          case (0, value: Array[Byte]) ⇒
            val asn1 = new ASN1InputStream(new ByteArrayInputStream(value)).readObject()
            val asn1Seq = ASN1Sequence.getInstance(asn1)
            logger.info("Debug ASN Sequence: " + asn1Seq.toString())
            val id = ASN1ObjectIdentifier.getInstance(asn1Seq.getObjectAt(0)).getId
            logger.info("Debug ASN id: " + id.toString())
            val asnObject = asn1Seq.getObjectAt(1).asInstanceOf[ASN1TaggedObject].getObject()
            logger.info("Debug ASN Object: " + asnObject.toString())
            logger.info("Class: " + asnObject.getClass())
            logger.info("Primitive: " + asnObject.toASN1Primitive)
            logger.info("Primitive toString: " + asnObject.toASN1Primitive.toString)
            // getEncoded returns Array[Byte]; hex-encode it or the log shows only an array reference
            // (needs import org.bouncycastle.util.encoders.Hex)
            logger.info("Encoded: " + Hex.toHexString(asnObject.getEncoded))
            // Workaround: DERTaggedObject.toString renders as "[0]<value>", so take the text after the first "]"
            val valueStr = asnObject.toString().split("]")(1)
            logger.info("The new string: " + valueStr)

            id match {
              case "1.3.6.1.4.1.311.20.2.3" ⇒ "upn" → valueStr   // Microsoft UPN OID
              // Add other object id
              case other                    ⇒ other → valueStr
            }

I am able to use upn as the certificateField and can conduct SSO with TheHive. However, I am not able to use any other field name for certificateField.
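As an added example (not elastic4play's or TheHive's code, and using no BouncyCastle), the following Python decodes the otherName layout the debug output above reveals, SEQUENCE { OID, [0] { [0] { UTF8String } } }, and unwraps any depth of [0] tags instead of assuming one level or splitting a toString rendering; the sample bytes and the UPN value in them are constructed.

```python
# Constructed sample otherName bytes, mirroring the layout in the debug log above.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"
_UPN_OID_DER = bytes([0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03])

def _enc(tag, body):  # DER TLV encoder for the short (< 128 byte) bodies used here
    return bytes([tag, len(body)]) + body

_NAME = _enc(0x0C, b"user@example.com")  # UTF8String holding a constructed UPN
SAMPLE_SINGLE = _enc(0x30, _enc(0x06, _UPN_OID_DER) + _enc(0xA0, _NAME))
SAMPLE_NESTED = _enc(0x30, _enc(0x06, _UPN_OID_DER) + _enc(0xA0, _enc(0xA0, _NAME)))

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Turn OID content octets into dotted form (base-128 arcs)."""
    first, second = divmod(body[0], 40)
    arcs, acc = [first, second], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_other_name(der):
    """Return (oid, value) from a DER otherName, unwrapping any depth of [0] tags."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("otherName must be a SEQUENCE")
    tag, oid_body, pos = _tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    tag, body, _ = _tlv(seq, pos)
    # The value is [0] EXPLICIT; the certificate in this issue nests a second [0]
    # around the UTF8String, so keep unwrapping instead of assuming one level.
    while tag == 0xA0:
        tag, body, _ = _tlv(body, 0)
    if tag != 0x0C:
        raise ValueError("expected UTF8String, got tag 0x%02x" % tag)
    return _decode_oid(oid_body), body.decode("utf-8")

def certificate_field(der):
    # Same (field, value) pairing as the match expression in Authenticated.scala above
    oid, value = parse_other_name(der)
    return ("upn" if oid == UPN_OID else oid), value
```

Both the single-level and the doubly-tagged encoding yield the same UPN, which is what the `split("]")(1)` workaround only achieves for the nested case.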

@To-om (Contributor)

To-om commented Jul 10, 2018

Hi @billmurrin,
Thank you for your investigation. I've fixed this problem and I hope that it covers all cases.

@To-om To-om closed this as completed Jul 10, 2018
@To-om To-om self-assigned this Jul 10, 2018
@To-om To-om added the bug label Jul 10, 2018
@To-om To-om added this to the 1.6.0 milestone Jul 10, 2018
@billmurrin (Author)

@To-om Your commit is working great for me. Thanks!
