←back to thread

Getting ready to issue IP address certificates

(community.letsencrypt.org)
315 points Bogdanp | 8 comments | 25 Jun 25 16:21 UTC | HN request time: 1.198s | source | bottom
Show context
timewizard ◴[25 Jun 25 18:11 UTC] No.44380241[source]
I've personally never felt comfortable using regexes to solve production problems. The certificate code referenced here shows why:

https://github.com/mozilla-firefox/firefox/blob/d5979c2a5c2e...

Yikes.

replies(3): >>44380967 #>>44381082 #>>44381215 #
1. cpburns2009 ◴[25 Jun 25 19:35 UTC] No.44381082[source]
All that regex does is split an IPv6 address into groups of 4 digits, joins them with ":", and collapses any sequence of ":0000:" to "::". I don't see anything problematic with it.
replies(1): >>44381405 #
2. timewizard ◴[25 Jun 25 20:13 UTC] No.44381405[source]
> and collapses any sequence of ":0000:" to "::"

Which is an error. Any ip like 2001:0000:0000::1 is going to be incorrect. It willingly produces errors. Whoever wrote this didn't even spend a few seconds thinking about the structure of IPv6 addresses.

> I don't see anything problematic with it.

Other than it being completely wrong and requiring a regex to be compiled for an amount of work that's certainly less than the compilation itself.

replies(4): >>44381780 #>>44381818 #>>44381852 #>>44384570 #
3. cpburns2009 ◴[25 Jun 25 21:00 UTC] No.44381780[source]
It only operates on a 32 digit IPv6 address so it won't already be abbreviated. My phrasing was inexact. It replaces only the first sequence of any number of ":0000:" to "::".
4. remram ◴[25 Jun 25 21:04 UTC] No.44381818[source]
> Any ip like 2001:0000:0000::1 is going to be incorrect.

This is neither a possible input nor a possible output of that code.

replies(1): >>44383205 #
5. ephou7 ◴[25 Jun 25 21:08 UTC] No.44381852[source]
> Other than it being completely wrong and requiring a regex to be compiled for an amount of work that's certainly less than the compilation itself.

It's not. And the sequence you describe is not even parsed because colons are not part of the IPv6 extension of the SAN. PLease educate yourself before spilling such drivel.

6. dontdoxxme ◴[26 Jun 25 00:48 UTC] No.44383205{3}[source]
That example doesn't work, but an IPv6 address like: 3fff:0020::

Would be in the IP SAN as 3fff0020000000000000000000000000, which this code expands:

   "3fff0020000000000000000000000000"
                .toLowerCase()
                .match(/.{1,4}/g)
                .join(":")
                .replace(/\b:?(?:0+:?){2,}/, "::")
   '3fff::20:0000:0000:0000:0000:0000:0000'
Which has one too many parts and doesn't parse as an IPv6 address. But like mentioned this is just presentation code. I don't want to waste time if this isn't actually a bug, but maybe someone on the LetsEncrypt trial could actually make a cert to see if IP addresses formatted like that are a problem in reality...
replies(1): >>44383387 #
7. remram ◴[26 Jun 25 01:22 UTC] No.44383387{4}[source]
That one does look like a bug. I stand corrected.
8. ranger_danger ◴[26 Jun 25 05:58 UTC] No.44384570[source]
> Any ip like 2001:0000:0000::1 is going to be incorrect

How so?