[BUG] Incorrect Encoding of Percent-Encoded Characters in URI Fields

[gokceyilmazz]

Describe the Bug

When creating a certificate in EJBCA, either through a CSR (Certificate Signing Request) or directly, URI input fields such as Subject Alternative Name (SAN) URI or DNS Name incorrectly handle certain special characters.

For example, if a CSR contains the SAN URI:test:ce fe, the issued certificate correctly reflects URI:test:ce fe. However, when using a percent-encoded space (%20), such as URI:test:ce%20fe, the issued certificate incorrectly replaces % with /, resulting in URI:test:ce/20fe.

This issue is observed across other URI-based fields as well (e.g., DNS Name).

To Reproduce

Steps to reproduce the behavior:

1. Navigate to EJBCA and generate a certificate using a CSR or direct input.
2. In the Subject Alternative Name (SAN) field, enter URI:test:ce%20fe.
3. Issue the certificate and inspect the generated Subject Alternative Name.
4. The expected value URI:test:ce%20fe is incorrectly replaced with URI:test:ce/20fe.

Expected Behavior

The issued certificate should preserve the percent-encoded characters as provided in the input, without altering them. In this case, URI:test:ce%20fe should appear exactly as entered in the certificate.

Product Deployment

Please complete the following information:

• Version: EJBCA 7.11.0 Community

Additional Context

This issue affects multiple URI-based fields, including Subject Alternative Name (SAN) URI and DNS Name. The incorrect character replacement could lead to interoperability issues with systems that rely on correct percent-encoding for URI fields.

[primetomas]

You need to run that on the latest version of EJBCA. No updates to EJBCA 7 will be done.

You should also mention how you issue the certificate. Through REST API or by manual upload to the RA API? These things make all the difference.

[primetomas]

I guess it is URL encoding you are after, is that correct?

I tested in the EJBCA 9 in the RA Web and it works for me, parsing my certificate with OpenSSL I get:
X509v3 Subject Alternative Name:
URI:URI:test:ce%20fe, DNS:tomas45678

[gokceyilmazz]

We tested this both via the Web UI and the REST API, and the issue occurs in both cases.

Additionally, I have now tested this on EJBCA 8.3.2, and the problem still persists in this version as well.

Let me know if you need any additional details!

[primetomas]

The latest version of EJBCA is 9.0, which is where I tested the RA UI.

[gokceyilmazz]

I have tested this again with EJBCA 9.0.0, and the issue is still valid.

When I provide a percent-encoded space ("%20") in the Subject Alternative Name (SAN), DNS Name fields, the resulting certificate still replaces it with a slash ("/") instead of keeping "%20".

[primetomas]

That doesn’t look like a valid DNS name. Can you point to any standard that defines DNS names with colon and percentage signs instead of ie www.example.com.

[gokceyilmazz]

I used the DNS Name field just as an example, but this issue occurs in all Subject Alternative Name (SAN) fields where a URI can be entered. Even when I directly specify the URI in the Subject Alternative Names field as you did in your test, I do not get the expected result. Instead, I still receive an incorrect encoding.

[primetomas]

Oh yeah, now I see. In my environment I have removed % from "forbidden.characters" in conf/cesecore.properties. So if you are deploying from source, it's an easy change.

[gokceyilmazz]

I installed EJBCA using Docker, not from source. I checked the cesecore.properties file inside my container, but there is no forbidden.characters property defined in the file.

Is there a default value for this setting that applies even if it's not explicitly present in the configuration? Or do I need to manually add it and remove % to resolve the issue?

[primetomas]

You can find the default here. https://github.com/Keyfactor/ejbca-ce/blob/main/conf/cesecore.properties.sample

[gokceyilmazz]

Thank you for the clarification! I really appreciate the reference to the default configuration.

Regarding Subject Alternative Names, URI values can be included as defined RFC 5280. Additionally, RFC 3986 states that:

"Once produced, a URI is always in its percent-encoding form"

Since % is a common an expected character in URIs, perhaps allowing it by default in source code could be beneficial in certain cases.

Thanks again for your help!

[primetomas]

Thanks. Since %20 is space. Perhaps it would be more user friendly to URL encode the data user puts in. I.e. user enters "uri:foo bar", but it's automatically URL encoded when placed in the certificate.
What do you think?

[primetomas]

I.e. % is also used in SQL, which is why there is a bit of wariness against using it. While there is no (known and it's been tested extensively) SQL-injection in EJBCA there is a "security first" development attitude.