URI in SAN removes plus character

Pete Kofod
All:

We are running EJBCA 6.3.1.1 community edition which has BC "under the hood".  We have run into an issue with certificates with SANs.  Specifically, we have a requirement to include an AMQP URI as a SAN in a family of certificates.  The URI format includes a "+" symbol in the URI so the URI looks something like this:

amqp://end.entity+1234

This is a valid URI.  Unfortunately, during the certification creation process, it appears that the "+" sign is getting escaped by EJBCA.  We removed the escape function in EJBCA, but now the "plus" as well as all following text gets removed.  It appears that the "+" gets caught up in tokenization, but how is unclear.

So after EJBCA escapes it, the SAN looks like:  amqp://end.entity\+1234

And if we remove the escape, the SAN looks like: amqp://end.entity

Can anybody tell me if BouncyCastle removes "+" from a SAN string and if so, where does that occur?  We need to let the "plus" go through untampered.  The version EJBCA runs is 1.51 (Java).
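
Added example, not part of the original post and not EJBCA or BouncyCastle code: a check that compares the requested URI with the `uniformResourceIdentifier` entries actually present in an issued certificate's subjectAltName value, and labels the two symptoms described above. It assumes the DER-encoded extension value has already been extracted from the certificate; the function names are hypothetical and the sample bytes are constructed.

```python
# Added example: minimal DER handling for a subjectAltName value (GeneralNames).
# Sketch limits: short-form lengths only (< 128 bytes); sample data is constructed.
URI_TAG = 0x86       # [6] IMPLICIT IA5String = uniformResourceIdentifier (RFC 5280)
SEQUENCE_TAG = 0x30  # GeneralNames ::= SEQUENCE OF GeneralName


def encode_san_uris(uris):
    """Build a constructed GeneralNames value holding only URI entries."""
    body = b""
    for uri in uris:
        raw = uri.encode("ascii")  # IA5String is 7-bit; '+' (0x2B) is stored as-is
        body += bytes([URI_TAG, len(raw) & 0xFF]) + raw
    if len(body) > 127:
        raise ValueError("long-form lengths are not handled in this sketch")
    return bytes([SEQUENCE_TAG, len(body)]) + body


def decode_san_uris(der):
    """Return the URI entries of a DER GeneralNames value, byte for byte."""
    if len(der) < 2 or der[0] != SEQUENCE_TAG or der[1] != len(der) - 2:
        raise ValueError("unsupported or malformed GeneralNames")
    uris, pos = [], 2
    while pos < len(der):
        if pos + 2 > len(der) or der[pos + 1] > 127:
            raise ValueError("truncated or long-form element")
        tag, length = der[pos], der[pos + 1]
        value = der[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("element runs past the end of the value")
        if tag == URI_TAG:
            uris.append(value.decode("ascii"))
        pos += 2 + length
    return uris


def check_san_uri(requested, der):
    """Classify what happened to the requested URI in the issued SAN."""
    issued = decode_san_uris(der)
    if requested in issued:
        return "ok"
    if requested.replace("+", "\\+") in issued:
        return "escaped"      # the backslash form from the post
    if any(u and requested.startswith(u) for u in issued):
        return "truncated"    # the cut-off form from the post
    return "missing"
```

Because the URI is stored as a plain IA5String, a result of "escaped" or "truncated" points at the string handling before encoding rather than at the DER encoding itself.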