URI in SAN removes plus character

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

URI in SAN removes plus character

Pete Kofod

We are running EJBCA community edition which has BC "under the hood".  We have run in to an issue with certificates with SANs.  Specifically, we have a requirement to include an AMQP URI as a SAN in a family of certificates.  The URI format includes a "+" symbol in the URI so the URI looks something like this:


This is a valid URI.  Unfortunately, during the certification creation process, it appears that the "+" sign is getting escaped by EJBCA.  We removed the escape function in EJBCA, but now the "plus" as well as all following text gets removed.  It appears that the "+" gets caught up in tokenization, but how is unclear.

So after EJBCA escapes it, the SAN looks like:  amqp://end.entity\+1234

And if we remove the escape, the SAN looks like: amqp://end.entity

Can anybody tell me if BouncyCastle removes "+" from a SAN string and if so, where does that occur?  We need to let the "plus" go through untampered.  The version EJBCA runs is 1.51 (Java).