fix: use ORGANIZATION_NAME OID (2.5.4.10) not ORGANIZATION (2.5.6.4) in extract_name #219
Open
ryancee wants to merge 1 commit into str4d:update-yubikey
This was referenced Mar 24, 2026
rfc4519::ORGANIZATION is the object class OID (2.5.6.4). rfc4519::ORGANIZATION_NAME is the attribute type OID (2.5.4.10) that x509-cert uses when encoding O= attributes in a certificate subject DN. extract_name() compared a.oid == ORGANIZATION which never matched, causing Metadata::extract() to return None and the .unwrap() in builder.rs:175 to panic after every successful --generate invocation.
b887de7 to c9f9895
Summary
util.rs imports rfc4519::ORGANIZATION which is OID 2.5.6.4 — the object class OID for Organization, not the attribute type OID used in certificate subjects.
The correct import is rfc4519::ORGANIZATION_NAME which is OID 2.5.4.10 — the attribute type OID that x509-cert assigns when encoding O= attributes in a DN string via Name::from_str.
Impact
Without this fix, extract_name() compares a.oid == ORGANIZATION (2.5.6.4) against every attribute in the generated certificate's subject, but the O=age-plugin-yubikey attribute is encoded with OID 2.5.4.10. The comparison never matches, so extract_name() returns None, and the .unwrap() at builder.rs:175 panics immediately after every successful --generate invocation:
This means --generate always panics on the update-yubikey branch, even though the key and certificate are written to the YubiKey successfully before the panic.
Fix
One line. The alias as ORGANIZATION preserves all existing uses of the identifier throughout the file.
Testing
Verified by running age-plugin-yubikey --generate against a YubiKey 5C Nano 2 (firmware 5.7.4, AES256 management key) with the patched binary. Generation completes without panic and produces a valid recipient + identity stub.
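The mismatch described in this pull request, reproduced as an added std-only example (not code from the PR or from age-plugin-yubikey): a minimal DER walk over a constructed subject shows that a lookup keyed on 2.5.6.4 yields None while 2.5.4.10 finds the O= value. The names tlv, find_attr, sample_subject and ORGANIZATION_CLASS are hypothetical, the sample bytes are constructed, and only short-form DER lengths are handled.

```rust
// DER content bytes of the two OIDs (tag and length omitted).
const ORGANIZATION_NAME: &[u8] = &[0x55, 0x04, 0x0A]; // 2.5.4.10, attribute type
const ORGANIZATION_CLASS: &[u8] = &[0x55, 0x06, 0x04]; // 2.5.6.4, object class

/// Split one DER TLV (short-form length only) into (tag, value, remainder).
fn tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = buf.split_first()?;
    let (&len, rest) = rest.split_first()?;
    // Long-form or truncated input is out of scope for this sketch.
    if len & 0x80 != 0 || rest.len() < len as usize { return None; }
    let (value, rest) = rest.split_at(len as usize);
    Some((tag, value, rest))
}

/// Walk Name ::= SEQUENCE OF SET OF SEQUENCE { type, value } and return the
/// value of the first attribute whose type OID equals `oid`.
fn find_attr<'a>(name: &'a [u8], oid: &[u8]) -> Option<&'a str> {
    let (tag, mut rdns, _) = tlv(name)?;
    if tag != 0x30 { return None; }
    while !rdns.is_empty() {
        let (_, mut set, rest) = tlv(rdns)?; // one RDN (SET)
        rdns = rest;
        while !set.is_empty() {
            let (_, atv, rest) = tlv(set)?; // AttributeTypeAndValue
            set = rest;
            let (ty_tag, ty, value_tlv) = tlv(atv)?;
            let (_, value, _) = tlv(value_tlv)?;
            if ty_tag == 0x06 && ty == oid {
                return std::str::from_utf8(value).ok();
            }
        }
    }
    None
}

/// Constructed sample: DER subject "O=age-plugin-yubikey" (UTF8String value).
fn sample_subject() -> Vec<u8> {
    let org = b"age-plugin-yubikey";
    let mut atv = vec![0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, org.len() as u8];
    atv.extend_from_slice(org);
    let n = atv.len() as u8;
    let mut out = vec![0x30, n + 4, 0x31, n + 2, 0x30, n];
    out.extend(atv);
    out
}

fn main() {
    let subject = sample_subject();
    println!("2.5.6.4  -> {:?}", find_attr(&subject, ORGANIZATION_CLASS));
    println!("2.5.4.10 -> {:?}", find_attr(&subject, ORGANIZATION_NAME));
}
```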