Encode Netscape IA5String extensions correctly (fixes #349)

create_ext has no special case for nsComment (OID 2.16.840.1.113730.1.13)
and other Netscape IA5String extensions, so they fall through to the
generic else branch which double-wraps the value in OCTET STRINGs:

    OCTET STRING { OCTET STRING { raw ASCII } }

CRuby's native OpenSSL bindings produce the correct encoding:

    OCTET STRING { IA5String "..." }

The malformed encoding causes BouncyCastle to crash when parsing
certificates containing these extensions, as it tries to interpret the
raw ASCII bytes as ASN.1 structures.

Add isNetscapeIA5StringExtension() covering all Netscape extensions
defined as IA5String (nsBaseUrl, nsRevocationUrl, nsCaRevocationUrl,
nsRenewalUrl, nsCaPolicyUrl, nsSslServerName, nsComment). nsCertType
is excluded as it is a BIT STRING already handled separately.

Author: bsommerer

src/main/java/org/jruby/ext/openssl/X509ExtensionFactory.java

@@ -211,6 +211,9 @@ else if (id.equals("2.5.29.31")) { // crlDistributionPoints
             else if (id.equals("1.3.6.1.5.5.7.1.1")) { // authorityInfoAccess
                 value = parseAuthorityInfoAccess(valuex);
             }
+            else if (isNetscapeIA5StringExtension(id)) {
+                value = new DEROctetString(new DERIA5String(valuex).getEncoded(ASN1Encoding.DER));
+            }
             else {
                 value = new DEROctetString(new DEROctetString(ByteList.plain(valuex)).getEncoded(ASN1Encoding.DER));
             }
@@ -385,6 +388,25 @@ private DERBitString parseNsCertType(String oid, String valuex) {
         return new DERBitString(new byte[]{v}, unused);
     }
 
+    /**
+     * Returns true for Netscape extensions whose value is an IA5String.
+     * nsCertType (2.16.840.1.113730.1.1) is a BIT STRING handled separately.
+     */
+    private static boolean isNetscapeIA5StringExtension(final String oid) {
+        switch (oid) {
+            case "2.16.840.1.113730.1.2":  // nsBaseUrl
+            case "2.16.840.1.113730.1.3":  // nsRevocationUrl
+            case "2.16.840.1.113730.1.4":  // nsCaRevocationUrl
+            case "2.16.840.1.113730.1.7":  // nsRenewalUrl
+            case "2.16.840.1.113730.1.8":  // nsCaPolicyUrl
+            case "2.16.840.1.113730.1.12": // nsSslServerName
+            case "2.16.840.1.113730.1.13": // nsComment
+                return true;
+            default:
+                return false;
+        }
+    }
+
     private static DLSequence parseBasicConstrains(final String valuex) {
         final String[] val = StringHelper.split(valuex, ',');
         final ASN1EncodableVector vec = new ASN1EncodableVector();

src/test/ruby/x509/test_x509ext.rb

@@ -331,6 +331,30 @@ def test_subject_alt_name_sign_to_pem_through_cert
     assert_equal "DNS:test.example.com, DNS:test2.example.com, DNS:example.com, DNS:www.example.com", ext.value
   end
 
+  def test_ns_comment_der_encoding
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ext = ef.create_extension("nsComment", "my test comment")
+
+    # Value round-trips correctly
+    assert_equal "my test comment", ext.value
+
+    # Inner encoding must be IA5String (tag 0x16), not OCTET STRING (tag 0x04)
+    seq = OpenSSL::ASN1.decode(ext.to_der)
+    inner = OpenSSL::ASN1.decode(seq.value[-1].value)
+    assert_instance_of OpenSSL::ASN1::IA5String, inner
+    assert_equal "my test comment", inner.value
+  end
+
+  def test_ns_base_url_der_encoding
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ext = ef.create_extension("nsBaseUrl", "https://example.com/")
+
+    seq = OpenSSL::ASN1.decode(ext.to_der)
+    inner = OpenSSL::ASN1.decode(seq.value[-1].value)
+    assert_instance_of OpenSSL::ASN1::IA5String, inner
+    assert_equal "https://example.com/", inner.value
+  end
+
   def subject_alt_name(domains)
     ef = OpenSSL::X509::ExtensionFactory.new
     ef.create_extension("subjectAltName", domains.split(',').map { |d| "DNS: #{d}" }.join(', '))