fix stir/shaken tnauthlist decoding2

Author: dmitry-sinina

app/models/concerns/equipment/stir_shaken/certificate_details.rb

@@ -51,13 +51,21 @@ def format_tn_auth_list(certificate)
         ext = certificate.extensions.find { |e| e.oid == TN_AUTH_LIST_OID }
         return [] if ext.nil?
 
-        tn_auth_seq = OpenSSL::ASN1.decode(OpenSSL::ASN1.decode(ext.value_der).value)
+        tn_auth_seq = decode_tn_auth_list(ext)
         entries = tn_auth_seq.value.map { |entry| format_tn_auth_entry(entry) }
         ['TNAuthList:'] + entries.map { |e| "  #{e}" }
       rescue OpenSSL::ASN1::ASN1Error
         ['TNAuthList: unable to decode']
       end
 
+      def decode_tn_auth_list(ext)
+        decoded = OpenSSL::ASN1.decode(ext.value_der)
+        # value_der may or may not include OCTET STRING wrapper depending on
+        # how the extension was encoded. If first decode returns an OctetString,
+        # we need a second decode to get the actual TNAuthList sequence.
+        decoded.tag == OpenSSL::ASN1::OCTET_STRING ? OpenSSL::ASN1.decode(decoded.value) : decoded
+      end
+
       def format_tn_auth_entry(entry)
         case entry.tag
         when 0

spec/support/helpers/stir_shaken_certificate_helper.rb

@@ -94,9 +94,13 @@ def build_tn_auth_list_extension(entries)
       end
     end
     tn_auth_list = OpenSSL::ASN1::Sequence.new(tn_entries)
-    OpenSSL::X509::Extension.new(
-      '1.3.6.1.5.5.7.1.26',
-      OpenSSL::ASN1::OctetString.new(tn_auth_list.to_der)
-    )
+    # Build extension from raw DER to match real certificate encoding.
+    # This ensures value_der returns the TNAuthList sequence directly
+    # (without extra OCTET STRING wrapper).
+    ext_der = OpenSSL::ASN1::Sequence.new([
+                                            OpenSSL::ASN1::ObjectId.new('1.3.6.1.5.5.7.1.26'),
+                                            OpenSSL::ASN1::OctetString.new(tn_auth_list.to_der)
+                                          ])
+    OpenSSL::X509::Extension.new(ext_der.to_der)
   end
 end