From 892e6eef01cb373631264348df61097e04c3a90e Mon Sep 17 00:00:00 2001
From: SpectralHiss
Date: Wed, 10 Jan 2024 10:35:43 +0000
Subject: [PATCH] Fix OtherName Value UniversalValue .Type() detection
Signed-off-by: SpectralHiss
---
 pkg/util/pki/match.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/pkg/util/pki/match.go b/pkg/util/pki/match.go
index 0b331ae6d..b735cab9f 100644
--- a/pkg/util/pki/match.go
+++ b/pkg/util/pki/match.go
@@ -22,6 +22,7 @@ import (
  "crypto/ed25519"
  "crypto/rsa"
  "crypto/x509/pkix"
+ "encoding/asn1"
  "net"
  "fmt"
@@ -240,14 +241,23 @@ func matchOtherNames(extension []pkix.Extension, specOtherNames []cmapi.OtherNam
  x509OtherNames := make([]cmapi.OtherName, 0, len(x509GeneralNames.OtherNames))
  for _, otherName := range x509GeneralNames.OtherNames {
- uv, err := UnmarshalUniversalValue(otherName.Value)
+
+ var otherNameInnerValue asn1.RawValue
+ // We have to perform one more level of unwrapping because value is still context specific class
+ // tagged 0
+ _, err := asn1.Unmarshal(otherName.Value.Bytes, &otherNameInnerValue)
+ if err != nil {
+ return false, err
+ }
+
+ uv, err := UnmarshalUniversalValue(otherNameInnerValue)
  if err != nil {
  return false, err
  }
  if uv.Type() != UniversalValueTypeUTF8String {
  // This means the CertificateRequest's otherName was not an utf8 value
- return false, fmt.Errorf("otherName is not an utf8 value")
+ return false, fmt.Errorf("otherName is not an utf8 value, got: %v", uv.Type())
  }
  x509OtherNames = append(x509OtherNames, cmapi.OtherName{