> On Mar 18, 2019, at 6:51 AM, Graham Leggett <minfrin@xxxxxxxx> wrote:
>
> The CSR is incomplete, but isn't malformed.

A mandatory part of the CSR is missing. It is malformed.

> The CSR is in the process of being built. Part of that process involves
> sending the partially complete CSR to another module, which then
> completes the CSR structure. This used to work, but has regressed when
> moving from rhel6 to rhel7.
>
>> which has a non-zero length signature algorithm OID (l = 9). Your
>> example has "l=0" where one would expect the signature OID after
>> the extensions.
>
> How do I fix openssl to parse this as it did before?

Since you don't have a CSR, the fix is to not attempt to encode the data
as a CSR. It sounds like what you have is a CRI (that is, a
CertificationRequestInfo structure), so you'll need to encode that instead.

https://tools.ietf.org/html/rfc2986#section-4

The relevant codec functions are: i2d_X509_REQ_INFO and d2i_X509_REQ_INFO.

A CSR is:

    CertificationRequest ::= SEQUENCE {
        certificationRequestInfo CertificationRequestInfo,
        signatureAlgorithm       AlgorithmIdentifier{{ SignatureAlgorithms }},
        signature                BIT STRING
    }

which encapsulates the CRI in a larger signed structure, adding precisely
the bits you're missing.

An alternative (if you must) is to create an actual CSR, with a dummy
signature OID and signature, and then ignore the signature on the other
side.

-- 
Viktor.
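An added example, not part of the thread above and not OpenSSL code: a small DER walker that shows the structural difference Viktor describes. It classifies a buffer as a bare CertificationRequestInfo (RFC 2986 section 4.1), a complete CertificationRequest (section 4.2), or a CSR whose signatureAlgorithm carries no OID (the "l=0" case), and it also implements his fallback of wrapping a CRI in a CSR with a dummy signature and unwrapping it on the other side. All DER bytes below are constructed for the example (the empty Name, the placeholder algorithm OID 1.2.3 and the one-byte keys are not real values), and the verdict strings are this example's own convention.

```python
# Added example: distinguish a CertificationRequestInfo from a CertificationRequest
# by walking the outer DER SEQUENCE. Not OpenSSL code; sample bytes are constructed.

SEQ, INT, BITSTR, OID, CTX0 = 0x30, 0x02, 0x03, 0x06, 0xA0  # DER tags used here
CRI_TAGS = [INT, SEQ, SEQ, CTX0]  # version, subject Name, SubjectPublicKeyInfo, [0] attributes
CSR_TAGS = [SEQ, SEQ, BITSTR]     # certificationRequestInfo, signatureAlgorithm, signature


def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    """Build one tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def parse_tlvs(buf):
    """Split a DER buffer into (tag, body) pairs; truncated input raises ValueError."""
    out, i = [], 0
    while i < len(buf):
        tag = buf[i]
        i += 1
        if i >= len(buf):
            raise ValueError("truncated after tag")
        length = buf[i]
        i += 1
        if length & 0x80:
            n = length & 0x7F
            if n == 0 or n > 4 or i + n > len(buf):
                raise ValueError("bad long-form length")
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        body = buf[i:i + length]
        if len(body) != length:
            raise ValueError("truncated value")
        out.append((tag, body))
        i += length
    return out


def describe(der):
    """Return 'cri', 'csr', or a 'malformed-csr: ...' / 'unknown: ...' verdict."""
    top = parse_tlvs(der)
    if len(top) != 1 or top[0][0] != SEQ:
        return "unknown: not a single outer SEQUENCE"
    parts = parse_tlvs(top[0][1])
    tags = [t for t, _ in parts]
    if tags == CRI_TAGS:
        return "cri"  # the unsigned inner structure: use i2d/d2i_X509_REQ_INFO
    if tags != CSR_TAGS:
        return "unknown: element tags %s" % [hex(t) for t in tags]
    if [t for t, _ in parse_tlvs(parts[0][1])] != CRI_TAGS:
        return "malformed-csr: first element is not a CertificationRequestInfo"
    alg = parse_tlvs(parts[1][1])  # AlgorithmIdentifier must start with an OID
    if not alg or alg[0][0] != OID or len(alg[0][1]) == 0:
        return "malformed-csr: signatureAlgorithm has no OID (l=0)"
    return "csr"


def wrap_cri(cri_der, alg_oid_body, sig):
    """Viktor's fallback: wrap a bare CRI in a CSR with a dummy algorithm OID and signature."""
    alg = tlv(SEQ, tlv(OID, alg_oid_body))
    return tlv(SEQ, cri_der + alg + tlv(BITSTR, b"\x00" + sig))  # 0 unused bits


def unwrap_cri(csr_der):
    """Receiving side of the fallback: pull the CRI back out and ignore the signature."""
    tag, body = parse_tlvs(parse_tlvs(csr_der)[0][1])[0]
    return tlv(tag, body)


# Constructed sample data (placeholder OID 1.2.3 = bytes 2a 03; not real keys).
EMPTY_NAME = tlv(SEQ, b"")
SPKI = tlv(SEQ, tlv(SEQ, tlv(OID, b"\x2a\x03")) + tlv(BITSTR, b"\x00\x01"))
CRI = tlv(SEQ, tlv(INT, b"\x00") + EMPTY_NAME + SPKI + tlv(CTX0, b""))
CSR = wrap_cri(CRI, b"\x2a\x03", b"\xff")
# A CSR whose signatureAlgorithm is an empty SEQUENCE: length 0 where the OID belongs.
BROKEN = tlv(SEQ, CRI + tlv(SEQ, b"") + tlv(BITSTR, b""))

if __name__ == "__main__":
    for name, der in (("CRI", CRI), ("CSR", CSR), ("BROKEN", BROKEN)):
        print(name, describe(der))
```

Feeding `openssl asn1parse -inform DER` the same three buffers shows the same thing the thread's "l=0" refers to: the signatureAlgorithm SEQUENCE in BROKEN has a zero-length body, so `d2i_X509_REQ` has nothing to decode as an OID, while CRI is a perfectly good CertificationRequestInfo that only `d2i_X509_REQ_INFO` will accept.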