Encoding of AlgorithmIdentifier with NULL parameters

Thulasi Goriparthi <thulasi.goriparthi@xxxxxxxxx> · Fri, 29 Jan 2021 00:37:18 +0530

I am trying to provide a test certificate generated by openssl-3.0.0-alpha10 to a third party certificate parser/manager. This software expects AlgorithmIdentifier to either have parameters or to have null encoded (05 00) parameters which seems to be missing in the certificate.
Certificate generated by openssl-3.0.0-alpha10

    0:d=0  hl=4 l=1030 cons: SEQUENCE          
    4:d=1  hl=4 l= 752 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
   16:d=2  hl=2 l=  11 cons: SEQUENCE          
   18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   29:d=2  hl=3 l= 143 cons: SEQUENCE          
   32:d=3  hl=2 l=  11 cons: SET               
   34:d=4  hl=2 l=   9 cons: SEQUENCE          
   36:d=5  hl=2 l=   3 prim: OBJECT            :countryName

Certificate generated by openssl-1.1.1g

    0:d=0  hl=4 l= 988 cons: SEQUENCE          
    4:d=1  hl=4 l= 708 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
   16:d=2  hl=2 l=  13 cons: SEQUENCE          
   18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   29:d=3  hl=2 l=   0 prim: NULL              
   31:d=2  hl=3 l= 143 cons: SEQUENCE          
   34:d=3  hl=2 l=  11 cons: SET               
   36:d=4  hl=2 l=   9 cons: SEQUENCE          
   38:d=5  hl=2 l=   3 prim: OBJECT            :countryName

From https://tools.ietf.org/html/rfc5280#section-4.1.1.2, It isn't clear if NULL parameters can be completely omitted or if it should still have NULL encoding.

Is this a too stringent check in the third-party s/w or a miss in openss-3.0.0-alpha10?

Thanks,
Thulasi.