Re: Encoding of AlgorithmIdentifier with NULL parameters

Also note that the official ASN.1 declaration for
AlgorithmIdentifier (from X.509 (2012), section 7.2) marks
the parameters field as OPTIONAL, so parsers really should
accept its absence.


However, if broken parsers are common (this thread
only found one such parser), maybe it would be
good practice to include the NULL value for compatibility.

AlgorithmIdentifier{ALGORITHM:SupportedAlgorithms} ::= SEQUENCE {
    algorithm ALGORITHM.&id({SupportedAlgorithms}),
    parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL,
... }

On 2021-01-28 20:07, Thulasi Goriparthi wrote:
I am trying to provide a test certificate generated by openssl-3.0.0-alpha10 to a third party certificate parser/manager. This software expects AlgorithmIdentifier to either have parameters or to have null encoded (05 00) parameters which seems to be missing in the certificate.

Certificate generated by openssl-3.0.0-alpha10

    0:d=0  hl=4 l=1030 cons: SEQUENCE
    4:d=1  hl=4 l= 752 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
   16:d=2  hl=2 l=  11 cons: SEQUENCE
   18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   29:d=2  hl=3 l= 143 cons: SEQUENCE
   32:d=3  hl=2 l=  11 cons: SET
   34:d=4  hl=2 l=   9 cons: SEQUENCE
   36:d=5  hl=2 l=   3 prim: OBJECT            :countryName


Certificate generated by openssl-1.1.1g

    0:d=0  hl=4 l= 988 cons: SEQUENCE
    4:d=1  hl=4 l= 708 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
   16:d=2  hl=2 l=  13 cons: SEQUENCE
   18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   29:d=3  hl=2 l=   0 prim: NULL
   31:d=2  hl=3 l= 143 cons: SEQUENCE
   34:d=3  hl=2 l=  11 cons: SET
   36:d=4  hl=2 l=   9 cons: SEQUENCE
   38:d=5  hl=2 l=   3 prim: OBJECT            :countryName


From https://tools.ietf.org/html/rfc5280#section-4.1.1.2, it isn't clear if NULL parameters can be completely omitted or if it should still have NULL encoding.

Is this too stringent a check in the third-party s/w or a miss in openssl-3.0.0-alpha10?

Thanks,
Thulasi.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
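The two encodings compared in this thread, as an added example (not code from the thread or from OpenSSL): a small DER reader that, as Jakob suggests parsers should, accepts an AlgorithmIdentifier whose OPTIONAL parameters are omitted as well as one carrying an explicit NULL, and a `require_null` flag that reproduces the stricter third-party check Thulasi ran into. The byte strings are constructed to match the two asn1parse dumps above (SEQUENCE length 11 without parameters, 13 with `05 00`).

```python
# OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption): 9 content bytes, as in both dumps.
SHA256_RSA_OID = "2a864886f70d01010b"
# Constructed inputs: alpha10 omits parameters (len 11); 1.1.1g appends NULL 05 00 (len 13).
ALGID_NO_PARAMS = bytes.fromhex("300b" "0609" + SHA256_RSA_OID)
ALGID_NULL_PARAMS = bytes.fromhex("300d" "0609" + SHA256_RSA_OID + "0500")


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, offset after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """OID content octets to dotted form (first octet packs the first two arcs)."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.extend((value,) if arcs else divmod(value, 40) if value < 80 else (2, value - 80))
            value = 0
    return ".".join(map(str, arcs))


def parse_algorithm_identifier(der, require_null=False):
    """Return (dotted OID, "absent" | "null" | "present"); require_null mimics the strict check."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    if pos == len(body):  # OPTIONAL parameters not present, which X.509 permits
        if require_null:
            raise ValueError("parameters absent; strict parser expects 05 00")
        return decode_oid(oid), "absent"
    tag, params, pos = read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing data inside AlgorithmIdentifier")
    if tag == 0x05:
        if params:
            raise ValueError("NULL must be zero-length")
        return decode_oid(oid), "null"
    return decode_oid(oid), "present"
```

Feeding the 11-byte form with `require_null=True` raises, which is exactly the mismatch between the alpha10 certificate and the third-party manager described above.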
