<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
This is a corner case, but an interesting one.<br>
<br>
An empty OBJECT IDENTIFIER has no meaning, since it can't identify
anything. Therefore, one shouldn't be able to allocate such a thing,
even less encode it.<br>
<br>
The CSR is of course invalid, but the previous one was also invalid;
OID 0.0 does not identify a signature algorithm (it's the OID {
itu-t recommendation }).<br>
<br>
The decoding step of the "0600" hex sequence correctly produces a
"BAD OBJECT", since it's an invalid encoding of an OID.<br>
So having an error when decoding such a CSR is a correct behaviour
and should be expected.<br>
<br>
<pre class="moz-signature" cols="72">--
Erwann ABALEA
</pre>
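To make the "0600" versus "060100" distinction discussed above concrete, here is an added example (not OpenSSL's or pyOpenSSL's code, and not part of either message) of a minimal DER OBJECT IDENTIFIER codec. It decodes the one-byte encoding of 0.0, refuses the zero-length encoding the way c2i_ASN1_OBJECT does (reported as BAD OBJECT, matching the asn1parse wording quoted in the thread), and refuses to produce an empty OID on the encoding side. Short-form lengths only; the sample OID values are constructed for the test.<br>

```python
"""Minimal DER OBJECT IDENTIFIER codec (added example; not OpenSSL code).

Short-form lengths only (content < 128 bytes), which covers every OID
found in practice in CSRs and certificates.
"""


def decode_oid(der: bytes) -> str:
    """Decode one OBJECT IDENTIFIER TLV (tag 0x06) into dotted form.

    Raises ValueError on anything that is not a valid encoding, in
    particular the zero-length content ("06 00") from the thread.
    """
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER TLV")
    length = der[1]
    if length >= 0x80:
        raise ValueError("long-form length not handled in this example")
    content = der[2:2 + length]
    if len(content) != length:
        raise ValueError("truncated OID content")
    if length == 0:
        # An OID with no arcs identifies nothing: invalid object encoding.
        raise ValueError("invalid object encoding: zero-length OID")
    if content[-1] & 0x80:
        raise ValueError("unterminated base-128 sub-identifier")

    # Each sub-identifier is base-128, high bit set on all but the last byte.
    subids, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0

    # The first sub-identifier packs the first two arcs as 40*X + Y.
    first = subids[0]
    if first < 40:
        x, y = 0, first
    elif first < 80:
        x, y = 1, first - 40
    else:
        x, y = 2, first - 80
    return ".".join(str(a) for a in [x, y] + subids[1:])


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER TLV; an OID needs at least two arcs."""
    arcs = [int(a) for a in dotted.split(".")] if dotted else []
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs; an empty OID identifies nothing")
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("first arc must be 0..2; second arc < 40 unless first is 2")

    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    content = bytearray()
    for s in subids:
        chunk = [s & 0x7F]          # last byte has the high bit clear
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        content.extend(reversed(chunk))
    if len(content) >= 0x80:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(content)]) + bytes(content)


def describe(der: bytes) -> str:
    """Mimic asn1parse's output: dotted OID, or BAD OBJECT on a bad encoding."""
    try:
        return decode_oid(der)
    except ValueError:
        return "BAD OBJECT"


if __name__ == "__main__":
    # "06 01 00" is the one-byte OID 0.0 ({ itu-t recommendation }) from the
    # 1.0.1f dump; "06 00" is the zero-length encoding the newer build emits.
    print(describe(bytes.fromhex("060100")))   # 0.0
    print(describe(bytes.fromhex("0600")))     # BAD OBJECT
    # Constructed sample: sha256WithRSAEncryption round-trips cleanly.
    print(decode_oid(encode_oid("1.2.840.113549.1.1.11")))
```

The decoder and asn1parse agree on the two cases in the thread: a one-byte content of 0x00 is a syntactically valid OID (0.0) that merely fails to name a signature algorithm, while a zero-length content has no decoding at all, so an error at parse time is the expected outcome.<br>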
<div class="moz-cite-prefix">On 09/04/2015 14:36, Juan Antonio
Osorio wrote:<br>
</div>
<blockquote
cite="mid:CAG=EsMN9azY-TNPxJ0=49konfYZpTzU6CkKf2h18LfSaa2nz3g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Hi,<br>
<br>
</div>
I've recently encountered that OpenSSL is sending some
unexpected errors when reading X.509 certificate requests,
if the key is not specified, or the CSR is not signed.<br>
<br>
</div>
Now, this seems to happen because it now will specify a
length=0 in the ASN.1 structure since the OID is not set
(since the key is not specified). And I think this behaviour
was introduced in this commit:
2e430277578d3dd586cd005682a54a59d6158146<br>
<br>
</div>
So, when using asn1parse to read such a CSR, the section that
would contain the key has BAD OBJECT, and will throw an error
such as 'invalid object encoding' from 'c2i_ASN1_OBJECT' when
the certificate is read or loaded. It used to be the case that
it would return an OID 0.0 with length=1, but, like I said,
this is not the case anymore.<br>
<br>
</div>
I'm using OpenSSL 1.0.2a.<br>
<div>
<div>
<div>
<div>
<div><br>
</div>
<div>I reproduced this error while testing some code
using pyOpenSSL, and here's how I reproduced it: <a
moz-do-not-send="true"
href="http://pastebin.com/Ky1e8Gz0">http://pastebin.com/Ky1e8Gz0</a><br>
<br>
</div>
<div>the asn1parse dump of the CSR that causes the error
looks like this:<br>
<a moz-do-not-send="true"
href="http://pastebin.com/2EvuaLsk">http://pastebin.com/2EvuaLsk</a><br>
<br>
</div>
<div>While in OpenSSL 1.0.1f (the version where I
tested this problem doesn't happen), it would look
like this:<br>
<a moz-do-not-send="true"
href="http://pastebin.com/0vzu2zzx">http://pastebin.com/0vzu2zzx</a><br>
<br>
</div>
<div>Now, I'm not sure how to actually report this bug,
since I'm not sure if it's a bug related to the way
the CSRs are being interpreted, or a bug related to
how the ASN.1 structure is being written. Any
insights?<br>
<br>
</div>
<div>BR<br>
</div>
<div>-- <br>
<div class="gmail_signature"><font
style="font-family:arial
narrow,sans-serif;color:rgb(102,102,102)">Juan
Antonio Osorio R.<br>
e-mail: <a moz-do-not-send="true"
href="mailto:jaosorior@gmail.com"
target="_blank">jaosorior@gmail.com</a></font><br>
<font style="font-family:arial
narrow,sans-serif;color:rgb(102,102,102)"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
openssl-dev mailing list
To unsubscribe: <a class="moz-txt-link-freetext" href="https://mta.openssl.org/mailman/listinfo/openssl-dev">https://mta.openssl.org/mailman/listinfo/openssl-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>