ASN1_EX_COMBINE in OpenSSL 1.1.1c?

Matt Caswell matt at openssl.org
Tue Aug 27 22:32:55 UTC 2019



On 27/08/2019 17:24, weber at infotech.de wrote:
> Dear users,
> 
> during migration from version 1.0.2s to 1.1.1c we are missing the makro
> ASN1_EX_COMBINE.
> 
> It was used to embed a choice in a sequence as follows:
>> ASN1_CHOICE(X509AT_ATTRIBUTE_SET) = {
>>     ASN1_SET_OF(X509AT_ATTRIBUTE, value.set, ASN1_ANY),
>>     ASN1_SIMPLE(X509AT_ATTRIBUTE, value.single, ASN1_ANY)
>> } ASN1_CHOICE_END_selector(X509AT_ATTRIBUTE, X509AT_ATTRIBUTE_SET, single)
>>
>> ASN1_SEQUENCE(X509AT_ATTRIBUTE) = {
>>     ASN1_SIMPLE(X509AT_ATTRIBUTE, object, ASN1_OBJECT),
>>     /* CHOICE type merged with parent */
>>     ASN1_EX_COMBINE(0, 0, X509AT_ATTRIBUTE_SET)
>> } ASN1_SEQUENCE_END(X509AT_ATTRIBUTE)
> 
> What's the proper substitute in 1.1.1c?

Support for ASN1_EX_COMBINE was removed by commit ee9d76371ae which had this
description:

    Remove combine option from ASN.1 code.

    Remove the combine option. This was used for compatibility with some
    non standard behaviour in ancient versions of OpenSSL: specifically
    the X509_ATTRIBUTE and DSAPublicKey handling. Since these have now
    been revised it is no longer needed.

For your application you might draw some inspiration from commit e20b57270d
which removed the use of this from X509_ATTRIBUTE internally in OpenSSL:

commit e20b57270dece66ce2c68aeb5d14dd6d9f3c5d68
Author:     Dr. Stephen Henson <steve at openssl.org>
AuthorDate: Wed Mar 25 15:08:55 2015 +0000
Commit:     Dr. Stephen Henson <steve at openssl.org>
CommitDate: Wed Mar 25 15:46:54 2015 +0000

    Remove X509_ATTRIBUTE hack.

    The X509_ATTRIBUTE structure includes a hack to tolerate malformed
    attributes that encode as the type instead of SET OF type. This form
    is never created by OpenSSL and shouldn't be needed any more.

    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

You might also look at commit ea6b07b54 which removed it for the DSAPublicKey
handling.

Regards

Matt


More information about the openssl-users mailing list