<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>Dear list,<br>
<br>
I have encountered a behavior difference between the CMS <br>
routines in OpenSSL and the equivalent functionality in <br>
another CMS implementation, and I wonder which is the <br>
correct behavior.<br>
<br>
I was examining a </tt><tt>CMS signature made by someone else and
<br>
found that some implementations accepted it as valid while <br>
others said it was not valid.</tt><tt><br>
</tt><tt><br>
</tt><tt>In this particular CMS signature, the distinguished name <br>
of the certificate issuer is encoded slightly differently <br>
in the certificate and in the PKCS#7 SignerInfo structure.<br>
<br>
Specifically, one element of the name is tagged as a <br>
T61STRING in the actual certificate, but as a UTF8STRING <br>
in the SignerInfo.issuerAndSerialNumber.issuer field. <br>
This name element is actually pure 7-bit printable ASCII <br>
(letters and underscores) in this particular case, so the <br>
two encodings have the same length and the same content-<br>
bytes, only different tag bytes.<br>
<br>
I found that OpenSSL accepts this difference, while at <br>
least one Java version does not.<br>
<br>
So I am wondering what the officially correct behavior is <br>
when verifying such a case. Should the <br>
SignerInfo.issuerAndSerialNumber.issuer be treated as <br>
matching or as not matching a certificate in which an <br>
otherwise identical string is tagged differently but <br>
represents the same textual value (because it uses only <br>
the common subset of the two string encodings)?<br>
</tt>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="http://www.wisemo.com">http://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
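<p>The case described in the message above, as an added example that is not part of the original post and is not the code of OpenSSL or of any Java implementation: two constructed single-RDN issuer names that differ only in the string tag, compared byte-for-byte and by value. The sample name Example_Issuing_CA, the helper names and the by-value rule (ignore the tag only when the content is 7-bit ASCII) are assumptions made for illustration.</p>

```python
# Added illustration: sample names are constructed, not taken from the post.
T61STRING, UTF8STRING = 0x14, 0x0C              # ASN.1 universal tag numbers
STRING_TAGS = {0x0C, 0x13, 0x14}                # UTF8, Printable, T61
OID_CN = bytes([0x06, 0x03, 0x55, 0x04, 0x03])  # DER of OID 2.5.4.3 (commonName)

def tlv(tag, content):
    """DER-encode one TLV, short-form length only (content under 128 bytes)."""
    if len(content) not in range(0x80):
        raise ValueError("long-form lengths not handled in this sketch")
    return bytes([tag, len(content)]) + content

def build_name(string_tag, text):
    """Name with one RDN holding one commonName tagged as string_tag."""
    atv = tlv(0x30, OID_CN + tlv(string_tag, text.encode("ascii")))
    return tlv(0x30, tlv(0x31, atv))

def children(content):
    """Split the content of a constructed value into [(tag, content), ...]."""
    out, pos = [], 0
    while pos != len(content):
        tag, length = content[pos:pos + 2]   # ValueError if the header is cut off
        body = content[pos + 2:pos + 2 + length]
        if length & 0x80 or len(body) != length:
            raise ValueError("long-form or truncated length")
        out.append((tag, body))
        pos += 2 + length
    return out

def attributes(name_der):
    """Name -> list of RDNs, each a list of (oid, string_tag, value_bytes)."""
    [(_, rdns)] = children(name_der)
    return [[(oid, stag, val)
             for (_, oid), (stag, val) in (children(a) for _, a in children(rdn))]
            for _, rdn in children(rdns)]

def match_by_value(a, b):
    """Ignore string tags, but only when every value is 7-bit ASCII."""
    xa, xb = attributes(a), attributes(b)
    flat = [atv for rdn in xa + xb for atv in rdn]
    if any(t not in STRING_TAGS or any(x & 0x80 for x in v) for _, t, v in flat):
        return a == b   # outside the common subset the tag changes the meaning
    strip = lambda name: [[(o, v) for o, _, v in rdn] for rdn in name]
    return strip(xa) == strip(xb)

CERT_ISSUER = build_name(T61STRING, "Example_Issuing_CA")         # certificate
SIGNERINFO_ISSUER = build_name(UTF8STRING, "Example_Issuing_CA")  # SignerInfo

if __name__ == "__main__":
    print("byte-exact:", CERT_ISSUER == SIGNERINFO_ISSUER,
          "by value:", match_by_value(CERT_ISSUER, SIGNERINFO_ISSUER))
```

<p>The two encodings have the same length and differ in a single tag byte, so a verifier that compares the encoded issuer byte-for-byte and one that compares decoded values reach opposite results on the same signature.</p>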
</body>
</html>