[openssl-dev] OID with length zero related bug

Juan Antonio Osorio jaosorior at gmail.com
Thu Apr 9 12:36:05 UTC 2015


Hi,

I've recently encountered that OpenSSL is sending some unexpected errors
when reading X.509 certificate requests, if the key is not specified, or
the CSR is not signed.

Now, this seems to happen because it now will specify a length=0 in the
ASN.1 structure since the OID is not set (since the key is not specified).
And I think this behaviour was introduced in this commit:
2e430277578d3dd586cd005682a54a59d6158146

So, when using asn1parse to read such a CSR, the section that would contain
the key has BAD OBJECT, and will throw an error such as 'invalid object
encoding' from 'c2i_ASN1_OBJECT' when the certificate is read or loaded. It
used to be the case that it would return an OID 0.0 with length=1, but,
like I said, this is not the case anymore.

I'm using OpenSSL 1.0.2a.

I reproduced this error while testing some code using pyOpenSSL, and here's
how I reproduced it: http://pastebin.com/Ky1e8Gz0

The asn1parse dump of the CSR that causes the error looks like this:
http://pastebin.com/2EvuaLsk

While in OpenSSL 1.0.1f (the version where I tested that this problem doesn't
happen), it would look like this:
http://pastebin.com/0vzu2zzx

Now, I'm not sure how to actually report this bug, since I'm not sure if
it's a bug related to the way the CSRs are being interpreted, or a bug
related to how the ASN.1 structure is being written. Any insights?

BR
-- 
Juan Antonio Osorio R.
e-mail: jaosorior at gmail.com
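
The two encodings contrasted in the message above can be told apart without OpenSSL. The following is an added example, not part of the original post or of OpenSSL: a small pure-Python DER walker that reports every OBJECT IDENTIFIER it finds and marks a zero-length one (06 00), which has no subidentifier to decode, as opposed to 06 01 00, which decodes to 0.0. The function names are hypothetical and the byte strings are constructed samples, not the CSRs from the pastebin links.

```python
# Added example; the byte strings at the bottom are constructed samples.
def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-octet tags are not handled here")
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV contents")
    return tag, pos, pos + length

def decode_oid(content):
    """Dotted form of OID contents octets, or a 'BAD OBJECT: ...' marker."""
    if not content:
        return "BAD OBJECT: zero-length contents"
    if content[-1] & 0x80:
        return "BAD OBJECT: last subidentifier unterminated"
    subids, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends a subidentifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)    # first two arcs share one subidentifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def audit_oids(der, pos=0, end=None, found=None):
    """Walk nested TLVs and return [(offset, decoded OID or marker)]."""
    found = [] if found is None else found
    end = len(der) if end is None else end
    while pos < end:
        tag, start, stop = read_tlv(der, pos)
        if tag == 0x06:                # OBJECT IDENTIFIER
            found.append((pos, decode_oid(der[start:stop])))
        elif tag & 0x20:               # constructed: SEQUENCE, SET, [0], ...
            audit_oids(der, start, stop, found)
        pos = stop
    return found

EMPTY_OID_ALG = bytes.fromhex("300406000500")    # SEQUENCE { OID with length 0, NULL }
ZERO_OID_ALG = bytes.fromhex("30050601000500")   # SEQUENCE { OID 0.0 (length 1), NULL }
RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption, NULL
```

Running audit_oids() over the DER bytes of a CSR before handing it to a parser shows at which offset an empty algorithm OID sits.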