[openssl-dev] OID with length zero related bug
Dr. Stephen Henson
steve at openssl.org
Thu Apr 9 13:18:11 UTC 2015
On Thu, Apr 09, 2015, Juan Antonio Osorio wrote:
> Hi,
>
> I've recently encountered that OpenSSL is sending some unexpected errors
> when reading X.509 certificate requests, if the key is not specified, or
> the CSR is not signed.
>
Well if a key is not specified ot the CSR isn't signed then it isn't a valid
CSR and OpenSSl should reject it. Previous versions included a bogus OID when
generating such a CSR which meant it could be parsed (but it was still
invalid).
The encoder should really reject this and refuse to encode it but applications
might not expect an error from the encoder.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-dev
mailing list