[openssl-dev] OID with length zero related bug

Erwann Abalea erwann.abalea at opentrust.com
Thu Apr 9 13:40:07 UTC 2015


This is a corner case, but an interesting one.

An empty OBJECT IDENTIFIER has no meaning, since it can't identify 
anything. Therefore, one shouldn't be able to allocate such a thing, 
even less encode it.

The CSR is of course invalid, but the previous one was also invalid; OID 
0.0 does not identify a signature algorithm (it's the OID { itu-t 
recommendation }).

The decoding step of the "0600" hex sequence correctly produces a "BAD 
OBJECT", since it's an invalid encoding of an OID.
So having an error when decoding such a CSR is a correct behaviour and 
should be expected.

-- 
Erwann ABALEA

On 09/04/2015 14:36, Juan Antonio Osorio wrote:
> Hi,
>
> I've recently encountered that OpenSSL is sending some unexpected 
> errors when reading X.509 certificate requests, if the key is not 
> specified, or the CSR is not signed.
>
> Now, this seems to happen because it now will specify a length=0 in 
> the ASN.1 structure since the OID is not set (since the key is not 
> specified). And I think this behaviour was introduced in this commit: 
> 2e430277578d3dd586cd005682a54a59d6158146
>
> So, when using asn1parse to read such a CSR, the section that would 
> contain the key has BAD OBJECT, and will throw an error such as 
> 'invalid object encoding' from 'c2i_ASN1_OBJECT' when the certificate 
> is read or loaded. It used to be the case that it would return an OID 
> 0.0 with length=1, but, like I said, this is not the case anymore.
>
> I'm using OpenSSL 1.0.2a.
>
> I reproduced this error while testing some code using pyOpenSSL, and 
> here's how I reproduced it: http://pastebin.com/Ky1e8Gz0
>
> The asn1parse dump of the CSR that causes the error looks like this:
> http://pastebin.com/2EvuaLsk
>
> While, in OpenSSL 1.0.1f, (the version where I tested this problem 
> doesn't happen), it would look like this:
> http://pastebin.com/0vzu2zzx
>
> Now, I'm not sure how to actually report this bug, since I'm not sure 
> if it's a bug related to the way the CSRs are being interpreted, or a 
> bug related to how the ASN.1 structure is being written. Any insights?
>
> BR
> -- 
> Juan Antonio Osorio R.
> e-mail: jaosorior at gmail.com
>
>
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
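
The two encodings discussed in this thread, "0600" and OID 0.0 with length 1, run through a small DER OBJECT IDENTIFIER decoder. This is an added example, not code from either poster or from OpenSSL; the function names and sample byte strings are constructed for illustration, and only short-form lengths are handled.

```python
def decode_oid(der: bytes) -> str:
    """Decode one DER OBJECT IDENTIFIER TLV (short-form length) to dotted text."""
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER tag")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    content = der[2:]
    if len(content) != length:
        raise ValueError("length octet does not match content")
    if length == 0:
        # The "0600" case from the thread: no subidentifier at all.
        raise ValueError("zero-length OID content")
    if content[-1] & 0x80:
        raise ValueError("last subidentifier is truncated")
    subids, value, at_start = [], 0, True
    for octet in content:
        if at_start and octet == 0x80:
            raise ValueError("subidentifier has a leading 0x80 pad octet")
        value = (value << 7) | (octet & 0x7F)
        at_start = not (octet & 0x80)  # high bit clear ends the subidentifier
        if at_start:
            subids.append(value)
            value = 0
    # The first subidentifier packs the first two arcs as 40 * arc1 + arc2.
    first = subids[0]
    root = min(first // 40, 2)
    return ".".join(str(n) for n in [root, first - 40 * root] + subids[1:])


def describe(hex_text: str) -> str:
    """Return the dotted OID, or the 'BAD OBJECT' label asn1parse shows."""
    try:
        return decode_oid(bytes.fromhex(hex_text))
    except ValueError:
        return "BAD OBJECT"


# Constructed sample inputs (hex of a single OID TLV each).
SAMPLES = {
    "0600": "empty OID, as in the CSR from the report",
    "060100": "OID 0.0 with length 1, the older behaviour",
    "06092a864886f70d01010b": "sha256WithRSAEncryption, a real signature OID",
}

if __name__ == "__main__":
    for hex_text, note in SAMPLES.items():
        print(f"{hex_text:<24} {describe(hex_text):<24} {note}")
```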
