Encoding of AlgorithmIdentifier with NULL parameters
    Thulasi Goriparthi 
    thulasi.goriparthi at gmail.com
       
    Thu Jan 28 19:07:18 UTC 2021
    
    
  
I am trying to provide a test certificate generated by
openssl-3.0.0-alpha10 to a third party certificate parser/manager. This
software expects AlgorithmIdentifier to either have parameters or to have
null encoded (05 00) parameters which seems to be missing in the
certificate.
Certificate generated by openssl-3.0.0-alpha10
    0:d=0  hl=4 l=1030 cons: SEQUENCE
    4:d=1  hl=4 l= 752 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
   16:d=2  hl=2 l=  11 cons: SEQUENCE
   18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   29:d=2  hl=3 l= 143 cons: SEQUENCE
   32:d=3  hl=2 l=  11 cons: SET
   34:d=4  hl=2 l=   9 cons: SEQUENCE
   36:d=5  hl=2 l=   3 prim: OBJECT            :countryName
Certificate generated by openssl-1.1.1g
    0:d=0  hl=4 l= 988 cons: SEQUENCE
    4:d=1  hl=4 l= 708 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
   16:d=2  hl=2 l=  13 cons: SEQUENCE
   18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   29:d=3  hl=2 l=   0 prim: NULL
   31:d=2  hl=3 l= 143 cons: SEQUENCE
   34:d=3  hl=2 l=  11 cons: SET
   36:d=4  hl=2 l=   9 cons: SEQUENCE
   38:d=5  hl=2 l=   3 prim: OBJECT            :countryName
From https://tools.ietf.org/html/rfc5280#section-4.1.1.2, it isn't clear if
NULL parameters can be completely omitted or if it should still have NULL
encoding.
Is this too stringent a check in the third-party s/w or a miss in
openssl-3.0.0-alpha10?
Thanks,
Thulasi.