Encoding of AlgorithmIdentifier with NULL parameters

Jakob Bohm jb-openssl at wisemo.com
Fri Jan 29 02:09:32 UTC 2021


Also note that the official ASN.1 declaration for
AlgorithmIdentifier (from X.509 (2012), section 7.2) marks
the parameters field as OPTIONAL, so parsers really should
accept its absence.

However, if broken parsers are common (this thread
only found one such parser), maybe it would be
good practice to include the NULL value for compatibility.

AlgorithmIdentifier{ALGORITHM:SupportedAlgorithms} ::= SEQUENCE {
     algorithm ALGORITHM.&id({SupportedAlgorithms}),
     parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL,
... }

On 2021-01-28 20:07, Thulasi Goriparthi wrote:
> I am trying to provide a test certificate generated by 
> openssl-3.0.0-alpha10 to a third party certificate parser/manager. 
> This software expects AlgorithmIdentifier to either have parameters or 
> to have null encoded (05 00) parameters which seems to be missing in 
> the certificate.
>
> Certificate generated by openssl-3.0.0-alpha10
>
>     0:d=0  hl=4 l=1030 cons: SEQUENCE
>     4:d=1  hl=4 l= 752 cons: SEQUENCE
>     8:d=2  hl=2 l=   3 cons: cont [ 0 ]
>    10:d=3  hl=2 l=   1 prim: INTEGER           :02
>    13:d=2  hl=2 l=   1 prim: INTEGER           :01
>    16:d=2  hl=2 l=  11 cons: SEQUENCE
>    18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
>    29:d=2  hl=3 l= 143 cons: SEQUENCE
>    32:d=3  hl=2 l=  11 cons: SET
>    34:d=4  hl=2 l=   9 cons: SEQUENCE
>    36:d=5  hl=2 l=   3 prim: OBJECT            :countryName
>
>
> Certificate generated by openssl-1.1.1g
>
>     0:d=0  hl=4 l= 988 cons: SEQUENCE
>     4:d=1  hl=4 l= 708 cons: SEQUENCE
>     8:d=2  hl=2 l=   3 cons: cont [ 0 ]
>    10:d=3  hl=2 l=   1 prim: INTEGER           :02
>    13:d=2  hl=2 l=   1 prim: INTEGER           :01
>    16:d=2  hl=2 l=  13 cons: SEQUENCE
>    18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
>    29:d=3  hl=2 l=   0 prim: NULL
>    31:d=2  hl=3 l= 143 cons: SEQUENCE
>    34:d=3  hl=2 l=  11 cons: SET
>    36:d=4  hl=2 l=   9 cons: SEQUENCE
>    38:d=5  hl=2 l=   3 prim: OBJECT            :countryName
>
>
> From https://tools.ietf.org/html/rfc5280#section-4.1.1.2, it isn't 
> clear if NULL parameters can be completely omitted or if they should 
> still have a NULL encoding.
>
> Is this too stringent a check in the third-party s/w or a miss in 
> openssl-3.0.0-alpha10?
>
> Thanks,
> Thulasi.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
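The lenient parse described above (parameters OPTIONAL, an explicit NULL accepted for compatibility), as an added example that is not part of the original post or of OpenSSL: a minimal DER reader that decodes an AlgorithmIdentifier and treats the bare form and the NULL form alike. The two byte strings are constructed to match the 11-byte and 13-byte SEQUENCEs in the asn1parse dumps; the function names are my own.

```python
# Added example, not from the original post: a minimal DER reader that decodes an
# AlgorithmIdentifier and treats absent `parameters` and explicit NULL (05 00) alike.

SHA256_RSA_OID = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
# Constructed to match the two dumps: 11 content bytes (OpenSSL 3.0, bare)
# and 13 content bytes (OpenSSL 1.1.1, explicit NULL).
ALG_ID_BARE = bytes.fromhex("300b06092a864886f70d01010b")
ALG_ID_NULL = bytes.fromhex("300d06092a864886f70d01010b0500")

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos:]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (hl=4 in the dumps)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, value = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def parse_algorithm_identifier(der):
    """Return (oid, params): None when OPTIONAL parameters are absent, else (tag, content)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid_bytes, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    if pos == len(body):                    # parameters omitted: allowed by OPTIONAL
        return _decode_oid(oid_bytes), None
    tag, params, pos = _read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing element inside AlgorithmIdentifier")
    if tag == 0x05 and params:
        raise ValueError("NULL must have zero length")
    return _decode_oid(oid_bytes), (tag, params)

def has_null_or_absent_params(der):
    """Lenient compatibility check: True for both the bare and the NULL form."""
    _, params = parse_algorithm_identifier(der)
    return params is None or params == (0x05, b"")
```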
