<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">RFC 4055 says:</div><div class=""><br class=""></div><div class=""> The object identifier used to identify the PKCS #1 version 1.5</div><div class=""> signature algorithm with SHA-224 is:</div><div class=""><br class=""></div><div class=""> sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 }</div><div class=""><br class=""></div><div class=""> The object identifier used to identify the PKCS #1 version 1.5</div><div class=""> signature algorithm with SHA-256 is:</div><div class=""><br class=""></div><div class=""> sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }</div><div class=""><br class=""></div><div class=""> The object identifier used to identify the PKCS #1 version 1.5</div><div class=""> signature algorithm with SHA-384 is:</div><div class=""><br class=""></div><div class=""> sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }</div><div class=""><br class=""></div><div class=""> The object identifier used to identify the PKCS #1 version 1.5</div><div class=""> signature algorithm with SHA-512 is:</div><div class=""><br class=""></div><div class=""> sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }</div><div class=""><br class=""></div><div class=""> When any of these four object identifiers appears within an</div><div class=""> AlgorithmIdentifier, the parameters MUST be NULL. Implementations</div><div class=""> MUST accept the parameters being absent as well as present.</div><div class=""><br class=""></div><div class="">So, when generating the certificate, the NULL ought to be there.</div><div class=""><br class=""></div><div class="">Also, when validating, the code should be forgiving about it not being there.</div><div class=""><br class=""></div><div class="">Russ</div><div class=""><br class=""></div><div><br class=""><blockquote type="cite" class=""><div class="">On Jan 28, 2021, at 2:07 PM, Thulasi Goriparthi <<a href="mailto:thulasi.goriparthi@gmail.com" class="">thulasi.goriparthi@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><font face="monospace" class="">I am trying to provide a test certificate generated by openssl-3.0.0-alpha10 to a third party certificate parser/manager. This software expects AlgorithmIdentifier to either have parameters or to have null encoded (05 00) parameters which seems to be missing in the certificate.</font><div class=""><font face="monospace" class=""><br class=""></font></div><div class=""><font face="monospace" class="">Certificate generated by openssl-3.0.0-alpha10</font></div><div class=""><font face="monospace" class=""><br class=""></font></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 0:d=0 hl=4 l=1030 cons: SEQUENCE </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 4:d=1 hl=4 l= 752 cons: SEQUENCE </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 8:d=2 hl=2 l= 3 cons: cont [ 0 ] </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 10:d=3 hl=2 l= 1 prim: INTEGER :02</font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 13:d=2 hl=2 l= 1 prim: INTEGER :01</font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><b class=""><font face="monospace" class=""> 16:d=2 hl=2 l= 11 cons: SEQUENCE </font></b></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><b class=""><font face="monospace" class=""> 18:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption</font></b></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""><b class=""> 29:d=2 hl=3 l= 143 cons: </b>SEQUENCE </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 32:d=3 hl=2 l= 11 cons: SET </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 34:d=4 hl=2 l= 9 cons: SEQUENCE </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 36:d=5 hl=2 l= 3 prim: OBJECT :countryName</font></span></div></div><div class=""><font face="monospace" class=""><br class=""></font></div><div class=""><font face="monospace" class="">Certificate generated by openssl-1.1.1g</font></div><div class=""><font face="monospace" class=""><br class=""></font></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 0:d=0 hl=4 l= 988 cons: SEQUENCE </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 4:d=1 hl=4 l= 708 cons: SEQUENCE </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 8:d=2 hl=2 l= 3 cons: cont [ 0 ] </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 10:d=3 hl=2 l= 1 prim: INTEGER :02</font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 13:d=2 hl=2 l= 1 prim: INTEGER :01</font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><b class=""><font face="monospace" class=""> 16:d=2 hl=2 l= 13 cons: SEQUENCE </font></b></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><b class=""><font face="monospace" class=""> 18:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption</font></b></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""><b class=""> 29:d=3 hl=2 l= 0 prim: NULL </b> </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 31:d=2 hl=3 l= 143 cons: SEQUENCE </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 34:d=3 hl=2 l= 11 cons: SET </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 36:d=4 hl=2 l= 9 cons: SEQUENCE </font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal;" class=""><span style="font-variant-ligatures:no-common-ligatures" class=""><font face="monospace" class=""> 38:d=5 hl=2 l= 3 prim: OBJECT :countryName</font></span></div><div class=""><font face="monospace" class=""><br class=""></font></div><div class=""><font face="monospace" class="">From <a href="https://tools.ietf.org/html/rfc5280#section-4.1.1.2" class="">https://tools.ietf.org/html/rfc5280#section-4.1.1.2</a>, It isn't clear if NULL parameters can be completely omitted or if it should still have NULL encoding.</font></div><div class=""><font face="monospace" class=""><br class=""></font></div><div class=""><font face="monospace" class="">Is this a too stringent check in the third-party s/w or a miss in openss-3.0.0-alpha10?</font></div><div class=""><font face="monospace" class=""><br class=""></font></div><div class=""><font face="monospace" class="">Thanks,</font></div><div class=""><font face="monospace" class="">Thulasi.</font></div></div></div></div></div></div></div>
</div></blockquote></div><br class=""></body></html>