Hi all!
I have performed some tests with the comp match module (yes, it runs if
you work around ITS 6556 ;-)).

The result is that the comp match module only works with very simple
X509 certs that use old algorithms!

For example, if you use X509 certificates with long serial numbers, the
snacc-generated ASN.1 parser (contained in file certificate.c) fails
decoding the serial number.

Another drawback: the attributes in Name components subject and issuer
(cn, c, o, ou) have to be PrintableStrings; if, for example, there is a
UTF8String present in the issuer, the ASN.1 parser fails decoding the
issuer.

All modern algorithms (sha256WithRSA, sha512WithRSA) are not recognized
by the parser; if your X509 certificate is signed with sha256WithRSA, the
ASN.1 parser fails decoding the AlgorithmIdentifier.

In modern times these drawbacks aren't acceptable. Another appropriate
ASN.1 module for the X509 certificate structure has to be compiled with
the openldap esnacc compiler. I would have done this, but the openldap
esnacc fails parsing its own modules!!!

See something like this:


openl...@ocsp-openldap24:~/Certificate>
~/openldap-snacc-2.3.6/compiler/esnacc  -E BER_COMP -E GSER -t -d -f  -I
/home/openldap/openldap-snacc-2.3.6/asn1specs -I . Certificate.asn1 

/home/openldap/openldap-snacc-2.3.6/asn1specs/asn1module.asn1(91) :
parse error at symbol ""OID""

Parsing errors---cannot proceed


The code in the ASN.1 module (line numbers as in asn1module.asn1):


88 ModuleId ::= SEQUENCE
89 {
90     name MyString,
91     oid  OBJECT IDENTIFIER OPTIONAL --snacc cTypeName:"OID" isPtr:"TRUE"
92 }
93


Does anybody know how the esnacc error can be avoided?

Regards,

Hartmut
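As an added example (not code from Hartmut's post, from OpenLDAP, or from snacc), the following stand-alone DER walker checks a certificate for the three features the post says the generated parser cannot decode: a long serial number, UTF8String attribute values in the issuer or subject Name, and a sha256WithRSA/sha512WithRSA AlgorithmIdentifier. It builds its own constructed, abbreviated sample certificates rather than reading real ones, so it runs offline. Two things are assumptions, not facts from the post: the 8-byte serial threshold (the size of a C long, a plausible limit for a generated integer type) and the set of "modern" signature OIDs, which is simply the two algorithms the post names.

```python
# Added example: minimal DER decoder/encoder to audit X509 certificates for
# the features the comp match module's snacc-generated parser trips over.
# Not part of OpenLDAP or snacc; sample certificates below are constructed.

TAG_INTEGER, TAG_BITSTRING, TAG_OID = 0x02, 0x03, 0x06
TAG_UTF8STRING, TAG_PRINTABLESTRING, TAG_UTCTIME = 0x0C, 0x13, 0x17
TAG_SEQUENCE, TAG_SET, TAG_CTX0 = 0x30, 0x31, 0xA0

SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# Assumption: the algorithms the post reports as unrecognized.
MODERN_SIG_OIDS = {"1.2.840.113549.1.1.11", "1.2.840.113549.1.1.13"}
# Assumption: serial numbers wider than a C long count as "long".
LONG_SERIAL_BYTES = 8


def der_tlv(tag, content):
    """Encode one definite-length DER TLV (long-form length when > 127)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(TAG_OID, bytes(body))


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes back to dotted form."""
    arcs, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Yield (tag, content) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def value_tags(name_content):
    """Collect the string tags used for attribute values in a Name."""
    tags = set()
    for _, rdn in children(name_content):          # RDN SETs
        for _, atv in children(rdn):               # AttributeTypeAndValue
            tags.add(list(children(atv))[1][0])    # tag of the value
    return tags


def check_cert(der):
    """Report the features the post says the snacc parser cannot decode."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    f = list(children(tbs))
    i = 1 if f[0][0] == TAG_CTX0 else 0            # skip [0] EXPLICIT version
    serial, sig_alg, issuer, subject = f[i][1], f[i + 1][1], f[i + 2][1], f[i + 4][1]
    alg_oid = decode_oid(next(children(sig_alg))[1])
    return {
        "serial_bytes": len(serial),
        "long_serial": len(serial) > LONG_SERIAL_BYTES,
        "signature_algorithm": SIG_OIDS.get(alg_oid, alg_oid),
        "modern_signature": alg_oid in MODERN_SIG_OIDS,
        "issuer_utf8": TAG_UTF8STRING in value_tags(issuer),
        "subject_utf8": TAG_UTF8STRING in value_tags(subject),
    }


def _attr(oid, tag, value):
    return der_tlv(TAG_SET, der_tlv(TAG_SEQUENCE, der_oid(oid) + der_tlv(tag, value)))


def _alg(oid):
    return der_tlv(TAG_SEQUENCE, der_oid(oid) + b"\x05\x00")   # NULL params


def build_cert(serial, sig_oid, issuer_cn_tag, subject_cn_tag):
    """Constructed sample certificate with an abbreviated TBSCertificate."""
    version = der_tlv(TAG_CTX0, der_tlv(TAG_INTEGER, b"\x02"))
    issuer = der_tlv(TAG_SEQUENCE, _attr("2.5.4.3", issuer_cn_tag, b"Example CA")
                     + _attr("2.5.4.6", TAG_PRINTABLESTRING, b"DE"))
    validity = der_tlv(TAG_SEQUENCE, der_tlv(TAG_UTCTIME, b"240101000000Z")
                       + der_tlv(TAG_UTCTIME, b"250101000000Z"))
    subject = der_tlv(TAG_SEQUENCE, _attr("2.5.4.3", subject_cn_tag, b"ldap.example.com"))
    spki = der_tlv(TAG_SEQUENCE, _alg("1.2.840.113549.1.1.1") + der_tlv(TAG_BITSTRING, b"\x00" * 9))
    tbs = der_tlv(TAG_SEQUENCE, version + der_tlv(TAG_INTEGER, serial) + _alg(sig_oid)
                  + issuer + validity + subject + spki)
    return der_tlv(TAG_SEQUENCE, tbs + _alg(sig_oid) + der_tlv(TAG_BITSTRING, b"\x00" * 9))


def modern_cert():
    """20-byte serial, sha256WithRSA, UTF8String issuer CN (constructed)."""
    return build_cert(bytes(range(1, 21)), "1.2.840.113549.1.1.11", TAG_UTF8STRING, TAG_PRINTABLESTRING)


def legacy_cert():
    """1-byte serial, sha1WithRSA, PrintableString everywhere (constructed)."""
    return build_cert(b"\x01", "1.2.840.113549.1.1.5", TAG_PRINTABLESTRING, TAG_PRINTABLESTRING)


if __name__ == "__main__":
    for label, der in ("modern", modern_cert()), ("legacy", legacy_cert()):
        print(label, check_cert(der))
```

Run against a real certificate by replacing the constructed input with the DER bytes of the file (for example the output of `openssl x509 -outform DER`); any finding set to True identifies a certificate the post's component matching setup would fail to decode.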
