Hello. I've discovered that openssl (at least 0.9.8j and 0.9.8i) fails to parse a certificate if it has PostalCode encoded as NumericString (and this is an allowed thing according to RFC3280).
The error log reads as follows:
{{{
unable to load certificate
3664:error:0D07808C:asn1 encoding routines:ASN1_ITEM_EX_D2I:mstring wrong tag:.\crypto\asn1\tasn_dec.c:228:Type=ASN1_PRINTABLE
3664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:750:Field=value, Type=X509_NAME_ENTRY
3664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:711:
3664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:711:
3664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:750:Field=subject, Type=X509_CINF
3664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:750:Field=cert_info, Type=X509
}}}
(The given log was created by MSVC-compiled openssl 0.9.8i.)

As far as I was able to understand, OpenSSL expects a stack of X509_NAME_ENTRY in the certificate 'subject' field. And X509_NAME_ENTRY is expected to have a 'value' field of type ASN1_STRING that is expected to be at least (I seem to recall that there is some kind of set of allowed types, but I fail to recall where I've seen them, so it might be one and only) ASN1_PRINTABLE.

I suggest fixing this crash by defining B_ASN1_NUMERICSTRING as a subset of B_ASN1_PRINTABLESTRING (numbers are printable, aren't they?). My fix looks like:
@@ -131,8 +131,8 @@ #define V_ASN1_BMPSTRING 30 /* For use with d2i_ASN1_type_bytes() */ -#define B_ASN1_NUMERICSTRING 0x0001 #define B_ASN1_PRINTABLESTRING 0x0002 +#define B_ASN1_NUMERICSTRING 0x0001 | B_ASN1_PRINTABLESTRING /* Numeric string IS printable */ #define B_ASN1_T61STRING 0x0004 #define B_ASN1_TELETEXSTRING 0x0004 #define B_ASN1_VIDEOTEXSTRING 0x0008 (This is for openssl 0.9.8j code of ./crypto/asn1/asn1.h). I've attached patch file containing same changes (as bonus it removes any spaces at ends of lines [my default vim setting, sorry if it isn't good]). Thank you.
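Review bot: The new `#define B_ASN1_NUMERICSTRING 0x0001 | B_ASN1_PRINTABLESTRING` has no parentheses around its replacement text, so an expression such as `mask & B_ASN1_NUMERICSTRING` expands to `(mask & 0x0001) | 0x0002` and is always non-zero; at minimum it should read `(0x0001 | B_ASN1_PRINTABLESTRING)`. Even when parenthesized, the constant stops being a single bit (it becomes 0x0003), so any code that uses it to tell NumericString apart from PrintableString no longer can. Since the log fails at Type=ASN1_PRINTABLE, a narrower change would be to leave both bit values as they are and add the NumericString bit to the set of types that ASN1_PRINTABLE accepts. The trailing-whitespace cleanup mentioned for the attached patch would be easier to review if it were sent separately from the functional change.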
numericstring_fix.patch
Description: Binary data
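A simplified model of the multi-string tag check that the error log points to, as an added example (not OpenSSL's code and not part of the original report): it walks a DER-encoded Name and returns the first attribute value whose string type is outside an accepted bit mask. The function names, the `BIT_UTF8` value, the two masks, the short-form-length limitation and the sample Name are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* BIT_NUMERIC and BIT_PRINTABLE use the values from the quoted asn1.h hunk;
   BIT_UTF8 and both masks are constructed for this model. */
enum { BIT_NUMERIC = 0x0001, BIT_PRINTABLE = 0x0002, BIT_UTF8 = 0x2000 };
#define MASK_STRICT  (BIT_PRINTABLE | BIT_UTF8)    /* NumericString rejected */
#define MASK_NUMERIC (MASK_STRICT | BIT_NUMERIC)   /* NumericString accepted */

/* Constructed sample Name: C=US (PrintableString), postalCode=12345 (NumericString). */
static const unsigned char SAMPLE_NAME[] = {
    0x30, 0x1D,
    0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 'U', 'S',
    0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x11,
    0x12, 0x05, '1', '2', '3', '4', '5' };

/* Map a universal string tag to its mask bit (0 = not a string type modelled here). */
static unsigned long tag2bit(int tag) {
    return tag == 0x12 ? BIT_NUMERIC : tag == 0x13 ? BIT_PRINTABLE : tag == 0x0C ? BIT_UTF8 : 0;
}

/* Read a TLV header with a short-form length; returns 0 if truncated or long-form. */
static int tlv(const unsigned char *p, size_t n, int *tag, size_t *len) {
    if (n < 2 || (p[1] & 0x80) || p[1] > n - 2) return 0;
    *tag = p[0]; *len = p[1];
    return 1;
}

/* Returns 0 if every value's type is in mask, the first rejected tag, or -1 if malformed. */
int first_rejected_tag(const unsigned char *der, size_t n, unsigned long mask) {
    int tag; size_t len, l;
    if (!tlv(der, n, &tag, &len) || tag != 0x30) return -1;                 /* Name */
    const unsigned char *p = der + 2, *end = p + len;
    while (p < end) {
        if (!tlv(p, end - p, &tag, &len) || tag != 0x31) return -1;         /* RDN SET */
        const unsigned char *q = p + 2, *rdn_end = q + len;
        while (q < rdn_end) {
            if (!tlv(q, rdn_end - q, &tag, &len) || tag != 0x30) return -1; /* type+value */
            const unsigned char *a = q + 2, *atv_end = a + len;
            if (!tlv(a, atv_end - a, &tag, &l) || tag != 0x06) return -1;   /* OID */
            a += 2 + l;
            if (!tlv(a, atv_end - a, &tag, &l)) return -1;                  /* value */
            if (!(tag2bit(tag) & mask)) return tag;   /* the "wrong tag" case */
            q = atv_end;
        }
        p = rdn_end;
    }
    return 0;
}

int main(void) {
    printf("strict: 0x%02x\n", (unsigned)first_rejected_tag(SAMPLE_NAME, sizeof SAMPLE_NAME, MASK_STRICT));
    return 0;
}
```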