On Tue, Jan 27, 2009, Ilya O. wrote:

> Hello.
> 
> I've discovered that openssl (at least 0.9.8j and 0.9.8i) fails to
> parse a certificate if it has PostalCode encoded as NumericString (and
> this is an allowed thing according to RFC3280).
> 
> The error log reads as follows
> {{{
> unable to load certificate
> 3664:error:0D07808C:asn1 encoding routines:ASN1_ITEM_EX_D2I:mstring
> wrong tag:.\crypto\asn1\tasn_dec.c:228:Type=ASN1_PRINTABLE
> 3664:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> error:.\crypto\asn1\tasn_dec.c:750:Field=value, Type=X509_NAME_ENTRY
> 3664:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> error:.\crypto\asn1\tasn_dec.c:711:
> 3664:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> error:.\crypto\asn1\tasn_dec.c:711:
> 3664:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> error:.\crypto\asn1\tasn_dec.c:750:Field=subject, Type=X509_CINF
> 3664:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> error:.\crypto\asn1\tasn_dec.c:750:Field=cert_info, Type=X509
> }}}
> 
> (Given log was created by MSVC-compiled openssl 0.9.8i);
> 
> As far as I was able to understand, OpenSSL expects a stack of
> X509_NAME_ENTRY in the certificate 'subject' field.
> And X509_NAME_ENTRY is expected to have a 'value' field of type
> ASN1_STRING that is expected to be at least (I seem to recall that
> there is some kind of set of allowed types, but I fail to recall where
> I've seen them, so it might be one and only) ASN1_PRINTABLE.
> 
> I suggest fixing this crash by defining B_ASN1_NUMERICSTRING as a subset
> of B_ASN1_PRINTABLESTRING (numbers are printable, aren't they?).
> My fix looks like
> 
> @@ -131,8 +131,8 @@
>  #define V_ASN1_BMPSTRING             30
> 
>  /* For use with d2i_ASN1_type_bytes() */
> -#define B_ASN1_NUMERICSTRING 0x0001
>  #define B_ASN1_PRINTABLESTRING       0x0002
> +#define B_ASN1_NUMERICSTRING 0x0001 | B_ASN1_PRINTABLESTRING /*
> Numeric string IS printable */
>  #define B_ASN1_T61STRING     0x0004
>  #define B_ASN1_TELETEXSTRING 0x0004
>  #define B_ASN1_VIDEOTEXSTRING        0x0008
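Review bot: the replacement `#define B_ASN1_NUMERICSTRING 0x0001 | B_ASN1_PRINTABLESTRING` is an unparenthesised expression macro, and since `&` binds tighter than `|`, any existing test of the form `B_ASN1_NUMERICSTRING & mask` expands to `0x0001 | (B_ASN1_PRINTABLESTRING & mask)` and is never zero; at minimum it needs to be `(0x0001 | B_ASN1_PRINTABLESTRING)`. The deeper problem is that the B_ASN1_* constants are single bits of a type mask shared by every caller, so turning one of them into two bits changes what "NumericString" means everywhere, not just for PostalCode; the reply's suggestion of a per-attribute entry in the crypto/asn1/a_strnid.c tables keeps the fix local to that attribute. Also, the `+` line has been wrapped by the mailer (the comment spills onto the next line), so the hunk as quoted will not apply cleanly.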
> 
> 
> (This is for openssl 0.9.8j code of ./crypto/asn1/asn1.h).
> 
> I've attached a patch file containing the same changes (as a bonus it
> removes any spaces at ends of lines [my default vim setting, sorry if
> it isn't good]).
> 

Do you have a sample certificate using that other string type?

The correct solution is to add an entry to the internal tables in
crypto/asn1/a_strnid.c; the default for unspecified types is a DirectoryString,
which isn't appropriate here.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
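The table-driven tag check that the reply points to, and the precedence hazard in the proposed macro, modelled here as an added C example (not OpenSSL's own code). The V_ASN1_* tag numbers and B_ASN1_* bits mirror the 0.9.8 asn1.h values; the NID numbers and the table contents are illustrative assumptions.

```c
#include <stddef.h>
/* Tag numbers and type bits modelled on OpenSSL 0.9.8 asn1.h (V_ASN1_* / B_ASN1_*). */
#define V_ASN1_UTF8STRING      12
#define V_ASN1_NUMERICSTRING   18
#define V_ASN1_PRINTABLESTRING 19
#define V_ASN1_T61STRING       20
#define V_ASN1_BMPSTRING       30
#define B_ASN1_NUMERICSTRING   0x0001
#define B_ASN1_PRINTABLESTRING 0x0002
#define B_ASN1_T61STRING       0x0004
#define B_ASN1_BMPSTRING       0x0800
#define B_ASN1_UTF8STRING      0x2000
/* DirectoryString: the default mask for attributes with no table entry. */
#define DIRSTRING_TYPE (B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_BMPSTRING | B_ASN1_UTF8STRING)
/* Illustrative attribute ids (stand-ins for OpenSSL NIDs, assumed values). */
enum { NID_commonName = 13, NID_postalCode = 661 };
struct str_entry { int nid; unsigned long mask; };
/* Per-attribute table in the style of a_strnid.c: postalCode additionally accepts NumericString. */
static const struct str_entry string_table[] = {
    { NID_postalCode, DIRSTRING_TYPE | B_ASN1_NUMERICSTRING },
};

/* Map a DER universal tag to its B_ASN1_* bit; unknown tags get no bit. */
static unsigned long tag2bit(int tag) {
    switch (tag) {
    case V_ASN1_NUMERICSTRING:   return B_ASN1_NUMERICSTRING;
    case V_ASN1_PRINTABLESTRING: return B_ASN1_PRINTABLESTRING;
    case V_ASN1_T61STRING:       return B_ASN1_T61STRING;
    case V_ASN1_BMPSTRING:       return B_ASN1_BMPSTRING;
    case V_ASN1_UTF8STRING:      return B_ASN1_UTF8STRING;
    default:                     return 0;
    }
}

/* Table lookup; attributes without an entry fall back to DirectoryString. */
static unsigned long allowed_mask(int nid) {
    size_t i;
    for (i = 0; i < sizeof(string_table) / sizeof(string_table[0]); i++)
        if (string_table[i].nid == nid) return string_table[i].mask;
    return DIRSTRING_TYPE;
}

/* 1 if a value with this DER tag is acceptable for the attribute, 0 for "wrong tag". */
int tag_allowed(int nid, int tag) { return (tag2bit(tag) & allowed_mask(nid)) != 0; }

/* The patch's unparenthesised macro: & binds tighter than |, so this test is never 0. */
#define PROPOSED_NUMERICSTRING 0x0001 | B_ASN1_PRINTABLESTRING
int proposed_macro_matches(unsigned long mask) { return (PROPOSED_NUMERICSTRING & mask) != 0; }
/* Same definition with parentheses: the test now depends on the mask as intended. */
#define FIXED_NUMERICSTRING (0x0001 | B_ASN1_PRINTABLESTRING)
int fixed_macro_matches(unsigned long mask) { return (FIXED_NUMERICSTRING & mask) != 0; }
```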