On Wed, Jan 28, 2009, Dr. Stephen Henson wrote:
> On Tue, Jan 27, 2009, Ilya O. wrote:
>
> > Hello.
> >
> > I've discovered that openssl (at least 0.9.8j and 0.9.8i) fails to
> > parse a certificate if it has PostalCode encoded as NumericString (and
> > this is an allowed thing according to RFC3280).
> >
> > The error log reads as follows
> > {{{
> > unable to load certificate
> > 3664:error:0D07808C:asn1 encoding routines:ASN1_ITEM_EX_D2I:mstring wrong tag:.\crypto\asn1\tasn_dec.c:228:Type=ASN1_PRINTABLE
> > 3664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:750:Field=value, Type=X509_NAME_ENTRY
> > 3664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:711:
> > 3664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:711:
> > 3664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:750:Field=subject, Type=X509_CINF
> > 3664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:750:Field=cert_info, Type=X509
> > }}}
> >
> > (Given log was created by MSVC-compiled openssl 0.9.8i);
> >
> > As far as I was able to understand, Openssl expects a stack of
> > X509_NAME_ENTRY in the certificate 'subject' field.
> > And X509_NAME_ENTRY is expected to have a 'value' field of a type
> > ASN1_STRING that is expected to be at least (I seem to recall that
> > there is some kind of set of allowed types, but I fail to recall where
> > I've seen them, so it might be one and only) ASN1_PRINTABLE.
> >
> > I suggest fixing this crash by defining B_ASN1_NUMERICSTRING as a subset
> > of B_ASN1_PRINTABLESTRING (numbers are printable, aren't they?).
> > My fix looks like
> >
> > @@ -131,8 +131,8 @@
> > #define V_ASN1_BMPSTRING 30
> >
> > /* For use with d2i_ASN1_type_bytes() */
> > -#define B_ASN1_NUMERICSTRING 0x0001
> > #define B_ASN1_PRINTABLESTRING 0x0002
> > +#define B_ASN1_NUMERICSTRING 0x0001 | B_ASN1_PRINTABLESTRING /*
> > Numeric string IS printable */
> > #define B_ASN1_T61STRING 0x0004
> > #define B_ASN1_TELETEXSTRING 0x0004
> > #define B_ASN1_VIDEOTEXSTRING 0x0008
> >
> > (This is for openssl 0.9.8j code of ./crypto/asn1/asn1.h).
> >
> > I've attached a patch file containing the same changes (as a bonus it removes
> > any spaces at the ends of lines [my default vim setting, sorry if it isn't
> > good]).
> >
>
> Do you have a sample certificate using that other string type?
>
> The correct solution is to add an entry to the internal tables in
> crypto/asn1/a_strnid.c; the default for unspecified types is a DirectoryString,
> which isn't appropriate here.
>
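Review bot: the replacement `#define B_ASN1_NUMERICSTRING 0x0001 | B_ASN1_PRINTABLESTRING` in the hunk is an unparenthesised expression, so a use such as `mask & B_ASN1_NUMERICSTRING` expands to `mask & 0x0001 | B_ASN1_PRINTABLESTRING`, and because `&` binds tighter than `|` that evaluates as `(mask & 0x0001) | 0x0002`, which is never zero; at minimum it would need to be `(0x0001 | B_ASN1_PRINTABLESTRING)`. The deeper problem is that the B_ASN1_* values are a one-bit-per-type set consumed by the string tables in crypto/asn1/a_strnid.c, so giving NUMERICSTRING both bits makes it indistinguishable from PRINTABLESTRING wherever those bits are tested; keep `#define B_ASN1_NUMERICSTRING 0x0001` as it was and instead OR that bit into the composite B_ASN1_PRINTABLE mask (plus the a_strnid.c table entry), which is the fix the maintainer describes in the replies.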
Well, now I think of it, that isn't actually sufficient. You need to add
B_ASN1_NUMERICSTRING to the OR-ed values for B_ASN1_PRINTABLE in
crypto/asn1/asn1.h too.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
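A small model of the check behind the "mstring wrong tag" error in the thread, added here as an example and not OpenSSL's code: the decoder reads the tag of the value inside an AttributeTypeAndValue and accepts it only if that type's B_ASN1_* bit is present in the permitted mask, which is why a NumericString PostalCode fails until NUMERICSTRING is OR-ed into the mask. The V_ASN1_*/B_ASN1_* constants follow asn1.h as quoted above; PRINTABLE_MASK_OLD, PRINTABLE_MASK_FIXED, read_tlv, check_atv_value and the DER samples are constructed for this example and simplify what tasn_dec.c and a_strnid.c actually do.

```c
#include <stddef.h>

/* Universal tag numbers (V_ASN1_*) and the one-bit-per-type B_ASN1_* values from the thread */
#define V_ASN1_OBJECT 6
#define V_ASN1_SEQUENCE 16
#define V_ASN1_NUMERICSTRING 18
#define V_ASN1_PRINTABLESTRING 19
#define V_ASN1_T61STRING 20
#define B_ASN1_NUMERICSTRING 0x0001
#define B_ASN1_PRINTABLESTRING 0x0002
#define B_ASN1_T61STRING 0x0004
/* Model of the multi-string mask before/after the fix; the real B_ASN1_PRINTABLE
 * ORs in more types, omitted here (assumption made for this example). */
#define PRINTABLE_MASK_OLD   (B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING)
#define PRINTABLE_MASK_FIXED (PRINTABLE_MASK_OLD | B_ASN1_NUMERICSTRING)

static unsigned long tag_to_mask(int tag)
{
    if (tag == V_ASN1_NUMERICSTRING)   return B_ASN1_NUMERICSTRING;
    if (tag == V_ASN1_PRINTABLESTRING) return B_ASN1_PRINTABLESTRING;
    if (tag == V_ASN1_T61STRING)       return B_ASN1_T61STRING;
    return 0; /* string type not modelled here */
}

/* Read one short-form TLV header; tag number only (class/constructed bits
 * stripped). NULL if truncated or if the length is long-form. */
static const unsigned char *read_tlv(const unsigned char *p, const unsigned char *end,
                                     int *tag, size_t *len)
{
    if (end - p < 2 || (p[1] & 0x80)) return NULL;
    *tag = p[0] & 0x1f; *len = p[1];
    return ((size_t)(end - p - 2) < *len) ? NULL : p + 2;
}

/* AttributeTypeAndValue ::= SEQUENCE { type OID, value ANY }. Returns 1 if the
 * value's tag is in allowed, 0 for "mstring wrong tag", -1 if malformed. */
int check_atv_value(const unsigned char *der, size_t der_len, unsigned long allowed)
{
    const unsigned char *end = der + der_len, *p, *inner;
    int tag; size_t len;
    if (!(p = read_tlv(der, end, &tag, &len)) || tag != V_ASN1_SEQUENCE) return -1;
    inner = p + len;
    if (!(p = read_tlv(p, inner, &tag, &len)) || tag != V_ASN1_OBJECT) return -1;
    if (!(p = read_tlv(p + len, inner, &tag, &len))) return -1;
    return (tag_to_mask(tag) & allowed) ? 1 : 0;
}

/* Constructed samples: SEQUENCE { OID 2.5.4.17 (postalCode), <string> "12345" },
 * once as NumericString (tag 0x12) and once as PrintableString (tag 0x13). */
const unsigned char postal_code_numeric[] = {
    0x30, 0x0c, 0x06, 0x03, 0x55, 0x04, 0x11, 0x12, 0x05, '1', '2', '3', '4', '5' };
const unsigned char postal_code_printable[] = {
    0x30, 0x0c, 0x06, 0x03, 0x55, 0x04, 0x11, 0x13, 0x05, '1', '2', '3', '4', '5' };
```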