That CSR is clearly invalid, because one of its objects isn't properly
DER encoded.
The INTEGER encoding its version has a length equal to zero, and this
isn't permitted by X.690 (BER/DER/CER encoding):
"8.3.1 The encoding of an integer value shall be primitive. The contents
octets shall consist of one or more octets."
OpenSSL could set the version to 0 by default when creating the X509_REQ
object (this is done when you call the X509_to_X509_REQ() function).
But the version field is not declared as "INTEGER DEFAULT v1", so it
could be acceptable to consider that explicitly setting the version is
the responsibility of the application creating the request.
--
Erwann ABALEA
On 16/03/2013 19:22, Ken Smith wrote:
-----BEGIN CERTIFICATE REQUEST-----
MIICbzCCAVcCADArMSkwJwYDVQQDEyBiYjA2NGU1MDIwMTcwOTE4MTY0ZTlmMDY2
[...]
0s8Z
-----END CERTIFICATE REQUEST-----
[...]
Section 4.1 of RFC 2986 says, "Certification request information shall
have...CertificationRequestInfo ::= SEQUENCE { version INTEGER { v1(0)
} (v1,...),". Shouldn't OpenSSL be adding a version with a default
value of 0 even when X509_REQ_set_version is not called?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
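The check Erwann describes, as an added example that is not part of the thread or of OpenSSL: a minimal DER walker that locates the version INTEGER of a PKCS#10 CertificationRequest and applies X.690 8.3.1 (at least one content octet) and 8.3.2 (minimal encoding) to it. It assumes the RFC 2986 layout (CertificationRequest SEQUENCE, then CertificationRequestInfo SEQUENCE, whose first element is the version INTEGER) and single-byte tags. The `skeleton_csr`, `tlv`, `csr_version` and `version_error` names are this example's own; the skeleton CSRs it builds are constructed input with empty placeholders for the fields the check never looks at. Only the first base64 line of the posted CSR is on the page, so `posted_version_header` walks headers only (outer SEQUENCE, inner SEQUENCE, version tag and length) and does not need the elided body.

```python
"""Added example (not from the openssl-dev thread or from OpenSSL):
check a PKCS#10 CSR's version INTEGER against X.690 8.3.1 / 8.3.2.

Assumed structure (RFC 2986):
  CertificationRequest ::= SEQUENCE {
      certificationRequestInfo SEQUENCE { version INTEGER, ... },
      signatureAlgorithm, signature }
"""
import base64

# First base64 line of the CSR quoted in the thread (the rest was elided);
# it is long enough to reach the version INTEGER's tag and length.
POSTED_CSR_PREFIX = "MIICbzCCAVcCADArMSkwJwYDVQQDEyBiYjA2NGU1MDIwMTcwOTE4MTY0ZTlmMDY2"


def read_header(buf, pos):
    """Parse a single-byte tag and a definite length at buf[pos:].
    Returns (tag, length, start_of_contents); does not bounds-check contents."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form
        return tag, first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:         # 0x80 = indefinite form, not DER
        raise ValueError("indefinite or oversized length is not DER")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    if length < 0x80 or length < (1 << (8 * (nbytes - 1))):
        raise ValueError("length not minimally encoded (X.690 10.1)")
    return tag, length, pos + nbytes


def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the TLV at buf[pos:]."""
    tag, length, start = read_header(buf, pos)
    end = start + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[start:end], end


def decode_der_integer(contents):
    """Apply X.690 8.3.1 and 8.3.2 to the contents octets of an INTEGER."""
    if len(contents) == 0:
        raise ValueError("INTEGER with zero content octets (X.690 8.3.1)")
    if len(contents) > 1:
        lead, nxt = contents[0], contents[1]
        if (lead == 0x00 and not nxt & 0x80) or (lead == 0xFF and nxt & 0x80):
            raise ValueError("INTEGER not minimally encoded (X.690 8.3.2)")
    return int.from_bytes(contents, "big", signed=True)


def csr_version(der):
    """Return the CSR's version, or raise ValueError if it is not valid DER."""
    tag, req, _ = read_tlv(der, 0)        # CertificationRequest
    if tag != 0x30:
        raise ValueError("expected SEQUENCE for CertificationRequest")
    tag, cri, _ = read_tlv(req, 0)        # CertificationRequestInfo
    if tag != 0x30:
        raise ValueError("expected SEQUENCE for CertificationRequestInfo")
    tag, ver, _ = read_tlv(cri, 0)        # version INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER for version")
    return decode_der_integer(ver)


def version_error(der):
    """Return the X.690 violation message for the CSR's version, or None."""
    try:
        csr_version(der)
    except ValueError as e:
        return str(e)
    return None


def tlv(tag, contents):
    """DER-encode one TLV; used only to build constructed test input."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def skeleton_csr(version_contents):
    """Constructed CertificationRequest: the given version contents plus
    empty placeholders for subject, SPKI, attributes [0], signatureAlgorithm
    and signature, which this check never inspects."""
    cri = (tlv(0x02, version_contents) + tlv(0x30, b"") + tlv(0x30, b"")
           + tlv(0xA0, b""))
    return tlv(0x30, tlv(0x30, cri) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


def posted_version_header():
    """Walk only the headers of the quoted CSR prefix and return the
    (tag, length) of its version field."""
    der = base64.b64decode(POSTED_CSR_PREFIX)
    _, _, pos = read_header(der, 0)       # CertificationRequest
    _, _, pos = read_header(der, pos)     # CertificationRequestInfo
    tag, length, _ = read_header(der, pos)
    return tag, length


if __name__ == "__main__":
    print(csr_version(skeleton_csr(b"\x00")))   # v1 encoded as 02 01 00
    print(posted_version_header())              # the posted CSR's 02 00
    for bad in (b"", b"\x00\x00"):
        print("rejected:", version_error(skeleton_csr(bad)))
```

Run stand-alone, the script accepts the v1 skeleton, reports tag 2 with length 0 for the posted prefix (the `02 00` that X.690 8.3.1 forbids), and rejects both the empty INTEGER and a padded `00 00` encoding. Rejecting rather than defaulting is the safe choice for a CA-side parser: an empty INTEGER has no value, and silently reading it as 0 would let two different byte strings claim the same meaning.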