First, background (questions at the end):
Version 2 of the pkcs 9 spec at
http://www.rsa.com/rsalabs/node.asp?id=2131 (PDF:
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-9-v2/pkcs-9.pdf) says in
section 5.4.1:
"A challenge-password attribute must have a single attribute value."
At first I expected that to mean "single" in X509_ATTRIBUTE would be
1, but then I noticed (through gdb) that in an actual CSR it was
actually 0, which was confirmed by asn1parse below:
arch [apps]$ ./openssl version
Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens
OpenSSL 0.9.8g 19 Oct 2007
arch [apps]$
arch [apps]$ ls csr
ls: csr: No such file or directory
arch [apps]$
arch [apps]$ ./openssl req -new -out csr -nodes> /dev/null 2>&1
test password!!!
optional company name
arch [apps]$
arch [apps]$ ./openssl asn1parse -in csr
Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens
0:d=0 hl=4 l= 460 cons: SEQUENCE
4:d=1 hl=4 l= 309 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 69 cons: SEQUENCE
13:d=3 hl=2 l= 11 cons: SET
15:d=4 hl=2 l= 9 cons: SEQUENCE
17:d=5 hl=2 l= 3 prim: OBJECT :countryName
22:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
26:d=3 hl=2 l= 19 cons: SET
28:d=4 hl=2 l= 17 cons: SEQUENCE
30:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
35:d=5 hl=2 l= 10 prim: PRINTABLESTRING :Some-State
47:d=3 hl=2 l= 33 cons: SET
49:d=4 hl=2 l= 31 cons: SEQUENCE
51:d=5 hl=2 l= 3 prim: OBJECT :organizationName
56:d=5 hl=2 l= 24 prim: PRINTABLESTRING :Internet Widgits Pty Ltd
82:d=2 hl=3 l= 159 cons: SEQUENCE
85:d=3 hl=2 l= 13 cons: SEQUENCE
87:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
98:d=4 hl=2 l= 0 prim: NULL
100:d=3 hl=3 l= 141 prim: BIT STRING
244:d=2 hl=2 l= 71 cons: cont [ 0 ]
246:d=3 hl=2 l= 31 cons: SEQUENCE
248:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
259:d=4 hl=2 l= 18 cons: SET
261:d=5 hl=2 l= 16 prim: IA5STRING :test password!!!
279:d=3 hl=2 l= 36 cons: SEQUENCE
281:d=4 hl=2 l= 9 prim: OBJECT :unstructuredName
292:d=4 hl=2 l= 23 cons: SET
294:d=5 hl=2 l= 21 prim: PRINTABLESTRING :optional company name
317:d=1 hl=2 l= 13 cons: SEQUENCE
319:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
330:d=2 hl=2 l= 0 prim: NULL
332:d=1 hl=3 l= 129 prim: BIT STRING
arch [apps]$
So am I misinterpreting the RSA PKCS 9 spec, and does it actually
mean that the challenge password must be a "sequence of one object"?
If that's the case, then the stack "STACK_OF(ASN1_TYPE) *set" in
X509_ATTRIBUTE should always have one element, right?
A side question: what exactly does this "which is wrong" comment
mean? :)
typedef struct x509_attributes_st
...
int single; /* 0 for a set, 1 for a single item (which is wrong) */
union {
...
} X509_ATTRIBUTE;
Thanks.
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
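As an added example (not code from the original post or from OpenSSL), here is a small DER walk in Python over the challengePassword attribute that asn1parse printed at offset 246 above: it confirms that the attribute's values are carried in a SET (which is why OpenSSL's "single" flag reads 0 rather than 1) and enforces the PKCS#9 5.4.1 rule that this SET must hold exactly one value, the check a CSR consumer would want before trusting the password. The byte strings are constructed from the dump above; the two-value variant is a made-up malformed case.

```python
# Minimal DER walker: enough to read Attribute ::= SEQUENCE { type OID, values SET OF ANY }.

CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")  # 1.2.840.113549.1.9.7

def read_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the DER element starting at pos.
    Handles definite short and long length forms, which is all a CSR uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    """Split the contents of a constructed element into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = read_tlv(contents, pos)
        out.append((tag, val))
    return out

def attribute_values(attr_der):
    """Parse one Attribute and return (oid_bytes, list of value elements in its SET)."""
    tag, body, _ = read_tlv(attr_der)
    if tag != 0x30:
        raise ValueError("attribute is not a SEQUENCE")
    parts = children(body)
    if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0x31:
        raise ValueError("expected OID followed by a SET of values")
    return parts[0][1], children(parts[1][1])

def challenge_password(attr_der):
    """Return the password if attr_der is a well-formed challengePassword attribute
    carrying exactly one value (PKCS#9 5.4.1); raise ValueError otherwise."""
    oid, values = attribute_values(attr_der)
    if oid != CHALLENGE_PASSWORD_OID:
        raise ValueError("not a challengePassword attribute")
    if len(values) != 1:
        raise ValueError(f"challengePassword has {len(values)} values, expected exactly 1")
    tag, val = values[0]
    if tag not in (0x13, 0x16):             # PrintableString or IA5String per PKCS#9
        raise ValueError("unexpected value type for challengePassword")
    return val.decode("ascii")

# Constructed from the asn1parse output: SEQUENCE(31) { OID(9), SET(18) { IA5String(16) } }.
GOOD = bytes.fromhex("301f" "0609" "2a864886f70d010907" "3112" "1610") + b"test password!!!"
# Constructed malformed variant: the SET carries two IA5String values (8 bytes each).
BAD = (bytes.fromhex("3021" "0609" "2a864886f70d010907" "3114" "1608") + b"one!!!!!"
       + bytes.fromhex("1608") + b"two!!!!!")
```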