> From: [email protected] On Behalf Of PETER LIN
> Sent: Tuesday, 12 May, 2009 01:26
>
> I need to generate some problematic certs so as to test whether my app will
> reject these certs or not. Such X.509 certs are, for example, ones without an
> Issuer field, a Version field, etc. Is there any command line available to do
> the job? Or alternatively I can use C++ to parse in a valid cert, do some
> modification, and parse out.
>
> I tried to clear some pointers of a valid X509 structure and wrote it out.
> Sometimes OpenSSL will reject the modified cert (like Issuer ptr cleared), and
> sometimes it won't (in the case of Version ptr cleared). I wonder, while
> parsing an X.509 cert, which components OpenSSL takes as compulsory, and which
> are optional? Is my procedure correct?

OpenSSL uses generic routines for all(?) ASN1 encoding/decoding with (C) static
data that specify the particular ASN1 definition. The X509 and X509_CINF
(CertInfo = body) 'items' in asn1/x_x509.c specify as per the X.509 standards:

- version optional, explicitly tagged, default 0 = v1
- issuerUID and subjectUID optional, implicitly tagged (these were never widely
  adopted and are rarely if ever used)
- extensions optional, explicitly tagged

(To be exact, the UIDs should be permitted only for version>=1 (spec v2) and
extensions only for version>=2 (spec v3); I don't think OpenSSL enforces that
part.)

The issuer and serial names are each a SEQUENCE of tagged string items. There
is a set of tags intended and commonly used for these names (country,
stateprovince, locality, organization, etc.) but the encoding does not require
any (much less all) of them. A particular verifier may demand that a cert
contain at least some name item(s) it recognizes before accepting that cert as
'good'.

The signature-algid field (gives the alg/parms signing the cert) and the algid
part of the pubkey (gives the alg/parms to be used with the (pub)key being
certified, i.e. for subject data) each have a 'parameters' part whose type
depends on the algorithm specified. I can't think offhand of any algorithms
whose public parameters have optional parts, but there may well be; the
(pre)encoding allows it.

Within extensions, each particular (tagged) extension has its own definition of
what its data part is, and what if anything is optional.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
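The tagged-and-optional layout the reply describes ([0] EXPLICIT version with DEFAULT v1, [1]/[2] IMPLICIT unique identifiers, [3] EXPLICIT extensions, everything else mandatory and in fixed order) can be made concrete with a small DER walker. The following is an added example, not code from the thread or from OpenSSL: it builds placeholder TBSCertificate encodings (the OID, dates, empty Names and zero key bits are constructed test data), parses them with the rules above, and applies the version-dependent checks the reply says OpenSSL does not enforce, plus the DER rule that a DEFAULT value must be omitted. The `omit` parameter is a hypothetical helper that mimics the "cleared pointer" experiment from the question.

```python
# Added example: minimal DER walker for an X.509 TBSCertificate.
INTEGER, BIT_STRING, OID, UTCTIME, SEQUENCE = 0x02, 0x03, 0x06, 0x17, 0x30
VERSION_TAG = 0xA0      # [0] EXPLICIT  (context-specific, constructed)
ISSUER_UID_TAG = 0x81   # [1] IMPLICIT  (context-specific, primitive BIT STRING)
SUBJECT_UID_TAG = 0x82  # [2] IMPLICIT
EXTENSIONS_TAG = 0xA3   # [3] EXPLICIT

def der(tag, body):
    """Encode one TLV with a DER definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        n = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + n > len(buf):
        raise ValueError("element length overruns buffer")
    return tag, buf[pos:pos + n], pos + n

MANDATORY = (  # name and expected universal tag, in the order X.509 fixes
    ("serialNumber", INTEGER), ("signature", SEQUENCE), ("issuer", SEQUENCE),
    ("validity", SEQUENCE), ("subject", SEQUENCE), ("subjectPublicKeyInfo", SEQUENCE))
OPTIONAL = (("issuerUniqueID", ISSUER_UID_TAG), ("subjectUniqueID", SUBJECT_UID_TAG),
            ("extensions", EXTENSIONS_TAG))

def build_tbs(version=None, issuer_uid=None, subject_uid=None, extensions=None, omit=()):
    """Construct placeholder test data; `omit` (hypothetical) drops mandatory fields."""
    algid = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    parts = {
        "serialNumber": der(INTEGER, b"\x01"),
        "signature": algid,
        "issuer": der(SEQUENCE, b""),   # an empty Name is a legal encoding
        "validity": der(SEQUENCE, der(UTCTIME, b"090512000000Z") * 2),
        "subject": der(SEQUENCE, b""),
        "subjectPublicKeyInfo": der(SEQUENCE, algid + der(BIT_STRING, b"\x00" * 9)),
    }
    body = b"" if version is None else der(VERSION_TAG, der(INTEGER, bytes([version])))
    body += b"".join(v for k, v in parts.items() if k not in omit)
    if issuer_uid is not None:
        body += der(ISSUER_UID_TAG, b"\x00" + issuer_uid)
    if subject_uid is not None:
        body += der(SUBJECT_UID_TAG, b"\x00" + subject_uid)
    if extensions is not None:
        body += der(EXTENSIONS_TAG, der(SEQUENCE, extensions))
    return der(SEQUENCE, body)

def parse_tbs(tbs):
    """Walk the TBSCertificate, raising on a missing or mis-tagged mandatory field."""
    tag, body, end = read_tlv(tbs, 0)
    if tag != SEQUENCE or end != len(tbs):
        raise ValueError("TBSCertificate must be a single SEQUENCE")
    fields, pos = {}, 0
    fields["version_encoded"] = len(body) > 0 and body[0] == VERSION_TAG
    if fields["version_encoded"]:           # [0] EXPLICIT INTEGER DEFAULT v1(0)
        _, wrapper, pos = read_tlv(body, pos)
        vtag, vbody, vend = read_tlv(wrapper, 0)
        if vtag != INTEGER or vend != len(wrapper):
            raise ValueError("version wrapper must hold exactly one INTEGER")
        fields["version"] = int.from_bytes(vbody, "big", signed=True)
    else:
        fields["version"] = 0               # absent means v1
    for name, want in MANDATORY:
        if pos >= len(body):
            raise ValueError(f"missing mandatory field {name}")
        tag, inner, pos = read_tlv(body, pos)
        if tag != want:
            raise ValueError(f"{name}: expected tag {want:#04x}, got {tag:#04x}")
        fields[name] = inner
    for name, want in OPTIONAL:             # each at most once, in this fixed order
        if pos < len(body) and body[pos] == want:
            _, inner, pos = read_tlv(body, pos)
            fields[name] = inner
    if pos != len(body):
        raise ValueError(f"unexpected trailing element with tag {body[pos]:#04x}")
    return fields

def version_issues(fields):
    """Version rules (v2 for UIDs, v3 for extensions) and the DER DEFAULT rule."""
    issues, v = [], fields["version"]
    if v not in (0, 1, 2):
        issues.append(f"unknown version value {v}")
    if fields["version_encoded"] and v == 0:
        issues.append("version v1 encoded explicitly (DER requires DEFAULT values to be omitted)")
    if v < 1 and ("issuerUniqueID" in fields or "subjectUniqueID" in fields):
        issues.append("unique identifiers present but version is v1")
    if v < 2 and "extensions" in fields:
        issues.append("extensions present but version is not v3")
    return issues

if __name__ == "__main__":
    print(version_issues(parse_tbs(build_tbs(version=2, extensions=b""))))
    print(version_issues(parse_tbs(build_tbs(extensions=b""))))
    try:
        parse_tbs(build_tbs(version=2, omit=("issuer",)))
    except ValueError as e:
        print("rejected:", e)
```

Dropping the issuer is instructive: because issuer, validity, subject and subjectPublicKeyInfo all carry the universal SEQUENCE tag, a generic decoder only notices at the end of the body that one SEQUENCE is short, so the error names subjectPublicKeyInfo rather than issuer. Dropping the serial number fails immediately, since the INTEGER tag is distinct. Clearing the version pointer, by contrast, simply yields a well-formed v1 body, which is why OpenSSL accepted it in the question's experiment.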
