Hi Germano,

> Looks like the cisco box wasn't able to decrypt the request.

In the meantime I was able to verify this against Microsoft's SCEP
implementation (Windows Server 2008 R2).  The problem is that scepclient
incorrectly ASN.1-encoded the integer value 0 as 0200 instead of 020100
when generating PKCS#7 messages and PKCS#10 certificate requests.  It
did so for quite a while (at least since the beginning of our Git
repository's history) so I'm not sure why this ever worked - perhaps the
other implementations were not so strict.

Anyway, a fix will be included in one of our upcoming releases.  If you
don't want to wait, use the attached patch.

Regards,
Tobias
From 70a76b0011dc12ff27508bc38ee8cddfd4debdae Mon Sep 17 00:00:00 2001
From: Tobias Brunner <[email protected]>
Date: Sat, 12 May 2012 18:21:32 +0200
Subject: [PATCH 01/24] Properly encode 0 in ASN.1.

According to X.690 an INTEGER object always has at least one content
octet.
---
 src/libstrongswan/asn1/asn1.c |   17 +++++++----------
 1 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 8adab85..c9f6fce 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -28,7 +28,7 @@
 /**
  * Commonly used ASN1 values.
  */
-const chunk_t ASN1_INTEGER_0 = chunk_from_chars(0x02, 0x00);
+const chunk_t ASN1_INTEGER_0 = chunk_from_chars(0x02, 0x01, 0x00);
 const chunk_t ASN1_INTEGER_1 = chunk_from_chars(0x02, 0x01, 0x01);
 const chunk_t ASN1_INTEGER_2 = chunk_from_chars(0x02, 0x01, 0x02);
 
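Review bot: the three-byte constant now agrees with what asn1_integer() in the next hunk produces for an empty value, which is the correct encoding under X.690 8.3.1, but any code that recognises a zero by byte-comparing against ASN1_INTEGER_0 will stop matching the old `02 00` form that unpatched strongSwan peers still emit; check whether the parsing side should remain lenient for interoperability, and add a test asserting that asn1_integer() on an empty chunk returns exactly ASN1_INTEGER_0 so the two definitions cannot drift apart again.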
@@ -761,16 +761,13 @@ chunk_t asn1_integer(const char *mode, chunk_t content)
 	size_t len;
 	u_char *pos;
 
-	if (content.len == 0 || (content.len == 1 && *content.ptr == 0x00))
-	{
-		/* a zero ASN.1 integer does not have a value field */
-		len = 0;
-	}
-	else
-	{
-		/* ASN.1 integers must be positive numbers in two's complement */
-		len = content.len + ((*content.ptr & 0x80) ? 1 : 0);
+	if (content.len == 0)
+	{	/* make sure 0 is encoded properly */
+		content = chunk_from_chars(0x00);
 	}
+
+	/* ASN.1 integers must be positive numbers in two's complement */
+	len = content.len + ((*content.ptr & 0x80) ? 1 : 0);
 	pos = asn1_build_object(&object, ASN1_INTEGER, len);
 	if (len > content.len)
 	{
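Review bot: `content = chunk_from_chars(0x00);` is assigned inside the `if` block but `*content.ptr` is dereferenced after the closing brace; if chunk_from_chars expands to a compound literal, its storage is scoped to that block and the pointer is stale by the time `len` is computed, so either hoist the assignment out of the block or point the substitute at a `static const u_char zero = 0x00`. Relatedly, `mode` is still passed in: if the 'm' mode means content.ptr gets freed after the object is built (not shown in this hunk), the substituted chunk must be excluded from that free, e.g. by setting a flag in this branch. Finally, the removed special case for a single 0x00 octet now goes through the general path and still yields `02 01 00`, which is fine, but redundant leading zero octets in longer input are not stripped here, so the output is valid BER yet not guaranteed minimal DER.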
-- 
1.7.4.1
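The thread above turns on one rule from X.690: a DER INTEGER carries at least one content octet, so zero is `02 01 00`, never `02 00`, and a value whose top bit is set gets a leading `0x00` so it stays positive. The following C is an added example, not strongSwan code and not the patch: `der_encode_uint` (hypothetical name) builds a minimal DER INTEGER from a big-endian unsigned magnitude, handling the empty, all-zero and high-bit cases in one path, and `der_check_integer` (also hypothetical) is a strict validator that reports the exact defect discussed in the thread, which is the kind of check a receiver can use to diagnose rejected SCEP messages. Both only use the short-form length, which covers integers up to 127 octets.

```c
/* Added example (not strongSwan code). Names der_encode_uint, der_check_integer
 * and run_examples are assumptions for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASN1_INTEGER_TAG 0x02

/* Encode the non-negative integer given as big-endian bytes (content, len) as a
 * DER INTEGER TLV into out. Returns bytes written, or 0 on error.
 * - redundant leading 0x00 octets are stripped (DER minimal encoding)
 * - an empty or all-zero input becomes 02 01 00 (X.690 8.3.1: >= 1 content octet)
 * - a leading octet with bit 7 set gets a 0x00 pad so the value stays positive */
size_t der_encode_uint(const uint8_t *content, size_t len,
                       uint8_t *out, size_t outcap)
{
    static const uint8_t zero = 0x00;   /* static: safe to point at after the if */
    size_t pad, clen, i;

    while (len > 0 && content[0] == 0x00) { content++; len--; }
    if (len == 0) { content = &zero; len = 1; }   /* the case the patch fixes */

    pad  = (content[0] & 0x80) ? 1 : 0;
    clen = len + pad;
    if (clen > 127 || outcap < 2 + clen) return 0;  /* short-form length only */

    out[0] = ASN1_INTEGER_TAG;
    out[1] = (uint8_t)clen;
    i = 2;
    if (pad) out[i++] = 0x00;
    memcpy(out + i, content, len);
    return 2 + clen;
}

/* Strict check that buf[0..n) is exactly one well-formed DER INTEGER.
 * Returns 0 if OK, otherwise a negative code naming the defect:
 *  -1 wrong tag or length does not match the buffer
 *  -2 zero content octets (the 02 00 form discussed in the thread)
 *  -3 non-minimal content (redundant leading 0x00 or 0xFF octet)
 *  -4 long-form length, not handled by this example */
int der_check_integer(const uint8_t *buf, size_t n)
{
    size_t clen;
    const uint8_t *c;

    if (n < 2 || buf[0] != ASN1_INTEGER_TAG) return -1;
    if (buf[1] & 0x80) return -4;
    clen = buf[1];
    if (clen == 0) return -2;
    if (n != 2 + clen) return -1;
    c = buf + 2;
    if (clen > 1) {
        if (c[0] == 0x00 && !(c[1] & 0x80)) return -3;  /* needless 00 pad */
        if (c[0] == 0xFF &&  (c[1] & 0x80)) return -3;  /* needless FF pad */
    }
    return 0;
}

/* Constructed sample values; returns 1 if every encoding round-trips through
 * the checker and the known-bad 02 00 form is flagged, 0 otherwise. */
int run_examples(void)
{
    static const uint8_t one[]   = {0x01};
    static const uint8_t v128[]  = {0x80};
    static const uint8_t v256[]  = {0x00, 0x00, 0x01, 0x00};  /* padded input */
    static const uint8_t bad0[]  = {0x02, 0x00};               /* the bug */
    uint8_t out[16];
    size_t n;

    n = der_encode_uint(NULL, 0, out, sizeof out);          /* zero -> 02 01 00 */
    if (n != 3 || out[1] != 0x01 || out[2] != 0x00) return 0;
    n = der_encode_uint(one, 1, out, sizeof out);           /* 02 01 01 */
    if (n != 3 || der_check_integer(out, n) != 0) return 0;
    n = der_encode_uint(v128, 1, out, sizeof out);          /* 02 02 00 80 */
    if (n != 4 || out[2] != 0x00 || out[3] != 0x80 || der_check_integer(out, n) != 0) return 0;
    n = der_encode_uint(v256, 4, out, sizeof out);          /* 02 02 01 00 */
    if (n != 4 || out[2] != 0x01 || out[3] != 0x00 || der_check_integer(out, n) != 0) return 0;
    return der_check_integer(bad0, sizeof bad0) == -2;
}

int main(void)
{
    uint8_t out[16];
    size_t n = der_encode_uint(NULL, 0, out, sizeof out), i;
    printf("INTEGER 0 encodes as:");
    for (i = 0; i < n; i++) printf(" %02x", out[i]);
    printf("\nself-check: %s\n", run_examples() ? "ok" : "FAILED");
    return run_examples() ? 0 : 1;
}
```

Running the checker over the bytes a peer rejected is a quick way to tell a strictness mismatch (`-2` or `-3`) from a transport or crypto problem; the encoder shows that once the empty case is folded into the general path, a single static zero octet avoids the block-scoped temporary the patch introduces.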

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
