Dear OpenSSL users,

lately I ran into a problem when trying to parse attribute certificates (ACs). ACs contain a sequence of attributes which look like x509v5 attributes.
I've decided to use parts of the AC implementation from Daniel Díaz-Sánchez (downloadable at http://www.it.uc3m.es/dds/swRelease/pmi/pmi.xml ), which works fine for me so far. I've implemented some awareness of attribute types as defined by ISIS-MTT v1.1 of 16.3.2004 (which is still current), such as additionalInformation, restriction, monetaryLimit, admission and others. All works fine except for a special AC with the procuration attribute, which is defined as follows:

ProcurationSyntax ::= SEQUENCE {
    country             [1] EXPLICIT PrintableString(SIZE(2)) OPTIONAL,
    typeOfSubstitution  [2] EXPLICIT DirectoryString(SIZE(1..128)) OPTIONAL,
    signingFor          [3] EXPLICIT SigningFor
}

SigningFor ::= CHOICE {
    thirdPerson GeneralName,
    certRef     IssuerSerial
}

but with exceptions to the type of the field thirdPerson, which isn't exactly a GeneralName in the sense of OpenSSL. What I implemented is:

ASN1_CHOICE(X509_PROCURATION_SIGNINGFOR) = {
    ASN1_SIMPLE(X509_PROCURATION_SIGNINGFOR, value.thirdPerson, GENERAL_NAME),
    ASN1_SIMPLE(X509_PROCURATION_SIGNINGFOR, value.certRef, X509AT_ISSUER_SERIAL)
} ASN1_CHOICE_END(X509_PROCURATION_SIGNINGFOR)

IMPLEMENT_ASN1_FUNCTIONS(X509_PROCURATION_SIGNINGFOR)

ASN1_SEQUENCE(X509_PROCURATION) = {
    /* country and typeOfSubstitution are OPTIONAL in the ASN.1 above,
     * so their templates must be ASN1_EXP_OPT, not ASN1_EXP */
    ASN1_EXP_OPT(X509_PROCURATION, country, ASN1_PRINTABLESTRING, 1),
    ASN1_EXP_OPT(X509_PROCURATION, typeOfSubstitiution, DIRECTORYSTRING, 2),
    ASN1_EXP(X509_PROCURATION, signingFor, X509_PROCURATION_SIGNINGFOR, 3)
} ASN1_SEQUENCE_END(X509_PROCURATION)

IMPLEMENT_ASN1_FUNCTIONS(X509_PROCURATION)

Conforming to RFC 3039, ISIS-MTT states for ACs:

ISIS-MTT PROFILE: The GeneralName MUST be of type directoryName and MAY only contain:
- RFC3039 attributes, except pseudonym (countryName, commonName, surname, givenName, serialNumber, organizationName, organizationalUnitName, stateOrProvinceName, localityName, postalAddress) and
- SubjectDirectoryName attributes (title, dateOfBirth, placeOfBirth, gender, countryOfCitizenship, countryOfResidence and NameAtBirth).
The problem arises when it comes to parsing a dateOfBirth attribute, since it is of ASN.1 type GENERALIZEDTIME. All others are (more or less) strings. In OpenSSL a GeneralName of type GEN_DIRNAME is mapped to X509_NAME (see x509v3.h), which may only hold string values, but no date value. So parsing an AC which contains such an item results in a parsing failure:

===
...
2008:error:0D07808C:asn1 encoding routines:ASN1_ITEM_EX_D2I:mstring wrong tag: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:228: Type=ASN1_PRINTABLE
2008:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:749: Field=value, Type=X509_NAME_ENTRY
2008:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:710:
2008:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:710:
2008:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:749:
2008:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:578:
2008:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:338: Field=d.directoryName, Type=GENERAL_NAME
2008:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:749:
2008:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:338: Field=value.thirdPerson, Type=X509_PROCURATION_SIGNINGFOR
2008:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:749:
2008:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error: X:\openssl\openssl-0.9.8g\crypto\asn1\tasn_dec.c:578: Field=signingFor, Type=X509_PROCURATION
===

which is correct, since GENERALIZEDTIME is not a string. In tasn_dec.c, line 227, ASN1_tag2bit returns 0x00008000 (B_ASN1_GENERALIZEDTIME) while it->utype is 0x00013d16 (B_ASN1_PRINTABLE, I guess).

How can I convince OpenSSL to accept dateOfBirth as an allowable type in this case? Any idea?

TIA
-- 
Christian

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
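The failure described in this message comes down to one check: the decoder maps the value's tag to a bit (ASN1_tag2bit) and tests it against a fixed string mask that the X509_NAME_ENTRY template applies to every attribute value, regardless of the attribute type OID. The following stand-alone C program is an added illustration of that check and of what a type-aware variant has to do; it is not code from the post, from Daniel Díaz-Sánchez's AC implementation, or from OpenSSL. It assumes nothing about OpenSSL internals: the DER below is constructed for the example, tag_bit() is a simplified stand-in for ASN1_tag2bit (one bit per universal tag number rather than OpenSSL's B_ASN1_* values), the Name walker handles only the short-form encodings the sample uses, and the dateOfBirth OID 1.3.6.1.5.5.7.9.1 is id-pda-dateOfBirth from RFC 3739 (the successor of the RFC 3039 cited above). The "uniform mask" policy rejects the GeneralizedTime exactly where the OpenSSL trace does; the "per-attribute mask" policy accepts it for dateOfBirth only and still rejects a GeneralizedTime smuggled into a commonName.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Universal ASN.1 tag numbers used below (X.680) */
enum { TAG_OID = 6, TAG_UTF8 = 12, TAG_SEQ = 16, TAG_SET = 17, TAG_PRINTABLE = 19,
       TAG_T61 = 20, TAG_GENTIME = 24, TAG_UNIVERSAL = 28, TAG_BMP = 30 };

/* Simplified stand-in for ASN1_tag2bit(): one bit per universal tag number (assumption) */
static uint32_t tag_bit(int tag) { return 1u << tag; }

/* Tags a DirectoryString value may carry: the kind of fixed mask an
 * X509_NAME_ENTRY-style template applies to every attribute value */
#define DIRSTRING_MASK (tag_bit(TAG_PRINTABLE) | tag_bit(TAG_T61) | tag_bit(TAG_UTF8) | \
                        tag_bit(TAG_UNIVERSAL) | tag_bit(TAG_BMP))

static const unsigned char OID_CN[]  = {0x55, 0x04, 0x03};                               /* 2.5.4.3 commonName */
static const unsigned char OID_DOB[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x09, 0x01}; /* 1.3.6.1.5.5.7.9.1 id-pda-dateOfBirth */

struct tlv { int tag; size_t len; const unsigned char *val; size_t total; };

/* Read one DER TLV with a low tag number and short-form length (all the samples need);
 * returns -1 for truncated input or encodings this example does not handle */
static int read_tlv(const unsigned char *p, size_t n, struct tlv *t)
{
    if (n < 2) return -1;
    t->tag = p[0] & 0x1f;
    if (t->tag == 0x1f || (p[1] & 0x80)) return -1;   /* high tag numbers / long lengths: unsupported here */
    t->len = p[1];
    if (t->len > n - 2) return -1;                     /* length runs past the buffer */
    t->val = p + 2;
    t->total = 2 + t->len;
    return 0;
}

typedef uint32_t (*mask_fn)(const unsigned char *oid, size_t oidlen);

/* Policy A: the same string mask for every AttributeValue, whatever the type OID says */
static uint32_t uniform_mask(const unsigned char *oid, size_t oidlen)
{
    (void)oid; (void)oidlen;
    return DIRSTRING_MASK;
}

/* Policy B: consult the attribute type first; dateOfBirth is a GeneralizedTime (RFC 3739 3.2.2) */
static uint32_t per_attribute_mask(const unsigned char *oid, size_t oidlen)
{
    if (oidlen == sizeof OID_DOB && memcmp(oid, OID_DOB, oidlen) == 0)
        return tag_bit(TAG_GENTIME);
    return DIRSTRING_MASK;
}

/* Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (one AVA per RDN here) and
 * check each value's tag against the policy. Returns 0 if every AVA is accepted,
 * 1 + index of the first rejected AVA, or -1 if the DER is malformed/unsupported. */
static int check_name(const unsigned char *der, size_t n, mask_fn policy)
{
    struct tlv name, rdn, ava, type, value;
    size_t off = 0;
    int index = 0;
    if (read_tlv(der, n, &name) || name.tag != TAG_SEQ || name.total != n) return -1;
    while (off < name.len) {
        if (read_tlv(name.val + off, name.len - off, &rdn) || rdn.tag != TAG_SET) return -1;
        if (read_tlv(rdn.val, rdn.len, &ava) || ava.tag != TAG_SEQ || ava.total != rdn.len) return -1;
        if (read_tlv(ava.val, ava.len, &type) || type.tag != TAG_OID) return -1;
        if (read_tlv(ava.val + type.total, ava.len - type.total, &value)) return -1;
        if (!(tag_bit(value.tag) & policy(type.val, type.len)))
            return 1 + index;                          /* the "mstring wrong tag" point */
        off += rdn.total;
        index++;
    }
    return 0;
}

/* Constructed sample: Name { {commonName="Test"}, {dateOfBirth=19700101000000Z} } */
static const unsigned char SAMPLE_NAME[] = {
    0x30, 0x2e,
      0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 'T', 'e', 's', 't',
      0x31, 0x1d, 0x30, 0x1b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x09, 0x01,
        0x18, 0x0f, '1','9','7','0','0','1','0','1','0','0','0','0','0','0','Z'
};

/* Constructed sample: a commonName carrying a GeneralizedTime, which neither policy accepts */
static const unsigned char SAMPLE_TIME_IN_CN[] = {
    0x30, 0x1a,
      0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
        0x18, 0x0f, '1','9','7','0','0','1','0','1','0','0','0','0','0','0','Z'
};

int main(void)
{
    int r;
    r = check_name(SAMPLE_NAME, sizeof SAMPLE_NAME, uniform_mask);
    printf("uniform mask:       %s (attribute %d)\n", r > 0 ? "rejected" : "accepted", r - 1);
    r = check_name(SAMPLE_NAME, sizeof SAMPLE_NAME, per_attribute_mask);
    printf("per-attribute mask: %s\n", r > 0 ? "rejected" : "accepted");
    r = check_name(SAMPLE_TIME_IN_CN, sizeof SAMPLE_TIME_IN_CN, per_attribute_mask);
    printf("time in commonName: %s (attribute %d)\n", r > 0 ? "rejected" : "accepted", r - 1);
    return 0;
}
```

The design point is that the tag check has to happen after the attribute type is known, not before: a template that widens the string mask globally would also let a GeneralizedTime through for commonName, whereas the per-attribute policy keeps the DirectoryString rule for every type it does not list. In OpenSSL terms the analogous option is a custom template for this directoryName branch whose AttributeValue is decoded as ASN1_ANY and then checked per type, rather than reusing X509_NAME_ENTRY; which approach fits the AC code is a decision for the maintainer.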