Hi there,

In the past we implemented some templates for X.509v3 certificate
extensions in order to be able to handle some attributes defined in
Common PKI 2.0.

One of the more structured attributes is admission:

id-isismtt-at-admission OBJECT IDENTIFIER ::= {id-isismtt-at 3}
id-isismtt-at-namingAuthorities OBJECT IDENTIFIER ::= {id-isismtt-at 11}

AdmissionSyntax ::= SEQUENCE {
        admissionAuthority GeneralName OPTIONAL,
        contentsOfAdmissions SEQUENCE OF Admissions }

Admissions ::= SEQUENCE {
        admissionAuthority [0] EXPLICIT GeneralName OPTIONAL,
        namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL,
        professionInfos SEQUENCE OF ProfessionInfo }

NamingAuthority ::= SEQUENCE {
        namingAuthorityId OBJECT IDENTIFIER OPTIONAL,
        namingAuthorityUrl IA5String OPTIONAL,
        namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL }

ProfessionInfo ::= SEQUENCE {
        namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
        professionItems SEQUENCE OF DirectoryString(SIZE(1..128)),
        professionOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
        registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
        addProfessionInfo OCTET STRING OPTIONAL }

So we defined (representing the ProfessionInfo part of the structure):
typedef STACK_OF(DIRECTORYSTRING) DIRECTORYSTRINGS;
DECLARE_ASN1_FUNCTIONS(DIRECTORYSTRINGS)
DECLARE_ASN1_ITEM(DIRECTORYSTRINGS)

typedef struct X509_ADMISSION_PROF_INFO_st {
        X509_ADMISSION_NAM_AUTH *namingAuthority;   // optional
        DIRECTORYSTRINGS *professionItems;
        ASN1_OBJECTS *professionOIDs;               // optional
        ASN1_PRINTABLESTRING *registrationNumber;   // optional
        ASN1_OCTET_STRING *addProfessionInfo;       // optional
} X509_ADMISSION_PROF_INFO;

and (nearly) all went OK. For parsing the template we had to patch
tasn_dec.c so that it does not complain about errors on optional
template elements.

With version 1.0.0, DIRECTORYSTRING support seems to have gone or been
substituted by something else.

We were using the structures as follows (code snippet):

ASN1_SEQUENCE(X509_ADMISSION_PROF_INFO) = {
  ASN1_EXP_OPT(X509_ADMISSION_PROF_INFO, namingAuthority, X509_ADMISSION_NAM_AUTH, 0),
  ASN1_SEQUENCE_OF(X509_ADMISSION_PROF_INFO, professionItems, DIRECTORYSTRING),
  ASN1_OPT(X509_ADMISSION_PROF_INFO, professionOIDs, ASN1_OBJECTS),
  ASN1_OPT(X509_ADMISSION_PROF_INFO, registrationNumber, ASN1_PRINTABLESTRING),
  ASN1_OPT(X509_ADMISSION_PROF_INFO, addProfessionInfo, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(X509_ADMISSION_PROF_INFO)

IMPLEMENT_ASN1_FUNCTIONS(X509_ADMISSION_PROF_INFO)
...
X509_ADMISSION_PROF_INFO_SK *sk_apis = i2_admissions->professionInfos;
for (int i3 = 0; i3 < sk_X509_ADMISSION_PROF_INFO_num(sk_apis); i3++)
{
        X509_ADMISSION_PROF_INFO *api = sk_X509_ADMISSION_PROF_INFO_value(sk_apis, i3);
        if (api)
        {
                X509_ADMISSION_NAM_AUTH *namingAuthority2 = api->namingAuthority;
                // namingAuthority2 (see above --> namingAuthority)
                if (namingAuthority2)
                {
                        avnode *att_na = Attribute_namingAuthority(namingAuthority2);
                        if (att_na)
                                prof->adoptname("namingAuthority", att_na);
                        else
                                prof->addname("namingAuthority").addvalue("[PARSING FAILURE]");
                }
                // ... now look at the professionItems ...
                for (int i4 = 0; i4 < sk_num(api->professionItems); i4++)
                {
                        ASN1_STRING *as = sk_value(api->professionItems, i4);
                        prof->addname("professionItem").addvalue(Certificate::ASN1_STRING_UTF8String(as));
                }
        }
}

Currently the compiler dislikes sk_num as well as sk_DIRECTORYSTRING_num.
So we had to fall back to the general ASN1_STRING type and do the checking
by hand within the code.

It would be nice to have some type that implicitly does the type checking on
the ASN1 objects. So how do we define some MB_STRING that makes the lib do
the checks? We have already noticed some MB_STRING (or so) with a mask, but
don't know how to use it.

Finally, the patch to tasn_dec.c:
--- C:/wrk/openssl-1.0.0d/crypto/asn1/tasn_dec.c        Tue Jun 15 18:25:06 2010
+++ S:/Build/SAK-2.1/openssl-1.0.0d/crypto/asn1/tasn_dec.c      Thu Mar 10 
01:26:40 2011
@@ -188,6 +188,8 @@
                         */
                        if ((tag != -1) || opt)
                                {
+                               /* If OPTIONAL, assume this is OK Patch 
5.2.2010 ChWe */
+                               if (opt) return -1;
                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
                                ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
                                goto err;
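Review bot: the added `if (opt) return -1;` turns the error for an OPTIONAL item template into the decoder's "optional element absent" result before a single byte of input has been examined, so a field declared like `ASN1_OPT(X509_ADMISSION_PROF_INFO, professionOIDs, ASN1_OBJECTS)` is reported missing even when the encoding carries it; its bytes are then matched against the following fields and, at best, rejected as trailing data. The patch therefore only appears to work while the test data never contains such a field. The supported way around ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE is to keep the OPTIONAL flag in the template of the containing SEQUENCE instead of on a separately defined stack item, e.g. `ASN1_SEQUENCE_OF_OPT(X509_ADMISSION_PROF_INFO, professionOIDs, ASN1_OBJECT)`, which needs no change to tasn_dec.c.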
We wonder whether this is critical in any aspect. With the patch the lib still
seems to work for us.

What are we missing? Any hints?

TIA
--
Christian Weber
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
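As an added example that is not part of the original post or of OpenSSL: a stand-alone DER decoder for the ProfessionInfo SEQUENCE above that does the two things the post asks about, namely accepting only the DirectoryString alternatives (the tag mask an OpenSSL MSTRING item such as DIRECTORYSTRING enforces) and deciding for every OPTIONAL field by looking at the next tag whether it is present, which is the decision the `if (opt) return -1;` patch skips. The sample encoding, the OID in it and the registration number are constructed values.

```python
# Constructed example, not OpenSSL code: a strict DER decoder for the ProfessionInfo
# SEQUENCE quoted above (single-byte tags and definite lengths, all that DER uses here).
DIRECTORY_STRING = {0x13: "ascii", 0x14: "latin-1", 0x0c: "utf-8", 0x1e: "utf-16-be", 0x1c: "utf-32-be"}

def read_tlv(data, pos):  # -> (tag, value, next_pos); IndexError if the header is truncated
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: the next n bytes hold the length
        n = length & 0x7f
        if not 1 <= n <= 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("length runs past end of data")
    return tag, data[pos:pos + length], pos + length

def directory_string(tag, value):  # what an OpenSSL MSTRING item does: check the tag mask
    text = value.decode(DIRECTORY_STRING[tag]) if tag in DIRECTORY_STRING else None
    if text is None or not 1 <= len(text) <= 128:        # plus the SIZE(1..128) constraint
        raise ValueError(f"tag 0x{tag:02x}, {len(value)} bytes: not a DirectoryString(SIZE(1..128))")
    return text

def seq_of(value, element, want=None):  # decode a SEQUENCE OF; want pins the member tag
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        if want is not None and tag != want:
            raise ValueError(f"member tag 0x{tag:02x}, want 0x{want:02x}")
        items.append(element(tag, val))
    return items

FIELDS = ((0xa0, "namingAuthority", True, bytes),  # (tag, field, OPTIONAL?, parser); [0] EXPLICIT kept raw
          (0x30, "professionItems", False, lambda v: seq_of(v, directory_string)),
          (0x30, "professionOIDs", True, lambda v: seq_of(v, lambda t, x: x.hex(), 0x06)),
          (0x13, "registrationNumber", True, lambda v: directory_string(0x13, v)),
          (0x04, "addProfessionInfo", True, bytes))

def decode_profession_info(der):  # an OPTIONAL field is absent only when its tag is not next
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = {}, 0
    for want, name, optional, parse in FIELDS:
        present = pos < len(body) and body[pos] == want
        if not (present or optional):
            raise ValueError(f"{name} is mandatory")
        if present:
            _, val, pos = read_tlv(body, pos)
        out[name] = parse(val) if present else None
    if pos != len(body):
        raise ValueError("unexpected trailing element in ProfessionInfo")
    return out

# Constructed sample: one UTF8String profession item, one made-up OID, a registration number.
SAMPLE = b"\x30\x24\x30\x0e\x0c\x0cRechtsanwalt" + bytes.fromhex("300806062b0601040101") + b"\x13\x08RAK-0001"
```

An IA5String inside professionItems, or a ProfessionInfo without the mandatory professionItems, is rejected with a ValueError instead of being silently accepted.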
