On Thu, Mar 10, 2011, Christian Weber wrote:
> Hi there,
>
> in the past we have implemented some templates for x509v3
> extensions for certificates due to being able to handle
> some attributes defined in common-pki 2.0.
>
> One of the more structured attributes is admission:
>
> >id-isismtt-at-admission OBJECT IDENTIFIER ::= {id-isismtt-at 3}
> >id-isismtt-at-namingAuthorities OBJECT IDENTIFIER ::= {id-isismtt-at 11}
> >AdmissionSyntax ::= SEQUENCE {
> >    admissionAuthority GeneralName OPTIONAL,
> >    contentsOfAdmissions SEQUENCE OF Admissions }
> >Admissions ::= SEQUENCE {
> >    admissionAuthority [0] EXPLICIT GeneralName OPTIONAL,
> >    namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL,
> >    professionInfos SEQUENCE OF ProfessionInfo }
> >NamingAuthority ::= SEQUENCE {
> >    namingAuthorityId OBJECT IDENTIFIER OPTIONAL,
> >    namingAuthorityUrl IA5String OPTIONAL,
> >    namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
> >}
> >ProfessionInfo ::= SEQUENCE {
> >    namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
> >    professionItems SEQUENCE OF DirectoryString(SIZE(1..128)),
> >    professionOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
> >    registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
> >    addProfessionInfo OCTET STRING OPTIONAL
> >}
>
> So we defined (representing the ProfessionInfo part of the structure):
>
> >typedef STACK_OF(DIRECTORYSTRING) DIRECTORYSTRINGS;
> >DECLARE_ASN1_FUNCTIONS(DIRECTORYSTRINGS)
> >DECLARE_ASN1_ITEM(DIRECTORYSTRINGS)
> >
> >typedef struct X509_ADMISSION_PROF_INFO_st {
> >    X509_ADMISSION_NAM_AUTH *namingAuthority;   // optional
> >    DIRECTORYSTRINGS *professionItems;
> >    ASN1_OBJECTS *professionOIDs;               // optional
> >    ASN1_PRINTABLESTRING *registrationNumber;   // optional
> >    ASN1_OCTET_STRING *addProfessionInfo;       // optional
> >} X509_ADMISSION_PROF_INFO;
>
> and (nearly) all went ok. For parsing the template we had to patch
> tasn_dec.c not to complain about errors to optional template
> elements.
>
> With version 1.0.0 DIRECTORYSTRING support seems to have gone or otherwise
> substituted.
>
> We were using the structures with (code snippet)
>
> >ASN1_SEQUENCE(X509_ADMISSION_PROF_INFO) = {
> >    ASN1_EXP_OPT(X509_ADMISSION_PROF_INFO, namingAuthority,
> >                 X509_ADMISSION_NAM_AUTH, 0),
> >    ASN1_SEQUENCE_OF(X509_ADMISSION_PROF_INFO, professionItems,
> >                     DIRECTORYSTRING),
> >    ASN1_OPT(X509_ADMISSION_PROF_INFO, professionOIDs, ASN1_OBJECTS),
> >    ASN1_OPT(X509_ADMISSION_PROF_INFO, registrationNumber,
> >             ASN1_PRINTABLESTRING),
> >    ASN1_OPT(X509_ADMISSION_PROF_INFO, addProfessionInfo, ASN1_OCTET_STRING)
> >} ASN1_SEQUENCE_END(X509_ADMISSION_PROF_INFO)
> >
> >IMPLEMENT_ASN1_FUNCTIONS(X509_ADMISSION_PROF_INFO)
> ...
> >X509_ADMISSION_PROF_INFO_SK *sk_apis = i2_admissions->professionInfos;
> >for (int i3 = 0; i3 < sk_X509_ADMISSION_PROF_INFO_num(sk_apis); i3++)
> >{
> >    X509_ADMISSION_PROF_INFO *api =
> >        sk_X509_ADMISSION_PROF_INFO_value(sk_apis, i3);
> >    if (api)
> >    {
> >        X509_ADMISSION_NAM_AUTH *namingAuthority2 =
> >            api->namingAuthority;
> >        // namingAuthority2 (see above --> namingAuthority)
> >        if (namingAuthority2)
> >        {
> >            avnode *att_na =
> >                Attribute_namingAuthority(namingAuthority2);
> >            if (att_na)
> >                prof->adoptname("namingAuthority", att_na);
> >            else
> >                prof->addname("namingAuthority").addvalue("[PARSING FAILURE]");
> >        }
> ... now look at the professionItems ...
> >        for (int i4 = 0; i4 < sk_num(api->professionItems); i4++)
> >        {
> >            ASN1_STRING *as = sk_value(api->professionItems, i4);
> >            prof->addname("professionItem")
> >                .addvalue(Certificate::ASN1_STRING_UTF8String(as));
> >        }
>
> Currently the compiler dislikes sk_num as well as sk_DIRECTORYSTRING_num.
> So we had to fall back to the general ASN1_STRING type and do the checking
> by hand within the code.
>
> It would be nice to have some type that implicitly does the typechecking on
> the ASN1 objects. So how to define some MB_STRING that makes the lib do the
> checks?
> We've already noticed some MB_STRING (or so) with a Mask, but don't know how
> to use it.
>
> At last the patch to tasn_dec.c .
>
> >--- C:/wrk/openssl-1.0.0d/crypto/asn1/tasn_dec.c Tue Jun 15 18:25:06 2010
> >+++ S:/Build/SAK-2.1/openssl-1.0.0d/crypto/asn1/tasn_dec.c Thu Mar 10
> >01:26:40 2011
> >@@ -188,6 +188,8 @@
> > */
> > if ((tag != -1) || opt)
> > {
> >+ /* If OPTIONAL, assume this is OK Patch
> >5.2.2010 ChWe */
> >+ if (opt) return -1;
> > ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
> > ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
> > goto err;
>
> We wonder if this is critical in any aspect? With the patch the lib still seems
> to work for us.
>
> What are we missing? Any hints?
>
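Review bot: the added `if (opt) return -1;` sits inside the `if ((tag != -1) || opt)` block that exists precisely to reject item templates carrying tag or OPTIONAL flags, so it turns a template-definition error into the decoder's normal "optional element absent" result (-1) and skips the `ASN1err(... ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE)` report and the `goto err` cleanup that follow it. The error being silenced is a genuine defect in the caller's template (ASN1_OPT applied to the SEQUENCE OF professionOIDs), so the fix belongs in the template, with ASN1_SEQUENCE_OF_OPT, and this hunk should be dropped: a libcrypto that returns "absent" for every illegal item template will hide the same class of mistake in every other template it is ever used with.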
The DIRECTORYSTRING primitive definition should exist but it doesn't have a
typedef, it is just an ASN1_STRING.

You shouldn't need that patch. I think your problem is:

ASN1_OPT(X509_ADMISSION_PROF_INFO, professionOIDs, ASN1_OBJECTS),

Which is making an item template optional. Try instead doing:

ASN1_SEQUENCE_OF_OPT(X509_ADMISSION_PROF_INFO, professionOIDs, ASN1_OBJECT),

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
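As an added illustration (not code from this thread and not OpenSSL's own code), the following pure-Python DER encoder and decoder covers the ProfessionInfo SEQUENCE quoted above. OpenSSL's template API is C, so this is a stand-in that makes two points of the exchange concrete: an OPTIONAL SEQUENCE OF such as professionOIDs (the member the reply says must be declared with ASN1_SEQUENCE_OF_OPT rather than ASN1_OPT) is recognised by its tag and simply skipped when absent, and the DirectoryString type and size check is something the caller has to do itself because DIRECTORYSTRING is just an ASN1_STRING. All function names, the sample profession strings, the naming-authority URL and the 2.999.x OID are constructed for this example; the NamingAuthority member is carried as opaque DER bytes rather than decoded.

```python
# Added example, not code from the thread or from OpenSSL: pure-Python DER
# encoder/decoder for ProfessionInfo. Names and sample values are constructed.

# Universal tags used here, plus the DirectoryString CHOICE set (X.520).
UTF8STRING, PRINTABLESTRING, TELETEXSTRING, UNIVERSALSTRING, BMPSTRING = 12, 19, 20, 28, 30
OID, OCTET_STRING, IA5STRING, SEQUENCE, CTX0_EXPLICIT = 6, 4, 22, 0x30, 0xA0
DIRECTORYSTRING = {UTF8STRING: "utf-8", PRINTABLESTRING: "ascii", TELETEXSTRING: "latin-1",
                   UNIVERSALSTRING: "utf-32-be", BMPSTRING: "utf-16-be"}

def _length(n):
    """DER length octets, short or long form."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:   # base-128, high bit = "more follows"
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.insert(0, 0x80 | (v & 0x7F))
        out += bytes(chunk)
    return tlv(OID, bytes(out))

def decode_oid(body):
    subids, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    lead = 2 if subids[0] >= 80 else subids[0] // 40
    return ".".join(map(str, [lead, subids[0] - 40 * lead] + subids[1:]))

def decode_directory_string(tag, body):
    """The check OpenSSL leaves to the caller: DirectoryString(SIZE(1..128))."""
    if tag not in DIRECTORYSTRING:
        raise ValueError("professionItem tag %d is not a DirectoryString" % tag)
    text = body.decode(DIRECTORYSTRING[tag])
    if not 1 <= len(text) <= 128:
        raise ValueError("DirectoryString length outside SIZE(1..128)")
    return text

def encode_profession_info(items, oids=None, reg=None, extra=None, naming_authority=None):
    """Members in template order; every None is an absent OPTIONAL member."""
    body = b""
    if naming_authority is not None:               # [0] EXPLICIT NamingAuthority OPTIONAL
        body += tlv(CTX0_EXPLICIT, naming_authority)
    body += tlv(SEQUENCE, b"".join(tlv(UTF8STRING, s.encode("utf-8")) for s in items))
    if oids is not None:                           # SEQUENCE OF OBJECT IDENTIFIER OPTIONAL
        body += tlv(SEQUENCE, b"".join(encode_oid(o) for o in oids))
    if reg is not None:
        body += tlv(PRINTABLESTRING, reg.encode("ascii"))
    if extra is not None:
        body += tlv(OCTET_STRING, extra)
    return tlv(SEQUENCE, body)

def decode_profession_info(der):
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single SEQUENCE")
    pos = 0

    def take_if(expected):
        # An OPTIONAL member is present only if the next tag matches; this is the
        # decision ASN1_EXP_OPT / ASN1_SEQUENCE_OF_OPT make inside an OpenSSL template.
        nonlocal pos
        if pos < len(body) and body[pos] == expected:
            _, inner, pos = read_tlv(body, pos)
            return inner

    out = {"namingAuthority": take_if(CTX0_EXPLICIT)}  # kept as opaque DER here
    items = take_if(SEQUENCE)
    if items is None:
        raise ValueError("professionItems is mandatory")
    out["professionItems"] = [decode_directory_string(t, b) for t, b in children(items)]
    oids = take_if(SEQUENCE)
    out["professionOIDs"] = None if oids is None else [decode_oid(b) for _, b in children(oids)]
    reg = take_if(PRINTABLESTRING)
    out["registrationNumber"] = None if reg is None else reg.decode("ascii")
    out["addProfessionInfo"] = take_if(OCTET_STRING)
    if pos != len(body):
        raise ValueError("unexpected trailing member in ProfessionInfo")
    return out

# Constructed sample values, not taken from any real certificate.
NAMING_AUTHORITY_DER = tlv(SEQUENCE, tlv(IA5STRING, b"http://naming.example.invalid"))
FULL_DER = encode_profession_info(["Notar", "Rechtsanwalt"], oids=["2.999.1"], reg="RA-0001",
                                  extra=b"\x01", naming_authority=NAMING_AUTHORITY_DER)
MINIMAL_DER = encode_profession_info(["Notar"])
BAD_ITEM_DER = tlv(SEQUENCE, tlv(SEQUENCE, tlv(OCTET_STRING, b"binary, not a DirectoryString")))
```

Decoding FULL_DER yields all five members, decoding MINIMAL_DER yields professionItems alone with the four OPTIONAL members set to None, and BAD_ITEM_DER is rejected because its single professionItem is an OCTET STRING rather than one of the DirectoryString types.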