Also note that the official ASN.1 declaration for
AlgorithmIdentifier (from X.509 (2012), section 7.2) marks
the parameters field as OPTIONAL, so parsers really should
accept its absence.

However, if broken parsers are common (this thread
only found one such parser), maybe it would be
good practice to include the NULL value for compatibility.

AlgorithmIdentifier{ALGORITHM:SupportedAlgorithms} ::= SEQUENCE {
    algorithm ALGORITHM.&id({SupportedAlgorithms}),
    parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL,
... }

On 2021-01-28 20:07, Thulasi Goriparthi wrote:
I am trying to provide a test certificate generated by openssl-3.0.0-alpha10 to a third party certificate parser/manager. This software expects AlgorithmIdentifier to either have parameters or to have null encoded (05 00) parameters which seems to be missing in the certificate.

Certificate generated by openssl-3.0.0-alpha10

    0:d=0  hl=4 l=1030 cons: SEQUENCE
    4:d=1  hl=4 l= 752 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
*   16:d=2  hl=2 l=  11 cons: SEQUENCE *
*   18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption*
*   29:d=2  hl=3 l= 143 cons: *SEQUENCE
   32:d=3  hl=2 l=  11 cons: SET
   34:d=4  hl=2 l=   9 cons: SEQUENCE
   36:d=5  hl=2 l=   3 prim: OBJECT            :countryName

Certificate generated by openssl-1.1.1g

    0:d=0  hl=4 l= 988 cons: SEQUENCE
    4:d=1  hl=4 l= 708 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
*   16:d=2  hl=2 l=  13 cons: SEQUENCE *
*   18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption*
*   29:d=3  hl=2 l=   0 prim: NULL *
   31:d=2  hl=3 l= 143 cons: SEQUENCE
   34:d=3  hl=2 l=  11 cons: SET
   36:d=4  hl=2 l=   9 cons: SEQUENCE
   38:d=5  hl=2 l=   3 prim: OBJECT            :countryName

From https://tools.ietf.org/html/rfc5280#section-4.1.1.2, it isn't clear if NULL parameters can be completely omitted or if it should still have NULL encoding.

Is this too stringent a check in the third-party s/w or a miss in openssl-3.0.0-alpha10?

Thanks,
Thulasi.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
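As an added example (not OpenSSL's code, nor from either poster), here is a small DER decoder that reads an AlgorithmIdentifier and classifies its parameters field as absent, NULL or present, i.e. the lenient behaviour the OPTIONAL declaration quoted above calls for. The two input vectors are constructed to match the lengths shown in the asn1parse dumps (l=11 without parameters, l=13 with 05 00); only definite-length DER is handled.

```python
# Added example (not OpenSSL's own code): decode an AlgorithmIdentifier and
# classify its parameters field, accepting absence as the X.509 OPTIONAL
# declaration above permits. Definite-length DER only.

SHA256_WITH_RSA = "1.2.840.113549.1.1.11"

# Constructed vectors matching the two asn1parse dumps in the thread:
# openssl-3.0.0-alpha10 form (l=11), parameters omitted entirely ...
ALGID_NO_PARAMS = bytes.fromhex("300b06092a864886f70d01010b")
# ... and openssl-1.1.1g form (l=13), explicit NULL parameters (05 00).
ALGID_NULL_PARAMS = bytes.fromhex("300d06092a864886f70d01010b0500")


def read_tlv(buf, off):
    """Return (tag, content, next_offset) for the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    end = off + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[off:end], end


def decode_oid(content):
    """OID content octets to dotted form (first arc 0 or 1, as for RSA OIDs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_algorithm_identifier(der):
    """Return (oid, params) with params one of 'absent', 'null', 'present'."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid_bytes, pos = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    if pos == len(seq):
        return decode_oid(oid_bytes), "absent"  # OPTIONAL field omitted
    tag, params, pos = read_tlv(seq, pos)
    if pos != len(seq):
        raise ValueError("trailing data inside AlgorithmIdentifier")
    kind = "null" if tag == 0x05 and not params else "present"
    return decode_oid(oid_bytes), kind
```

Both vectors decode to the same sha256WithRSAEncryption OID; a checker that only differs in the returned parameter kind can log the difference rather than reject the certificate.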
