gnutls-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Help required for CSR validation

From: Wilankar, Trupti
Subject: Help required for CSR validation
Date: Tue, 17 Nov 2009 07:14:19 +0000

Hello,

 

I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support.

We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs.

 Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR.

 

We generated CSRs with same DN attributes with GnuTLS and OpenSSL.  After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature.

 
The output from OpenSSL asn1parse for CSR generated by OpenSSL (with similar DN attributes):
 
$ openssl asn1parse -in openssl.req
    0:d=0  hl=4 l= 452 cons: SEQUENCE
    4:d=1  hl=4 l= 301 cons: SEQUENCE
    8:d=2  hl=2 l=   1 prim: INTEGER           :00
   11:d=2  hl=3 l= 131 cons: SEQUENCE
   14:d=3  hl=2 l=  11 cons: SET
   16:d=4  hl=2 l=   9 cons: SEQUENCE
   18:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   23:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IN
   27:d=3  hl=2 l=  20 cons: SET
   29:d=4  hl=2 l=  18 cons: SEQUENCE
   31:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   36:d=5  hl=2 l=  11 prim: PRINTABLESTRING   :Maharashtra
   49:d=3  hl=2 l=  15 cons: SET
   51:d=4  hl=2 l=  13 cons: SEQUENCE
   53:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   58:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Mumbai
   66:d=3  hl=2 l=  34 cons: SET
   68:d=4  hl=2 l=  32 cons: SEQUENCE
   70:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   75:d=5  hl=2 l=  25 prim: PRINTABLESTRING   :Tata Consultancy Services
  102:d=3  hl=2 l=  15 cons: SET
  104:d=4  hl=2 l=  13 cons: SEQUENCE
  106:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  111:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :HP NED
  119:d=3  hl=2 l=  24 cons: SET
  121:d=4  hl=2 l=  22 cons: SEQUENCE
  123:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  128:d=5  hl=2 l=  15 prim: PRINTABLESTRING   :www.scarlet.com
  145:d=2  hl=3 l= 159 cons: SEQUENCE
  148:d=3  hl=2 l=  13 cons: SEQUENCE
  150:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  161:d=4  hl=2 l=   0 prim: NULL                                    <==========
  163:d=3  hl=3 l= 141 prim: BIT STRING
  307:d=2  hl=2 l=   0 cons: cont [ 0 ]
  309:d=1  hl=2 l=  13 cons: SEQUENCE
  311:d=2  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption
  322:d=2  hl=2 l=   0 prim: NULL                                    <==========
  324:d=1  hl=3 l= 129 prim: BIT STRING
 
 
The output from OpenSSL asn1parse for CSR generated by GnuTLS:
 
$ openssl asn1parse -in gnu.req
    0:d=0  hl=4 l= 447 cons: SEQUENCE
    4:d=1  hl=4 l= 298 cons: SEQUENCE
    8:d=2  hl=2 l=   1 prim: INTEGER           :00
   11:d=2  hl=3 l= 131 cons: SEQUENCE
   14:d=3  hl=2 l=  11 cons: SET
   16:d=4  hl=2 l=   9 cons: SEQUENCE
   18:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   23:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IN
   27:d=3  hl=2 l=  15 cons: SET
   29:d=4  hl=2 l=  13 cons: SEQUENCE
   31:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   36:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Mumbai
   44:d=3  hl=2 l=  20 cons: SET
   46:d=4  hl=2 l=  18 cons: SEQUENCE
   48:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   53:d=5  hl=2 l=  11 prim: PRINTABLESTRING   :Maharashtra
   66:d=3  hl=2 l=  24 cons: SET
   68:d=4  hl=2 l=  22 cons: SEQUENCE
   70:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   75:d=5  hl=2 l=  15 prim: PRINTABLESTRING   :www.scarlet.com
   92:d=3  hl=2 l=  15 cons: SET
   94:d=4  hl=2 l=  13 cons: SEQUENCE
   96:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  101:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :HP NED
  109:d=3  hl=2 l=  34 cons: SET
  111:d=4  hl=2 l=  32 cons: SEQUENCE
  113:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  118:d=5  hl=2 l=  25 prim: PRINTABLESTRING   :Tata Consultancy Services
  145:d=2  hl=3 l= 156 cons: SEQUENCE
  148:d=3  hl=2 l=  11 cons: SEQUENCE
  150:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
                                              --> NULL field missing
  161:d=3  hl=3 l= 140 prim: BIT STRING
  304:d=2  hl=2 l=   0 cons: cont [ 0 ]
  306:d=1  hl=2 l=  11 cons: SEQUENCE
  308:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
                                              --> NULL field missing
  319:d=1  hl=3 l= 129 prim: BIT STRING
 

The CSR generated using GnuTLS APIs:

 

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIBvzCCASoCAQAwgYMxCzAJBgNVBAYTAklOMQ8wDQYDVQQHEwZNdW1iYWkxFDAS

BgNVBAgTC01haGFyYXNodHJhMRgwFgYDVQQDEw93d3cuc2NhcmxldC5jb20xDzAN

BgNVBAsTBkhQIE5FRDEiMCAGA1UEChMZVGF0YSBDb25zdWx0YW5jeSBTZXJ2aWNl

czCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGAv/FlDNjp+Jer0dfnHpOMu06eaocT

WWugFEZTIJHsq1h2cQAu3aox/aP047umkyvndEFB3lB3wDoIIeu42sC3rvanWXrN

u5QYYxJbqSFjQNjncK5ZBuOkDpT+mr40THP5XasHJpDtyBi/eFLjkG5y8vncM9xM

7i9lwfWEsRHESmkCAwEAAaAAMAsGCSqGSIb3DQEBBQOBgQC8kcFxRVuPKaXZYxBT

AH1uvH7kTr/yeC8L5A3ctdzMX0KR2JSN1eB5PhYXhMzZRfhLrFtx0IP0RJS7uc0/

0mJ30lZpufbQSmJT+EIiamSm+zWvH3+SBn5VrP0gCyD0z5O3AK91YB9QXVFkCS/u

3WDjubwSoK4BmHY1W3z3xRSO1Q==

-----END NEW CERTIFICATE REQUEST-----

 
 
Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR.

 

Thanks,

Trupti

 
 

 

reply via email to
[Prev in Thread] Current Thread [Next in Thread]