Re: Help required for CSR validation
From: Nikos Mavrogiannopoulos
Subject: Re: Help required for CSR validation
Date: Wed, 18 Nov 2009 20:14:48 +0200
User-agent: Thunderbird 2.0.0.23 (X11/20090817)
Wilankar, Trupti wrote:
> Hello,
>
> I am from the iTP WebServer development team. The webserver runs on the HP
> NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1
> standards and are using GnuTLS to extend this support.
> We are facing problems with regards to validation of the CSR generated using
> the GnuTLS APIs.
> Though the CSR seems valid (as verified in OpenSSL and other online CSR
> decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR.
>
> We generated CSRs with same DN attributes with GnuTLS and OpenSSL. After
> ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by
> GnuTLS misses NULL paddings separating the CertificationRequestInfo,
> signatureAlgorithm and Signature.
[...]
> Is it possible that the CAs are unable to generate a valid certificate due to
> these NULL paddings or is there another reason why these CAs fail to parse
> the CSR.
Hi,
Thanks for bringing that up to me. Probably it might be some error in
the parsing library of the CA. I attach you a quick fix and if it works
for you I will add an option to encode using this format in certtool.
regards,
Nikos
diff --git a/lib/x509/common.c b/lib/x509/common.c
index d3ca210..76e13e6 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1172,7 +1172,7 @@ _gnutls_x509_encode_and_copy_PKI_params (ASN1_TYPE dst,
*/
_gnutls_str_cpy (name, sizeof (name), dst_name);
_gnutls_str_cat (name, sizeof (name), ".algorithm.parameters");
- result = asn1_write_value (dst, name, NULL, 0);
+ result = asn1_write_value (dst, name, "\x05\x00", 2);
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
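Review bot: The replacement line `result = asn1_write_value (dst, name, "\x05\x00", 2);` hard-codes two raw bytes with no explanation. They are the DER encoding of an ASN.1 NULL (tag 0x05, length 0), so a named constant or a short comment would make that clear, and the comment block that ends just above the `_gnutls_str_cpy` call should be checked so it still matches the new behaviour. The write is also unconditional in the visible lines, while the message proposes making this encoding an option, so it would be worth gating it or confirming that every key type reaching this call should get an explicit NULL.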
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index dc18eaa..f5724dc 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -468,7 +468,7 @@ _gnutls_x509_write_sig_params (ASN1_TYPE dst, const char
*dst_name,
}
else
{ /* RSA */
- result = asn1_write_value (dst, name, NULL, 0);
+ result = asn1_write_value (dst, name, "\x05\x00", 2);
if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND)
{
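Review bot: In the `/* RSA */` branch the `"\x05\x00", 2` literal is repeated from lib/x509/common.c; one shared, named constant for the DER NULL would keep the two call sites from drifting apart. The check that follows still tolerates `ASN1_ELEMENT_NOT_FOUND`, so where the parameters element does not exist the NULL is skipped without an error, and a comment saying which structures that covers would help. Since `_gnutls_x509_write_sig_params` is not named as CSR-specific, confirm the new encoding is intended for everything that calls it.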
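The difference discussed in this message can be checked directly in a CSR's DER encoding. The following is an added example, not code from the thread or from GnuTLS: it reports whether the public-key and signature AlgorithmIdentifier fields carry no parameters or an explicit NULL (`05 00`). The function names and the sample CSR (empty subject, dummy key and signature bytes) are constructed for illustration.

```python
# Added example (not GnuTLS code): classify AlgorithmIdentifier parameters in a DER CSR.
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the TLV tuples found between offsets start and end."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def params_form(buf, alg):
    """Classify `parameters` of the AlgorithmIdentifier TLV tuple `alg`."""
    kids = children(buf, alg[1], alg[2])
    if not kids or kids[0][0] != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    if len(kids) == 1:
        return "absent"
    tag, start, end = kids[1]
    return "NULL" if tag == 0x05 and start == end else "other"

def csr_params(der):
    """Return (SubjectPublicKeyInfo form, signatureAlgorithm form)."""
    top = read_tlv(der, 0)
    info, sig_alg, _sig = children(der, top[1], top[2])
    spki = children(der, info[1], info[2])[2]  # version, subject, SPKI
    spki_alg = children(der, spki[1], spki[2])[0]
    return params_form(der, spki_alg), params_form(der, sig_alg)

# Constructed sample: CSR-shaped DER with empty subject and dummy key/signature.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only (< 128)

def sample_csr(params):
    rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + params)
    sha1rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + params)
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") +
               tlv(0x30, rsa + tlv(0x03, b"\x00\x01")) + tlv(0xA0, b""))
    return tlv(0x30, info + sha1rsa + tlv(0x03, b"\x00\x02"))
```

To check a real request, pass its DER bytes (the base64-decoded body of the PEM file) to `csr_params`.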