[Date Prev][Date Next] [Chronological] [Thread] [Top]

comp match module has unusable X509 cert code



Hi all!
I have performed some tests with the comp match module (yes it runs if you work around ITS 6556 ;-)).

The result is that the comp match module only works with very simple X509 certs that use old algorithms!

For example if you use X509 certificates with long serial numbers the snacc generated asn.1 parser (contained in file certificate.c) fails decoding the serial number.

Another drawback: The attributes in Name components subject and issuer (cn, c, o, ou) have to be PrintableStrings; if for example there is an UTF8String present in the issuer the asn.1 parser fails decoding the issuer.

All modern algorithms (sha256WithRSA, sha512WithRSA) are not recognized by the parser; if your X509 certificate is signed with sha256WithRSA the asn.1 parser fails decoding the AlgorithmIdentifier.

In modern times these drawbacks aren’t acceptable. Another appropriate asn.1 module for the X509 certificate structure has to be compiled with the openldap esnacc compiler. I would have done this but the openldap esnacc fails parsing its own modules!!!

See something like this:

 

openldap@ocsp-openldap24:~/Certificate> ~/openldap-snacc-2.3.6/compiler/esnacc  -E BER_COMP -E GSER -t -d -f  -I /home/openldap/openldap-snacc-2.3.6/asn1specs -I . Certificate.asn1

/home/openldap/openldap-snacc-2.3.6/asn1specs/asn1module.asn1(91) : parse error at symbol ""OID""

Parsing errors---cannot proceed

 

The code in the asn.1 module:

 

88 ModuleId ::= SEQUENCE

89 {

90     name MyString,

91     oid  OBJECT IDENTIFIER OPTIONAL --snacc cTypeName:"OID" isPtr:"TRUE"

92 }

93

 

 

Does anybody know how the esnacc error can be avoided?

Regards,

Hartmut