invalid x500UniqueIdentifier bitstring in openssl


invalid x500UniqueIdentifier bitstring in openssl

Lisa Matias
The x500UniqueIdentifier (OID=2.5.4.45) X500 object is supposed to be a
binary bit-string:

        http://www.alvestrand.no/objectid/2.5.4.45.html

So if I wish to add the unique ID to my certificate object and set its
value to 0xA1B2C3D4E5, I cannot find any proper way to do so.
Consider the following code snippet:

#include <openssl/x509.h>

X509_NAME_ENTRY *nameEntry = NULL;
X509_NAME *subject = X509_NAME_new ();
/* value passed as the 10-character text "A1B2C3D4E5" with type BIT STRING */
X509_NAME_ENTRY_create_by_NID (&nameEntry, NID_x500UniqueIdentifier,
V_ASN1_BIT_STRING, (const unsigned char *) "A1B2C3D4E5", 10);
X509_NAME_add_entry (subject, nameEntry, -1, 0);

The DER encoded value for this object should be:

    03:05:A1:B2:C3:D4:E5

But instead I get:

    03:0B:00:41:31:42:32:43:33:44:34:45:35
            "\0""A""1""B""2""C""3""D""4""E""5"

What am I doing wrong?  Is there a fix I can use?  Or is it that
OpenSSL does not properly handle the x500UniqueIdentifier bitstring?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: invalid x500UniqueIdentifier bitstring in openssl

Dr. Stephen Henson
On Fri, Mar 31, 2006, Lisa Matias wrote:

> The x500UniqueIdentifier (OID=2.5.4.45) X500 object is supposed to be a
> binary bit-string:
>
>         http://www.alvestrand.no/objectid/2.5.4.45.html
>
> So if I wish to add the unique ID to my certificate object and set its
> value to 0xA1B2C3D4E5, I cannot find any proper way to do so.
> Consider the following code snippet:
>
> X509_NAME_ENTRY *nameEntry;
> X509_NAME *subject = X509_NAME_new ();
> X509_NAME_ENTRY_create_by_NID (&nameEntry, NID_x500UniqueIdentifier,
> V_ASN1_BIT_STRING, "A1B2C3D4E5", 10);
> X509_NAME_add_entry (subject, nameEntry, -1, 0);
>
> The DER encoded value for this object should be:
>
>     03:05:A1:B2:C3:D4:E5
>
> But instead I get:
>
>     03:0B:00:41:31:42:32:43:33:44:34:45:35
>             "\0""A""1""B""2""C""3""D""4""E""5"
>
> What am I doing wrong?  Is there a fix I can use?  Or is it that
> OpenSSL does not properly handle the x500UniqueIdentifier bitstring?

If you want to use binary data you should pass binary data instead of a
string. For example:

unsigned char buf[] = {0xA1, 0xB2, 0xC3, 0xD4, 0xE5};

that would be 5 bytes long.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: invalid x500UniqueIdentifier bitstring in openssl

Lisa Matias
>> The x500UniqueIdentifier (OID=2.5.4.45) X500 object is supposed to be a
>> binary bit-string:
>>
>>         http://www.alvestrand.no/objectid/2.5.4.45.html
>>
>> So if I wish to add the unique ID to my certificate object and set its
>> value to 0xA1B2C3D4E5, I cannot find any proper way to do so.
>> Consider the following code snippet:
>> X509_NAME_ENTRY *nameEntry;
>> X509_NAME *subject = X509_NAME_new ();
>> X509_NAME_ENTRY_create_by_NID (&nameEntry, NID_x500UniqueIdentifier,
>> V_ASN1_BIT_STRING, "A1B2C3D4E5", 10);
>> X509_NAME_add_entry (subject, nameEntry, -1, 0);
>> The DER encoded value for this object should be:
>>     03:05:A1:B2:C3:D4:E5
>> But instead I get:
>>     03:0B:00:41:31:42:32:43:33:44:34:45:35
> If you want to use binary data you should pass binary data instead of a
> string. For example:
> unsigned char buf[] = {0xA1, 0xB2, 0xC3, 0xD4, 0xE5};
> that would be 5 bytes long.
> Steve.

I have made the change you specified above and I am now passing the
above binary string.  Now the x500UniqueIdentifier has the following
DER encoded value:

        03:06:00:A1:B2:C3:D4:E5

which contains a null byte 0x00 in error before the 0xA1B2C3D4E5 value.

How can I remove the null byte so that I can get the desired DER
encoded value instead?  The value should be set to:

        03:05:A1:B2:C3:D4:E5

Re: invalid x500UniqueIdentifier bitstring in openssl

Dr. Stephen Henson
On Fri, Mar 31, 2006, Lisa Matias wrote:

> >> The x500UniqueIdentifier (OID=2.5.4.45) X500 object is supposed to be a
> >> binary bit-string:
> >>
> >>         http://www.alvestrand.no/objectid/2.5.4.45.html
> >>
> >> So if I wish to add the unique ID to my certificate object and set its
> >> value to 0xA1B2C3D4E5, I cannot find any proper way to do so.
> >> Consider the following code snippet:
> >> X509_NAME_ENTRY *nameEntry;
> >> X509_NAME *subject = X509_NAME_new ();
> >> X509_NAME_ENTRY_create_by_NID (&nameEntry, NID_x500UniqueIdentifier,
> >> V_ASN1_BIT_STRING, "A1B2C3D4E5", 10);
> >> X509_NAME_add_entry (subject, nameEntry, -1, 0);
> >> The DER encoded value for this object should be:
> >>     03:05:A1:B2:C3:D4:E5
> >> But instead I get:
> >>     03:0B:00:41:31:42:32:43:33:44:34:45:35
> > If you want to use binary data you should pass binary data instead of a
> > string. For example:
> > unsigned char buf[] = {0xA1, 0xB2, 0xC3, 0xD4, 0xE5};
> > that would be 5 bytes long.
> > Steve.
>
> I have made the change you specified above and I am now passing the
> above binary string.  Now the x500UniqueIdentifier has the following
> DER encoded value:
>
>         03:06:00:A1:B2:C3:D4:E5
>
> which contains a null byte 0x00 in error before the 0xA1B2C3D4E5 value.
>
> How can I remove the null byte so that I can get the desired DER
> encoded value instead?  The value should be set to:
>
>         03:05:A1:B2:C3:D4:E5

Err, no, you don't want to remove the zero. That is the number of unused bits.
If you set it to 0xA1 that would be illegal; it can take a value from 0-7
only, and in the case of a BIT STRING without named bits it will always take
the value 0.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
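Steve's two replies above (pass the bytes, keep the zero octet), as an added example that is not from the thread and does not use OpenSSL: a minimal DER BIT STRING encoder and checker in plain C that reproduces both encodings Lisa saw and rejects the variant with the zero octet removed. The function names and sample bytes are constructed for this illustration.

```c
/* Added example, not code from the thread or from OpenSSL: DER BIT STRING
 * encoding of the value 0xA1B2C3D4E5 and the decoder check on the unused-bits octet. */
#include <stdint.h>
#include <string.h>

/* Encode an unnamed BIT STRING of whole octets (short-form length only).
 * Returns bytes written, or 0 on error. */
size_t der_bitstring(const uint8_t *in, size_t n, uint8_t *out, size_t cap) {
    if (n > 126 || cap < n + 3) return 0;
    out[0] = 0x03;              /* universal tag 3: BIT STRING */
    out[1] = (uint8_t)(n + 1);  /* length includes the unused-bits octet */
    out[2] = 0x00;              /* unused bits in last octet: 0 for whole octets */
    memcpy(out + 3, in, n);
    return n + 3;
}

/* Validate a short-form BIT STRING TLV; return payload length or -1. Rejects
 * an unused-bits octet above 7 (e.g. 0xA1) and non-zero padding bits (DER). */
int der_bitstring_check(const uint8_t *der, size_t n) {
    if (n < 3 || der[0] != 0x03 || der[1] > 127 || (size_t)der[1] + 2 != n)
        return -1;
    size_t unused = der[2], len = (size_t)der[1] - 1;
    if (unused > 7 || (len == 0 && unused) ||
        (unused && (der[n - 1] & ((1u << unused) - 1)))) return -1;
    return (int)len;
}

/* 1 if the five binary bytes encode as 03 06 00 A1 B2 C3 D4 E5 and decode. */
int demo_binary_value(void) {
    static const uint8_t id[] = {0xA1, 0xB2, 0xC3, 0xD4, 0xE5};  /* constructed */
    static const uint8_t want[] = {0x03, 0x06, 0x00, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5};
    uint8_t out[16];
    size_t n = der_bitstring(id, sizeof id, out, sizeof out);
    return n == sizeof want && memcmp(out, want, n) == 0 &&
           der_bitstring_check(out, n) == 5;
}

/* 1 if passing the hex text "A1B2C3D4E5" reproduces the first wrong result,
 * 03 0B 00 41 31 42 ..., i.e. the ASCII codes of the digits. */
int demo_text_mistake(void) {
    uint8_t out[16];
    size_t n = der_bitstring((const uint8_t *)"A1B2C3D4E5", 10, out, sizeof out);
    return n == 13 && out[1] == 0x0B && out[2] == 0 && out[3] == 'A' && out[4] == '1';
}

/* 1 if a decoder rejects 03 05 A1 ..., i.e. the zero octet "removed". */
int demo_rejects_bad_unused(void) {
    static const uint8_t bad[] = {0x03, 0x05, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5};
    return der_bitstring_check(bad, sizeof bad) == -1;
}
```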

Re: invalid x500UniqueIdentifier bitstring in openssl

Lisa Matias
>> I have made the change you specified above and I am now passing the
>> above binary string.  Now the x500UniqueIdentifier has the following
>> DER encoded value:
>>         03:06:00:A1:B2:C3:D4:E5
>> which contains a null byte 0x00 in error before the 0xA1B2C3D4E5 value.
>> How can I remove the null byte so that I can get the desired DER
>> encoded value instead?  The value should be set to:
>>         03:05:A1:B2:C3:D4:E5
> Err, no, you don't want to remove the zero. That is the number of unused bits.
> If you set it to 0xA1 that would be illegal; it can take a value from 0-7
> only, and in the case of a BIT STRING without named bits it will always take
> the value 0.

Now that I think about it, you are correct.  It is the same problem
that occurs with the PKCS1 signature in a certificate, which is also a
bitstring, and also has a null character prepended before the RSA
encrypted value.

I guess the real problem is that the PKIX idiots decided to use
bitstrings instead of octetstrings for signatures, unique identifiers,
etc.!  I cannot find any valid reason why they would do this.  If it
were up to me, I would replace all bitstrings containing unnamed
bits with octetstrings, since they are only binary blobs of data.

Thank you for your help Steve.

RE: invalid x500UniqueIdentifier bitstring in openssl

JoelKatz

> I guess the real problem is that the PKIX idiots decided to use
> bitstrings instead of octetstrings for signatures, unique identifiers,
> etc.!  I cannot find any valid reason why they would do this.  If it
> were up to me, I would replace all bitstrings containing unnamed
> bits with octetstrings, since they are only binary blobs of data.

        Bingo. This has annoyed the hell out of me too. The biggest nuisance for me
is when my analysis tools display them as long strings of ones and zeroes.

        DS



Re: invalid x500UniqueIdentifier bitstring in openssl

Peter Sylvester-3

- Signatures, uniqueIdentifiers etc. were not created by PKIX as far as
  I remember.
  It may be that those who are creating an inflation of data encapsulated
  in octet strings in PKIX are probably the same people.
  If they did not understand ASN.1 20 years ago and did not make
  progress ...
  I said "IF".
 
- Binary blobs of data do not necessarily have an octet boundary.
  It is a hack to encapsulate in a bit/octet string data that has a
  defined structure, e.g., X509 extensions, to circumvent problems with
  incomplete coders/decoders.
  The developers of these tools may be the same people described above.

:-)

David Schwartz wrote:

>> I guess the real problem is that the PKIX idiots decided to use
>> bitstrings instead of octetstrings for signatures, unique identifiers,
>> etc.!  I cannot find any valid reason why they would do this.  If it
>> were up to me, I would replace all bitstrings containing unnamed
>> bits with octetstrings, since they are only binary blobs of data.
>>    
>
> Bingo. This has annoyed the hell out of me too. The biggest nuisance for me
> is when my analysis tools display them as long strings of ones and zeroes.
>
> DS

--
To verify the signature, see http://edelpki.edelweb.fr/ 
This lets you load the authority's certificate;
the list of revoked certificates can also be found there.



Re: invalid x500UniqueIdentifier bitstring in openssl

Richard Salz
I'm fairly sure the BITSTRING datatype for signatures was chosen by the
PKCS working group, which at the time was a mostly self-selected group of
experts organized by RSA. It certainly wasn't chosen by IETF.  The X509v3
extension format was chosen by the X.509 group of ITU/ISO.

Hindsight's 20/20.

        /r$

--
SOA Appliance Group
IBM Application Integration Middleware
