[openssl.org #1060] [Bug Report] can't build user/issuer certificate chain with different asn1 types in issuer/subject
[firstname.lastname@example.org - Fri May 6 19:20:48 2005]:
> Hello,
>
> I have noticed a problem while using TC Trustcenter certificates with
> OpenSSL.
> The encoding of the 'Subject' in the issuer cert contains 'T61String'
> elements while the user cert issued by that sub-CA contains only
> 'PrintableString' in the 'Issuer' field.
> Based on that difference in types, OpenSSL is unable to
> a) find the issuer cert in the certstore because the hashes are different
> b) locate the certificate in the stack using sk_find after I placed the
> issuer cert in the store twice, with both names/hashes.
> Neither 0.9.7e nor 0.9.8 are able to build the cert chain.
> I did some debugging with 0.9.7e, which led me to the conclusions stated
> I rate this behaviour as a bug because the connection between two certs
> shouldn't be based on the way a string is encoded but on its value.
> I'm working on a temp workaround for our specific case but it's by no means
> a fix for the problem.
Almost all certificates not only keep the same string type but also the
same encoding. Doing otherwise would break quite a lot of software.
This also violates various standards.
For example in RFC3280.
The DN comparison algorithm states:
    (a) attribute values encoded in different types (e.g.,
    PrintableString and BMPString) MAY be assumed to represent
Later on it also states:
    CAs MUST encode the distinguished name in the subject field of a CA
    certificate identically to the distinguished name in the issuer field
    in certificates issued by that CA.
Nevertheless newer versions of OpenSSL should handle this situation but
not for the directory (CApath) based lookup. If the certificate is added
in a file based manner (CAfile) or directly it should be OK.
Directory based lookup will be supported at some point but it would
break existing hashes.
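The two lookup behaviours discussed in this thread, as an added illustration that is not code from the thread or from OpenSSL: a DER-encoded Name with one commonName is built once with T61String (as in the CA cert's Subject) and once with PrintableString (as in the Issuer field of the cert it signed); an encoding-sensitive hash over the raw DER, like the old directory-lookup key, differs, while a comparison on the canonical string value matches. The Name encoder/decoder and the canonicalisation are simplified stand-ins written for this example (ASCII-only values, short-form lengths), modelled on but not identical to OpenSSL's own.

```python
import hashlib
# ASN.1 universal tags, and the commonName OID 2.5.4.3 in DER
PRINTABLE_STRING, T61_STRING, UTF8_STRING = 0x13, 0x14, 0x0C
SEQUENCE, SET, OID_TAG = 0x30, 0x31, 0x06
OID_COMMON_NAME = bytes.fromhex("550403")

def _tlv(tag, body):
    """DER tag-length-value; short-form lengths suffice for this demo."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _walk(buf):
    """Yield (tag, body) for the consecutive short-form TLVs in buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length

def encode_name(cn, string_tag):
    """Name ::= SEQUENCE OF RDN, one RDN holding a CN of the given string type."""
    atv = _tlv(OID_TAG, OID_COMMON_NAME) + _tlv(string_tag, cn.encode("latin-1"))
    return _tlv(SEQUENCE, _tlv(SET, _tlv(SEQUENCE, atv)))

def canonical_name(der):
    """Re-encode each attribute value as a normalised UTF8String: string type
    dropped, case folded, whitespace collapsed (modelled on the canonical form
    newer OpenSSL compares on). Assumes ASCII values, where T61 == Latin-1."""
    [(_, rdns)] = _walk(der)
    out = b""
    for _, rdn in _walk(rdns):
        atvs = b""
        for _, atv in _walk(rdn):
            (_, oid), (_, value) = _walk(atv)
            text = " ".join(value.decode("latin-1").split()).lower()
            atvs += _tlv(SEQUENCE, _tlv(OID_TAG, oid) + _tlv(UTF8_STRING, text.encode()))
        out += _tlv(SET, atvs)
    return _tlv(SEQUENCE, out)

def der_hash(der):
    """Encoding-sensitive lookup key like the old CApath scheme:
    first four bytes of MD5 over the raw DER, read little-endian."""
    return int.from_bytes(hashlib.md5(der).digest()[:4], "little")

def issuer_matches(issuer_field_der, ca_subject_der):
    """Chain-building check that compares DN values rather than encodings."""
    return canonical_name(issuer_field_der) == canonical_name(ca_subject_der)

# Constructed sample: same CA name, T61String in the CA Subject, PrintableString in the user cert's Issuer
CA_SUBJECT = encode_name("Example Sub CA", T61_STRING)
USER_ISSUER = encode_name("Example Sub CA", PRINTABLE_STRING)
```

The two encodings differ in a single tag byte, which is enough to change the DER hash; a store keyed on that hash cannot find the issuer, whereas the value comparison still links the two certificates.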
OpenSSL Project http://www.openssl.org
Development Mailing List email@example.com
Automated List Manager firstname.lastname@example.org