From mboxrd@z Thu Jan 1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 13024 invoked from network); 8 Aug 2021 19:32:11 -0000
Received: from 1ess.inri.net (216.126.196.35) by inbox.vuxu.org with ESMTPUTF8; 8 Aug 2021 19:32:11 -0000
Received: from mimir.eigenstate.org ([206.124.132.107]) by 1ess; Sun Aug 8 15:09:27 -0400 2021
Received: from stockyard.fios-router.home (pool-100-37-247-10.nycmny.fios.verizon.net [100.37.247.10]) by mimir.eigenstate.org (OpenSMTPD) with ESMTPSA id 53358e41 (TLSv1.2:ECDHE-RSA-AES256-SHA:256:NO) for <9front@9front.org>; Sun, 8 Aug 2021 09:05:23 -0700 (PDT)
Message-ID:
To: 9front@9front.org
Date: Sun, 08 Aug 2021 12:05:20 -0400
From: ori@eigenstate.org
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: self-healing general-purpose shader
Subject: [9front] letsencrypt vs rsa2csr
Reply-To: 9front@9front.org
Precedence: bulk

Earlier today, sirjofri reported a bug with acmed:

sirjofri | ori: resp={
sirjofri | "type": "urn:ietf:params:acme:error:malformed",
sirjofri | "detail": "Error parsing certificate request: asn1: structure error: tags don't match (0 vs {class:2 tag:0 length:0 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:\u003cnil\u003e tag:0xc0026c5548 stringType:0 timeType:0 set:false omitEmpty:false} @323"

After some investigation into what was different between us and openssl, it looks like openssl was setting empty containers as constructed, but we weren't:

$ diff -u ok.dump sad.dump
--- ok.dumpSun Aug 8 08:21:57 2021
+++ sad.dumpSun Aug 8 08:27:49 2021
@@ -5,13 +5,13 @@ 13:d=3 hl=2 l= 23 cons: SET 15:d=4 hl=2 l= 21 cons: SEQUENCE 17:d=5 hl=2 l= 3 prim: OBJECT :commonName - 22:d=5 hl=2 l= 14 prim: UTF8STRING :eigenstate.org + 22:d=5 hl=2 l= 14 prim: PRINTABLESTRING :eigenstate.org 38:d=2 hl=4 l= 290 cons: SEQUENCE 42:d=3 hl=2 l= 13 cons: SEQUENCE 44:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption 55:d=4 hl=2 l= 0 prim: NULL 57:d=3 hl=4 l= 271 prim: BIT STRING - 332:d=2 hl=2 l= 0 cons: cont [ 0 ] + 332:d=2 hl=2 l= 0 prim: cont [ 0 ] 334:d=1 hl=2 l= 13 cons: SEQUENCE 336:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption 347:d=2 hl=2 l= 0 prim: NULL Here's a patch that changes this. I'm not a native asn.1 speaker, so I'm not entirely sure that this is correct. Do we only want to do this for some containers, or do we want it for all of them? --- //.git/fs/object/3909b83a90ff0c820ef7c903a03fc12b043ebfea/tree/sys/src/libsec/port/x509.c +++ sys/src/libsec/port/x509.c @@ -1025,8 +1025,8 @@ el = e.val.u.setval; else err = ASN_EINVAL; + *pconstr = CONSTR_MASK; if(el != nil) { - *pconstr = CONSTR_MASK; for(; el != nil; el = el->tl) { err = enc(&p, el->hd, lenonly); if(err != ASN_OK)
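Review bot: In the dump diff, the `UTF8STRING` vs `PRINTABLESTRING` line for the commonName is a separate difference from the one the ACME server complains about and does not need to change for this bug: the error names `class:2 tag:0` with `isCompound:false`, which is the `cont [ 0 ]` line at offset 332 flipping from `cons` to `prim`, and PrintableString is a permitted encoding for a DirectoryString commonName. Worth saying so in the commit message so the string-type difference is not mistaken for part of the fix.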
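Review bot: Moving `*pconstr = CONSTR_MASK;` above `if(el != nil)` is the right fix for this branch, because the constructed bit is a property of the type, not of the element count: X.690 requires SEQUENCE and SET, and any IMPLICITly tagged wrapper around them such as the `[0]` attributes set in a CSR, to carry the constructed bit even when they contain nothing, which is exactly what the openssl dump shows as `cons: cont [ 0 ]` with `l= 0`. So, to the question in the message: yes for every container that reaches this `setval` branch, no for primitive types, which are tagged elsewhere. Two small follow-ups: the assignment now also runs after `else err = ASN_EINVAL;`, which is only harmless if the caller ignores `*pconstr` on error, so either keep it inside the `if` without the `el != nil` guard or note that the error return dominates; and a regression test that encodes an empty SET OF and checks for the identifier octets `a0 00` rather than `80 00` would pin the behaviour down.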
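As an added illustration, not code from the patch or from libsec, here is a small C model of the two encodings the dump shows for the empty `[0]` container, paired with a tag check of the kind the ACME server's parser applies; `enc_container` and `tag_matches` are names chosen here, and restricting lengths to the DER short form is an assumption made to keep it small.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* X.690 §8.1.2 identifier-octet bits: class in the top two, constructed in bit 6. */
#define CLASS_CONTEXT 0x80
#define CONSTRUCTED   0x20

/*
 * Encode a list-valued container (SET, SEQUENCE, or a context-specific wrapper
 * around one) with a short-form length (bodylen < 128, an assumption here).
 * fixed == 0 reproduces the pre-patch behaviour: the constructed bit is set
 * only when the list is non-empty. fixed == 1 always sets it, which is what
 * DER requires because SET and SEQUENCE are constructed by definition.
 * Returns the number of bytes written.
 */
size_t enc_container(uint8_t *out, uint8_t cls, uint8_t tagno,
                     const uint8_t *body, size_t bodylen, int fixed)
{
    uint8_t tag = cls | tagno;
    if (fixed || bodylen > 0)
        tag |= CONSTRUCTED;
    out[0] = tag;
    out[1] = (uint8_t)bodylen;
    for (size_t i = 0; i < bodylen; i++)
        out[2 + i] = body[i];
    return 2 + bodylen;
}

/* Strict tag check of the kind behind "tags don't match": class, number and the
 * constructed bit must all agree. Returns 1 on match, 0 otherwise. */
int tag_matches(const uint8_t *buf, uint8_t cls, uint8_t tagno, int want_constructed)
{
    uint8_t want = cls | tagno | (want_constructed ? CONSTRUCTED : 0);
    return buf[0] == want;
}

int main(void)
{
    uint8_t buf[4];
    /* The CSR's empty attributes set: IMPLICIT [0] SET OF with no elements. */
    for (int fixed = 0; fixed <= 1; fixed++) {
        enc_container(buf, CLASS_CONTEXT, 0, NULL, 0, fixed);
        printf("fixed=%d -> %02x %02x, accepted=%d\n", fixed, buf[0], buf[1],
               tag_matches(buf, CLASS_CONTEXT, 0, 1));
    }
    return 0;
}
```

The pre-patch path emits `80 00` (primitive) and is rejected; the fixed path emits `a0 00` (constructed) and passes, matching the `cons: cont [ 0 ]` line in the openssl dump.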