* [9front] letsencrypt vs rsa2csr
@ 2021-08-08 16:05 ori
2021-08-08 20:23 ` Michael Forney
0 siblings, 1 reply; 3+ messages in thread
From: ori @ 2021-08-08 16:05 UTC (permalink / raw)
To: 9front
Earlier today, sirjofri reported a bug with
acmed:
sirjofri | ori: resp={
sirjofri | "type": "urn:ietf:params:acme:error:malformed",
sirjofri | "detail": "Error parsing certificate request:
asn1: structure error: tags don't match (0 vs {class:2 tag:0
length:0 isCompound:false}) {optional:false explicit:false
application:false private:false defaultValue:\u003cnil\u003e
tag:0xc0026c5548 stringType:0 timeType:0 set:false
omitEmpty:false} @323"
After some investigation into what was different between us
and openssl, it looks like openssl was setting empty containers
as constructed, but we werent:
$ diff -u ok.dump sad.dump
--- ok.dumpSun Aug 8 08:21:57 2021
+++ sad.dumpSun Aug 8 08:27:49 2021
@@ -5,13 +5,13 @@
13:d=3 hl=2 l= 23 cons: SET
15:d=4 hl=2 l= 21 cons: SEQUENCE
17:d=5 hl=2 l= 3 prim: OBJECT :commonName
- 22:d=5 hl=2 l= 14 prim: UTF8STRING :eigenstate.org
+ 22:d=5 hl=2 l= 14 prim: PRINTABLESTRING :eigenstate.org
38:d=2 hl=4 l= 290 cons: SEQUENCE
42:d=3 hl=2 l= 13 cons: SEQUENCE
44:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
55:d=4 hl=2 l= 0 prim: NULL
57:d=3 hl=4 l= 271 prim: BIT STRING
- 332:d=2 hl=2 l= 0 cons: cont [ 0 ]
+ 332:d=2 hl=2 l= 0 prim: cont [ 0 ]
334:d=1 hl=2 l= 13 cons: SEQUENCE
336:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
347:d=2 hl=2 l= 0 prim: NULL
Here's a patch that changes this. I'm not
a native asn.1 speaker, so I'm not entirely
sure that this is correct. Do we only want
to do this for some containers, or do we want
it for all of them?
--- //.git/fs/object/3909b83a90ff0c820ef7c903a03fc12b043ebfea/tree/sys/src/libsec/port/x509.c
+++ sys/src/libsec/port/x509.c
@@ -1025,8 +1025,8 @@
el = e.val.u.setval;
else
err = ASN_EINVAL;
+ *pconstr = CONSTR_MASK;
if(el != nil) {
- *pconstr = CONSTR_MASK;
for(; el != nil; el = el->tl) {
err = enc(&p, el->hd, lenonly);
if(err != ASN_OK)
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [9front] letsencrypt vs rsa2csr
2021-08-08 16:05 [9front] letsencrypt vs rsa2csr ori
@ 2021-08-08 20:23 ` Michael Forney
2021-08-08 23:54 ` ori
0 siblings, 1 reply; 3+ messages in thread
From: Michael Forney @ 2021-08-08 20:23 UTC (permalink / raw)
To: 9front
On 2021-08-08, ori@eigenstate.org <ori@eigenstate.org> wrote:
> Here's a patch that changes this. I'm not
> a native asn.1 speaker, so I'm not entirely
> sure that this is correct.
I think it is correct, it doesn't really make sense to have a
primitive set/sequence.
The basic encoding rules (of which DER is a subset) in X.690 say[0]:
8.9.1 The encoding of a sequence value shall be constructed.
8.10.1 The encoding of a sequence-of value shall be constructed.
8.11.1 The encoding of a set value shall be constructed.
8.12.1 The encoding of a set-of value shall be constructed.
> //.git/fs/object/3909b83a90ff0c820ef7c903a03fc12b043ebfea/tree/sys/src/libsec/port/x509.c
> +++ sys/src/libsec/port/x509.c
> @@ -1025,8 +1025,8 @@
> el = e.val.u.setval;
> else
> err = ASN_EINVAL;
> + *pconstr = CONSTR_MASK;
> if(el != nil) {
> - *pconstr = CONSTR_MASK;
> for(; el != nil; el = el->tl) {
> err = enc(&p, el->hd, lenonly);
> if(err != ASN_OK)
You could go a step further and remove the if-statement as well. It is
already taken care of by the initial for-loop condition.
[0] https://www.itu.int/rec/T-REC-X.690-202102-I/en
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [9front] letsencrypt vs rsa2csr
2021-08-08 20:23 ` Michael Forney
@ 2021-08-08 23:54 ` ori
0 siblings, 0 replies; 3+ messages in thread
From: ori @ 2021-08-08 23:54 UTC (permalink / raw)
To: 9front
Quoth Michael Forney <mforney@mforney.org>:
>
> You could go a step further and remove the if-statement as well. It is
> already taken care of by the initial for-loop condition.
Good point. Updated.
--- //.git/fs/object/3909b83a90ff0c820ef7c903a03fc12b043ebfea/tree/sys/src/libsec/port/x509.c
+++ sys/src/libsec/port/x509.c
@@ -1025,13 +1025,11 @@
el = e.val.u.setval;
else
err = ASN_EINVAL;
- if(el != nil) {
- *pconstr = CONSTR_MASK;
- for(; el != nil; el = el->tl) {
- err = enc(&p, el->hd, lenonly);
- if(err != ASN_OK)
- break;
- }
+ *pconstr = CONSTR_MASK;
+ for(; el != nil; el = el->tl) {
+ err = enc(&p, el->hd, lenonly);
+ if(err != ASN_OK)
+ break;
}
break;
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-09 6:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-08 16:05 [9front] letsencrypt vs rsa2csr ori
2021-08-08 20:23 ` Michael Forney
2021-08-08 23:54 ` ori
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).