Help required for CSR validation

Wilankar, Trupti trupti.wilankar at hp.com
Tue Nov 17 08:14:19 CET 2009


Hello,

I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support.
We are facing problems with regard to validation of the CSR generated using the GnuTLS APIs.
Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte, etc. give an error while parsing the CSR.

We generated CSRs with the same DN attributes with GnuTLS and OpenSSL. After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS is missing the NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature.



The output from OpenSSL asn1parse for CSR generated by OpenSSL (with similar DN attributes):



$ openssl asn1parse -in openssl.req
    0:d=0  hl=4 l= 452 cons: SEQUENCE
    4:d=1  hl=4 l= 301 cons: SEQUENCE
    8:d=2  hl=2 l=   1 prim: INTEGER           :00
   11:d=2  hl=3 l= 131 cons: SEQUENCE
   14:d=3  hl=2 l=  11 cons: SET
   16:d=4  hl=2 l=   9 cons: SEQUENCE
   18:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   23:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IN
   27:d=3  hl=2 l=  20 cons: SET
   29:d=4  hl=2 l=  18 cons: SEQUENCE
   31:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   36:d=5  hl=2 l=  11 prim: PRINTABLESTRING   :Maharashtra
   49:d=3  hl=2 l=  15 cons: SET
   51:d=4  hl=2 l=  13 cons: SEQUENCE
   53:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   58:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Mumbai
   66:d=3  hl=2 l=  34 cons: SET
   68:d=4  hl=2 l=  32 cons: SEQUENCE
   70:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   75:d=5  hl=2 l=  25 prim: PRINTABLESTRING   :Tata Consultancy Services
  102:d=3  hl=2 l=  15 cons: SET
  104:d=4  hl=2 l=  13 cons: SEQUENCE
  106:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  111:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :HP NED
  119:d=3  hl=2 l=  24 cons: SET
  121:d=4  hl=2 l=  22 cons: SEQUENCE
  123:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  128:d=5  hl=2 l=  15 prim: PRINTABLESTRING   :www.scarlet.com
  145:d=2  hl=3 l= 159 cons: SEQUENCE
  148:d=3  hl=2 l=  13 cons: SEQUENCE
  150:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  161:d=4  hl=2 l=   0 prim: NULL                                    <==========
  163:d=3  hl=3 l= 141 prim: BIT STRING
  307:d=2  hl=2 l=   0 cons: cont [ 0 ]
  309:d=1  hl=2 l=  13 cons: SEQUENCE
  311:d=2  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption
  322:d=2  hl=2 l=   0 prim: NULL                                    <==========
  324:d=1  hl=3 l= 129 prim: BIT STRING





The output from OpenSSL asn1parse for CSR generated by GnuTLS:



$ openssl asn1parse -in gnu.req
    0:d=0  hl=4 l= 447 cons: SEQUENCE
    4:d=1  hl=4 l= 298 cons: SEQUENCE
    8:d=2  hl=2 l=   1 prim: INTEGER           :00
   11:d=2  hl=3 l= 131 cons: SEQUENCE
   14:d=3  hl=2 l=  11 cons: SET
   16:d=4  hl=2 l=   9 cons: SEQUENCE
   18:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   23:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IN
   27:d=3  hl=2 l=  15 cons: SET
   29:d=4  hl=2 l=  13 cons: SEQUENCE
   31:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   36:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Mumbai
   44:d=3  hl=2 l=  20 cons: SET
   46:d=4  hl=2 l=  18 cons: SEQUENCE
   48:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   53:d=5  hl=2 l=  11 prim: PRINTABLESTRING   :Maharashtra
   66:d=3  hl=2 l=  24 cons: SET
   68:d=4  hl=2 l=  22 cons: SEQUENCE
   70:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   75:d=5  hl=2 l=  15 prim: PRINTABLESTRING   :www.scarlet.com
   92:d=3  hl=2 l=  15 cons: SET
   94:d=4  hl=2 l=  13 cons: SEQUENCE
   96:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  101:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :HP NED
  109:d=3  hl=2 l=  34 cons: SET
  111:d=4  hl=2 l=  32 cons: SEQUENCE
  113:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  118:d=5  hl=2 l=  25 prim: PRINTABLESTRING   :Tata Consultancy Services
  145:d=2  hl=3 l= 156 cons: SEQUENCE
  148:d=3  hl=2 l=  11 cons: SEQUENCE
  150:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
                                              --> NULL field missing
  161:d=3  hl=3 l= 140 prim: BIT STRING
  304:d=2  hl=2 l=   0 cons: cont [ 0 ]
  306:d=1  hl=2 l=  11 cons: SEQUENCE
  308:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
                                              --> NULL field missing
  319:d=1  hl=3 l= 129 prim: BIT STRING


The CSR generated using GnuTLS APIs:







Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings, or is there another reason why these CAs fail to parse the CSR?

Thanks,
Trupti
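
The two asn1parse dumps above differ in whether each RSA AlgorithmIdentifier (SEQUENCE of OID plus optional parameters) carries an explicit NULL after the OID. The following Python DER walker is an added example, not part of the original post and not GnuTLS or OpenSSL code; it reports that parameters field for PKCS #1 OIDs, and `sample_csr` builds a constructed CSR-shaped skeleton with dummy key and signature bits rather than the CSR from the post.

```python
PKCS1 = bytes.fromhex("2a864886f70d0101")   # DER bytes of OID arc 1.2.840.113549.1.1
NAMES = {1: "rsaEncryption", 4: "md5WithRSAEncryption", 5: "sha1WithRSAEncryption"}
NULL = b"\x05\x00"

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the definite-length TLV at off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    length = first
    if first & 0x80:                        # long form: low 7 bits count length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def algorithm_ids(der, start=0, end=None, found=None):
    """List (offset, name, params) for every PKCS #1 AlgorithmIdentifier in der."""
    found = [] if found is None else found
    off, end = start, len(der) if end is None else end
    while off < end:
        tag, vs, ve = read_tlv(der, off)
        if tag == 0x30 and vs < ve and der[vs] == 0x06:   # SEQUENCE { OID, ... }
            _, o_start, o_end = read_tlv(der, vs)
            oid, rest = der[o_start:o_end], der[o_end:ve]
            if len(oid) == 9 and oid.startswith(PKCS1):   # skips DN attributes
                params = "NULL" if rest == NULL else "other" if rest else "absent"
                found.append((off, NAMES.get(oid[8], "pkcs1-%d" % oid[8]), params))
        elif tag & 0x20:                                  # constructed: descend
            algorithm_ids(der, vs, ve, found)
        off = ve
    return found

def tlv(tag, body):                         # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_csr(with_null):
    # Constructed skeleton: version, one-RDN name, SPKI, empty [0], sig alg, signature.
    p = NULL if with_null else b""
    alg = lambda last: tlv(0x30, tlv(0x06, PKCS1 + bytes([last])) + p)
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x06") + tlv(0x13, b"IN"))))
    spki = tlv(0x30, alg(1) + tlv(0x03, b"\x00\xaa"))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + spki + tlv(0xA0, b""))
    return tlv(0x30, info + alg(5) + tlv(0x03, b"\x00\xbb"))

if __name__ == "__main__":
    for with_null in (True, False):
        print(with_null, algorithm_ids(sample_csr(with_null)))
```

To run it on a real request, pass the base64-decoded body of the PEM file to `algorithm_ids`.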







More information about the Gnutls-devel mailing list