Skip Menu |

This queue is for tickets about the Crypt-X509 CPAN distribution.

Report information
The Basics
Id: 38602
Status: resolved
Priority: 0/
Queue: Crypt-X509
People
Owner: Nobody in particular
Requestors: js [...] joergschneider.com
Cc:
AdminCc:
Bug Information
Severity: Important
Broken in:
  • 0.01
  • 0.2
  • 0.21
  • 0.32
Fixed in: (no value)

History Show all quoted text
  Wed Aug 20 05:06:59 2008 http://joergschneider.com/id/ - Ticket created
Subject: AlgorithmIdentifier.parameters not being optional breaks parsing of DSA/ECDSA signed certificates
PROBLEM DESCRIPTION The problem is independent of Perl version and OS. Crypt::X509 runs into an error when parsing DSA/ECDSA signed certificates which follow RFC2459 (and newer). The problem is the definition of AlgorithmIdentifier, which should be defined as (according to RFC2459): AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } Crypt::X509 uses the following definition (line 1271): AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY } Note the missing OPTIONAL. This is no problem for RSA, as RFC2459 requires NULL for parameters. For DSA signed certificates OPTIONAL is needed, because RFC2459 7.2.2 requires to omit the parameters field. The same problem exists for ECDSA signed certificates. FIX The problem can be fixed with the following one line patch: diff -ur Crypt-X509-0.32/lib/Crypt/X509.pm Crypt-X509-0.32-algid-fix/lib/Crypt/X509.pm --- Crypt-X509-0.32/lib/Crypt/X509.pm 2007-01-09 20:12:53.000000000 +0100 +++ Crypt-X509-0.32-algid-fix/lib/Crypt/X509.pm 2008-08-20 09:34:44.000000000 +0200 @@ -1270,7 +1270,7 @@ AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, - parameters ANY + parameters ANY OPTIONAL } HOW TO REPRODUCE $ openssl dsaparam -genkey 1024 >/tmp/dsakey.pem Generating DSA parameters, 1024 bit long prime This could take some time ......+......+............+......+..+......+..........+....+........+.+....+..+.....+............+..........+....+++++++++++++++++++++++++++++++++++++++++++++++++++* .+.....+....+....+....+......+...............+...........+....................+...................+...+.+..+..............+.........+...+.+...............+....................+.+.+..............................+..........+........+++++++++++++++++++++++++++++++++++++++++++++++++++* $ openssl req -x509 -new -key /tmp/dsakey.pem -subj /C=de/O=foo/CN=bar -outform der -out /tmp/dsacert.der $ perl -I Crypt-X509-0.32/lib/ -e 'use Crypt::X509; use Data::Dumper; undef $/; $servercert = Crypt::X509->new(cert => <>); if ($servercert->error) { print $servercert->error,"\n"; } else { print "ok\n"; }' /tmp/dsacert.der decode error at /usr/share/perl5/Convert/ASN1/_decode.pm line 119, <> chunk 1.
Subject: Crypt-X509-0.32-algid-fix.diff
diff -ur Crypt-X509-0.32/lib/Crypt/X509.pm Crypt-X509-0.32-algid-fix/lib/Crypt/X509.pm --- Crypt-X509-0.32/lib/Crypt/X509.pm 2007-01-09 20:12:53.000000000 +0100 +++ Crypt-X509-0.32-algid-fix/lib/Crypt/X509.pm 2008-08-20 09:34:44.000000000 +0200 @@ -1270,7 +1270,7 @@ AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, - parameters ANY + parameters ANY OPTIONAL }
  Thu Apr 23 08:01:57 2009 alexander.w.jung [...] gmail.com - Correspondence added
Hallo, Danke für den Patch. Das ist in Version 0.40 des Moduls ab heute Nachmittag enthalten. Mit freundlichen Grüßen, Alexander Jung
  Thu Apr 23 08:01:58 2009 The RT System itself - Status changed from 'new' to 'open'
  Thu Apr 23 08:01:59 2009 alexander.w.jung [...] gmail.com - Status changed from 'open' to 'resolved'