Fix distinguished name asn1. #140
Conversation
|
thanks for your PR - this is a fine backwards-compatible way solving inconsistencies in respect to #69. there are still some issues, though (repeating from NightBlues#2 (comment)): for a real CA system using ocaml-x509 it should ensure that reading the issuer used for signing is bitwise equal to the subject of the CA certificate. I guess this cannot be done in a backwards-compatible fashion, but instead requires the exposition of different string types (ia5string/utf8string/...) to the user in those parts of a DN where there's choice (and when there's no choice, we should be strict about the decoding and encoding -- and validate that with existing certificate chains / certificate corpusses: the specification/RFC may be more strict than the real world). maybe @paurkedal has an opinion or some insights? |
|
I was too quick replying here, lacking some context. The approach you suggest seems reasonable. |
Earlier, each component was serialised to a UTF8String, which is wrong for DomainComponent (IA5String), Serialnumber (PrintableString), CountryName (PrintableString), DnQualifier (PrintableString), EMail (IA5String). Reported in mirleft#69
hannesm
force-pushed
the
fix_distinguished_name
branch
from
1eb76b0
to
4728757
Compare
|
Thanks. I looked into this PR again, rebased it to the main branch (and rewrote the commit message slightly). This fixes an actual issue, and makes X509 conformant with the specification, and thus is good to be merged. |
CHANGES: * FEATURE PKCS12 support (mirleft/ocaml-x509#114 by @hannesm) * FEATURE ECDSA and EDDSA support via mirage-crypto-ec (mirleft/ocaml-x509#145 by @hannesm) This breaks some clients since the Private_key.t and Public_key.t variants are extended (may result in partial pattern matches of users of this library). * CRL.is_revoked has `crls` as last parameter to avoid warning 16 (4.12 compatibility) (mirleft/ocaml-x509#144 by @hannesm) * Signing_request.sign: add optional labelled argument `~subject` to allow changing the subject when signing a signing request (mirleft/ocaml-x509#139 by @reynir) * BUGFIX Encoding of Distinguished_name components (adhere to specification) DomainComponent and EMail are now serialised using a IA5String; Serialnumber, CountryName and DnQualifier as PrintableString (reported in mirleft/ocaml-x509#69, fixed mirleft/ocaml-x509#140 by @NightBlues) * BREAKING Remove `~sloppy` from Private_key.decode_{pem,der}. The seemingly bad RSA keys were valid and should have been accepted by mirage-crypto. (mirleft/ocaml-x509#142 by @psafont)
No description provided.