
Fix generation of ASN.1 representation of RelativeDistinguishedNames #235

Closed
wants to merge 1 commit into from

damyanmitev
Certificates created by the current version of PKI.js have their issuer and subject generated as multi-valued RDNs: all the sequences containing TypeAndValue are placed in the same set.
The ASN.1 representation of the subject of the certificate generated by X509_cert_complex_example is as follows:

        SEQUENCE
        {
            SET
            {
                SEQUENCE
                {
                    OBJECT IDENTIFIER=CountryName (2.5.4.6)
                    PRINTABLE STRING='RU'
                }
                SEQUENCE
                {
                    OBJECT IDENTIFIER=CommonName (2.5.4.3)
                    BMP STRING='Test'
                }
            }
        }

Although a conforming implementation should be able to parse this certificate correctly, on at least one occasion it has proven problematic. A specific example is Adobe Reader, which fails to build a certificate chain out of the certificates inside a signed PDF document, and subsequently fails validation.
The current approach to generating RDNs also differs from the approach used in popular open source crypto libraries like OpenSSL and BouncyCastle. There each TypeAndValue sequence resides in its own set. The ASN.1 representation of the same subject, generated by OpenSSL, looks like this:

        SEQUENCE
        {
            SET
            {
                SEQUENCE
                {
                    OBJECT IDENTIFIER=CountryName (2.5.4.6)
                    PRINTABLE STRING='RU'
                }
            }
            SET
            {
                SEQUENCE
                {
                    OBJECT IDENTIFIER=CommonName (2.5.4.3)
                    UTF8 STRING='Test'
                }
            }
        }

The proposed fix alters RDN generation to align with OpenSSL RDN generation.
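As an added example that is not part of this PR or of PKI.js, the Node.js code below hand-encodes the subject above in both shapes (using UTF8String for the commonName in both, unlike the BMPString in the PKI.js dump) and parses a DER Name back to report how many attributes each RDN holds, which makes the "one SET" versus "one SET per attribute" difference visible at the byte level. It assumes a Node environment with the global Buffer and short-form DER lengths.

```javascript
// Added example (not PKI.js code): hand-rolled DER for an X.509 Name in both shapes
const SEQ = 0x30, SET = 0x31, OID = 0x06, PRINTABLE = 0x13, UTF8 = 0x0c;
// Tag-Length-Value with the short definite length form (enough for small Names)
function tlv(tag, content) {
  if (content.length >= 0x80) throw new Error('long-form lengths not handled here');
  return [tag, content.length, ...content];
}
// OBJECT IDENTIFIER: "2.5.4.6" -> 06 03 55 04 06 (first two arcs packed, base-128 rest)
function encodeOid(dotted) {
  const arcs = dotted.split('.').map(Number), body = [arcs[0] * 40 + arcs[1]];
  for (const arc of arcs.slice(2)) {           // high bit set on all but the last octet
    const chunk = [arc & 0x7f];
    for (let v = arc >> 7; v > 0; v >>= 7) chunk.unshift(0x80 | (v & 0x7f));
    body.push(...chunk);
  }
  return tlv(OID, body);
}
// AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }
function atv(oid, strTag, text) {
  return tlv(SEQ, [...encodeOid(oid), ...tlv(strTag, [...Buffer.from(text, 'utf8')])]);
}
// RelativeDistinguishedName ::= SET OF AttributeTypeAndValue; DER sorts SET OF members by encoding
function rdn(atvs) {
  const sorted = [...atvs].sort((a, b) => Buffer.compare(Buffer.from(a), Buffer.from(b)));
  return tlv(SET, sorted.flat());
}
const C = atv('2.5.4.6', PRINTABLE, 'RU'); // countryName
const CN = atv('2.5.4.3', UTF8, 'Test');   // commonName
// Shape reported for PKI.js: a single multi-valued RDN holding both attributes
const NAME_MULTI_VALUED = tlv(SEQ, rdn([C, CN]));
// Shape produced by OpenSSL/BouncyCastle: one single-valued RDN per attribute
const NAME_ONE_PER_SET = tlv(SEQ, [...rdn([C]), ...rdn([CN])]);
// Minimal DER walker (short-form lengths): tag plus content bounds of each child TLV
function children(buf, start, end) {
  const out = [];
  for (let p = start; p < end; p += 2 + buf[p + 1])
    out.push({ tag: buf[p], start: p + 2, end: p + 2 + buf[p + 1] });
  return out;
}
// Name ::= SEQUENCE OF RDN; returns attributes per RDN: [2] = one multi-valued RDN, [1,1] = two single-valued
function rdnLayout(der) {
  const [name] = children(der, 0, der.length);
  if (name.tag !== SEQ) throw new Error('Name must be a SEQUENCE');
  return children(der, name.start, name.end).map((r) => {
    if (r.tag !== SET) throw new Error('each RDN must be a SET');
    return children(der, r.start, r.end).length;
  });
}
```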

@YuryStrozhevsky
Collaborator

@damyanmitev Really a bit strange for me, but this kind of "fix" I have seen from time to time in PKI.js issues/PRs (1, 2, 3 and probably there are others). You could check all the links I mentioned for my boring explanations about "why I would not change PKI.js". Especially you could be interested in this comment, where I mentioned a way you could easily change how RDNs for a certificate's object are processed.

Also I should say that I have done many, many PDF signings for about 3-4 years using PKI.js and had no issues with certificates. Could you please make an example signed PDF where Adobe could not recognize the certificate chain "because PKI.js made something wrong"?

@rmhrisk rmhrisk closed this Sep 11, 2020