david.cooper@nist.gov wrote:
Full_Name: David A. Cooper
Version: 2.4.16
OS: Linux
URL:
Submission from: (NULL) (129.6.54.72)
I am trying to add certificates to my directory that include unique identifiers (both issuerUniqueID and subjectUniqueID), but the certificates are being rejected as having invalid syntax (note that these certificates have been successfully validated by many different PKI client software products). I believe that the problem is in the certificateValidate function of servers/slapd/schema_init.c. In particular, the ASN.1 tags for the unique identifiers are defined as:
SLAP_X509_OPT_C_ISSUERUNIQUEID = SLAP_X509_OPTION + 1 (which is 81)
SLAP_X509_OPT_C_SUBJECTUNIQUEID = SLAP_X509_OPTION + 2 (which is 82)
where "SLAP_X509_OPTION = (LBER_CLASS_CONTEXT|LBER_CONSTRUCTED)" (which is A0)
I believe the tags for the unique identifiers should be 81 and 82 rather than A1 and A2, since the unique identifiers are of type BIT STRING and are thus primitive rather than constructed.
Thanks, you're right. Fixed in HEAD.
The same issue probably applies to the tags assigned to some of the fields of GeneralName, but this does not seem to be an issue at the moment since certificateValidate does not parse the contents of the Extensions field.
Right, we really only cared about the issuer and subject. (In previous releases we didn't parse any of this at all...)
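The tag mix-up discussed in this report, as an added example that is not code from the report or from slapd: a small DER walker (constant names follow the report; the sample TBSCertificate bytes are constructed, not a real certificate) that reports whether the unique-ID fields carry the primitive 81/82 tags or the constructed A1/A2 tags the 2.4.16 check looked for.

```python
# Added example, not code from the OpenLDAP report or from slapd itself:
# walk the top-level elements of a DER TBSCertificate and report how the
# optional issuerUniqueID [1] / subjectUniqueID [2] fields are tagged.
LBER_CLASS_CONTEXT = 0x80
LBER_CONSTRUCTED = 0x20
SLAP_X509_OPTION = LBER_CLASS_CONTEXT | LBER_CONSTRUCTED  # 0xA0
OLD_ISSUERUNIQUEID = SLAP_X509_OPTION + 1                 # 0xA1, as in 2.4.16
OLD_SUBJECTUNIQUEID = SLAP_X509_OPTION + 2                # 0xA2, as in 2.4.16
SLAP_X509_OPT_C_ISSUERUNIQUEID = LBER_CLASS_CONTEXT | 1   # 0x81, primitive [1]
SLAP_X509_OPT_C_SUBJECTUNIQUEID = LBER_CLASS_CONTEXT | 2  # 0x82, primitive [2]
def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-octet tag numbers do not occur in X.509")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def unique_id_tags(tbs):
    """Map field number (1 or 2) -> (tag byte, is a primitive BIT STRING) for
    the context-tagged [1]/[2] elements directly inside the TBSCertificate."""
    outer_tag, body, _ = read_tlv(tbs, 0)
    if outer_tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    found, pos = {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag & 0xC0 == LBER_CLASS_CONTEXT and tag & 0x1F in (1, 2):
            primitive = not (tag & LBER_CONSTRUCTED)
            # A BIT STRING value begins with its unused-bit count (0..7).
            found[tag & 0x1F] = (tag, primitive and len(val) > 0 and val[0] <= 7)
    return found

def unique_ids_well_formed(tbs):
    """True iff every unique ID present carries the primitive 81/82 tag."""
    return all(ok for _, ok in unique_id_tags(tbs).values())
# Constructed sample (not a real certificate): a TBSCertificate-shaped SEQUENCE
# holding a serial number plus both unique IDs with the correct tags ...
GOOD_TBS = bytes([0x30, 0x0B, 0x02, 0x01, 0x01,   # serialNumber 1
                  0x81, 0x02, 0x00, 0xAB,         # [1] IMPLICIT BIT STRING
                  0x82, 0x02, 0x00, 0xCD])        # [2] IMPLICIT BIT STRING
# ... and the same fields with the constructed A1/A2 tags 2.4.16 looked for.
BAD_TBS = bytes([0x30, 0x0B, 0x02, 0x01, 0x01,
                 0xA1, 0x02, 0x00, 0xAB, 0xA2, 0x02, 0x00, 0xCD])
```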