Hi all!
I have performed some tests with the comp match module (yes it runs if you work
around ITS 6556 ;-)).
The result is that the comp match module only works
with very simple X.509 certs that use old algorithms!
For example, if you use X.509 certificates with long
serial numbers, the snacc-generated ASN.1 parser (contained in the file certificate.c)
fails to decode the serial number.
Another drawback: the attributes in the Name components subject
and issuer (cn, c, o, ou) have to be PrintableStrings; if, for example, there is
a UTF8String present in the issuer, the ASN.1 parser fails to decode the issuer.
All modern algorithms (sha256WithRSA, sha512WithRSA)
are not recognized by the parser; if your X.509 certificate is signed with sha256WithRSA,
the ASN.1 parser fails to decode the AlgorithmIdentifier.
In modern times these drawbacks aren’t acceptable.
Another appropriate ASN.1 module for the X.509 certificate structure has to be
compiled with the OpenLDAP esnacc compiler. I would have done this, but the
OpenLDAP esnacc fails to parse its own modules!!!
See something like this:
openldap@ocsp-openldap24:~/Certificate>
~/openldap-snacc-2.3.6/compiler/esnacc -E BER_COMP -
/home/openldap/openldap-snacc-2.3.6/asn1specs/asn1module.asn1(91)
: parse error at symbol ""OID""
Parsing errors---cannot proceed
The code in the asn.1 module:
88 ModuleId ::= SEQUENCE
89 {
90 name MyString,
91 oid OBJECT IDENTIFIER OPTIONAL --snacc cTypeName:"OID" isPtr:"TRUE"
92 }
93
Does anybody know how the esnacc error can be avoided?
Regards,
Hartmut
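The three decoding failures described in the post (a multi-byte serial number, a UTF8String inside the issuer Name, and a sha256WithRSA AlgorithmIdentifier) are all plain DER and are easy to walk with a generic TLV reader. The block below is an added example written for this page, in Python rather than the snacc-generated C, and is not Hartmut's code or OpenLDAP's. It builds a constructed Certificate-shaped DER skeleton (tbsCertificate holding only version, serialNumber, signature and issuer, with dummy signature bytes; it is not a valid certificate) and then decodes exactly those fields. All helper names (`build_cert_skeleton`, `parse_cert`, `decode_name`, ...) are this example's own.

```python
# Added example: minimal DER walker for the Certificate fields the post says the
# snacc-generated parser rejects. The input is constructed below, not a real cert.

OID_SHA256_RSA = "1.2.840.113549.1.1.11"     # sha256WithRSAEncryption (PKCS #1)
ATTR_NAMES = {"2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.10": "o", "2.5.4.11": "ou"}
STRING_TAGS = {0x13: "PrintableString", 0x0C: "UTF8String", 0x16: "IA5String",
               0x14: "TeletexString", 0x1E: "BMPString"}

# ---- tiny DER encoder, used only to build the constructed input ----
def der_len(n):
    if n < 0x80:                              # short form
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b         # long form: 0x8N then N length bytes

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    # (bit_length + 8) // 8 leaves room for the 0x00 pad DER needs when the top bit is set
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_name(attrs):
    """Name ::= SEQUENCE OF RDN; each RDN here is a SET of one AttributeTypeAndValue."""
    rdns = b"".join(tlv(0x31, tlv(0x30, der_oid(oid) + tlv(tag, text.encode("utf-8"))))
                    for oid, tag, text in attrs)
    return tlv(0x30, rdns)

def build_cert_skeleton(serial, issuer_attrs, sig_oid):
    """Certificate-shaped DER (constructed, not valid): tbs carries only version,
    serialNumber, signature and issuer; the outer signature is dummy bytes."""
    alg = tlv(0x30, der_oid(sig_oid) + b"\x05\x00")           # AlgorithmIdentifier + NULL params
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + alg + der_name(issuer_attrs))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))     # BIT STRING, 0 unused bits

# ---- decoder ----
def read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                          # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(body):
    """(attribute, string type, text) per RDN; any DirectoryString choice is accepted."""
    out = []
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (str_tag, text) = list(children(atv))
            dotted = decode_oid(oid)
            out.append((ATTR_NAMES.get(dotted, dotted), STRING_TAGS.get(str_tag, hex(str_tag)),
                        text.decode("utf-16-be" if str_tag == 0x1E else "utf-8")))
    return out

def parse_cert(der):
    _, cert, _ = read_tlv(der, 0)
    tbs, sig_alg = [v for _, v in children(cert)][:2]
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                  # optional EXPLICIT [0] version
        fields.pop(0)
    return {
        "serial": int.from_bytes(fields[0][1], "big", signed=True),   # any length
        "tbs_signature": decode_oid(next(children(fields[1][1]))[1]),
        "issuer": decode_name(fields[2][1]),
        "signature_algorithm": decode_oid(next(children(sig_alg))[1]),
    }

# Constructed input: 20-byte serial with the top bit set, a UTF8String in the issuer,
# and sha256WithRSAEncryption as the signature algorithm.
SERIAL = int("A" * 40, 16)
ISSUER = [("2.5.4.6", 0x13, "DE"), ("2.5.4.10", 0x0C, "Müller GmbH"), ("2.5.4.3", 0x0C, "Test CA")]
CONSTRUCTED_DER = build_cert_skeleton(SERIAL, ISSUER, OID_SHA256_RSA)
```

Running `parse_cert(CONSTRUCTED_DER)` returns the 160-bit serial intact, the issuer as `c` (PrintableString), `o` (UTF8String) and `cn` (UTF8String), and the sha256WithRSA OID from both AlgorithmIdentifier positions. The point of the example is that a component-matching parser does not need to know the algorithm in advance: it only has to carry the OID through as dotted digits and accept every DirectoryString choice for Name attributes, and serial numbers decode from however many bytes the INTEGER carries.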