> On Mar 18, 2019, at 6:51 AM, Graham Leggett <minf...@sharp.fm> wrote:
> 
> The CSR is incomplete, but isn’t malformed.

A mandatory part of the CSR is missing.  It is malformed.

> The CSR is in the process of being built. Part of that process involves 
> sending the partially complete CSR to another module, which then completes 
> the CSR structure. This used to work, but has regressed when moving from 
> rhel6 to rhel7.
> 
>> which has a non-zero length signature algorithm OID (l = 9).  Your
>> example has "l=0" where one would expect the signature OID after
>> the extensions.
> 
> How do I fix openssl to parse this as it did before?

Since you don't have a CSR, the fix is to not attempt to encode the data
as a CSR.  It sounds like what you have is a CRI (that is a
CertificationRequestInfo structure) so you'll need to encode that instead.

  https://tools.ietf.org/html/rfc2986#section-4

The relevant codec functions are:  i2d_X509_REQ_INFO and d2i_X509_REQ_INFO.

A CSR is:

   CertificationRequest ::= SEQUENCE {
        certificationRequestInfo CertificationRequestInfo,
        signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
        signature          BIT STRING
   }

which encapsulates the CRI in a larger signed structure, adding precisely
the bits you're missing.

An alternative (if you must) is to create an actual CSR, with a dummy
signature OID and signature, and then ignore the signature on the other
side.

-- 
        Viktor.
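As an added illustration (not code from the thread or from OpenSSL), here is a small DER-level check that tells a full CertificationRequest apart from a bare CertificationRequestInfo by the tags of its top-level elements, which is exactly the distinction Viktor draws above. The sample blobs are constructed inline with empty subject, SPKI and signature fields, and the helper names are my own.

```python
# Added example: distinguish a CertificationRequest (RFC 2986 section 4)
# from a bare CertificationRequestInfo by inspecting the DER layout.
# This is a diagnostic only; it does not validate contents or signatures.

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _child_tags(value):
    """Tags of the immediate children of a constructed value."""
    tags, pos = [], 0
    while pos < len(value):
        tag, _, pos = _read_tlv(value, pos)
        tags.append(tag)
    return tags

def classify_request(der):
    """Return 'CSR', 'CRI' or 'unknown' based on the outer SEQUENCE layout."""
    tag, value, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return "unknown"
    tags = _child_tags(value)
    # CertificationRequest: SEQUENCE { SEQUENCE cri, SEQUENCE algid, BIT STRING sig }
    if tags == [0x30, 0x30, 0x03]:
        return "CSR"
    # CertificationRequestInfo: SEQUENCE { INTEGER version, SEQUENCE subject,
    #                                      SEQUENCE spki, [0] attributes }
    if tags == [0x02, 0x30, 0x30, 0xA0]:
        return "CRI"
    return "unknown"

def _seq(*items):
    body = b"".join(items)
    return b"\x30" + bytes([len(body)]) + body    # short-form length only

# Constructed sample input: a skeletal CRI and a CSR wrapping it with a
# sha256WithRSAEncryption AlgorithmIdentifier (9-byte OID) and an empty signature.
SAMPLE_CRI = _seq(b"\x02\x01\x00", _seq(), _seq(), b"\xa0\x00")
SAMPLE_CSR = _seq(SAMPLE_CRI,
                  _seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"),
                  b"\x03\x01\x00")

if __name__ == "__main__":
    print(classify_request(SAMPLE_CRI))   # CRI
    print(classify_request(SAMPLE_CSR))   # CSR
```

A blob that comes back as "CRI" should be fed to d2i_X509_REQ_INFO, not d2i_X509_REQ.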
