Hello.

I have a problem with NSS. Here's what I'm trying to achieve:

I have systems A and B which have a connection established. Then
system C connects to system A through SSL, identifying itself with a
client certificate. System C is then also expected to connect to system
B, and in doing so, it must identify with the same client certificate
as it did to A. So, I made A encode C's certificate to DER format and
send it to system B, before ordering C to connect to B. Once C
connects to B, B byte-compares the peer provided and the server
provided certificates to make sure they match.

Here's how I encoded the certificate (on system A once handshake is
done, and on B inside the SSL_AuthCertificateHook callback):
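
    /* certificate the SSL peer presented on this socket */
    CERTCertificate *cert = SSL_PeerCertificate(client->ssl_prfd);
    ...
    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    ...
    /* empty destination item; the encoder allocates der.data from the arena */
    SECItem der;
    der.len = 0;
    der.data = NULL;
    SEC_ASN1EncodeItem(arena, &der, cert,
                       SEC_ASN1_GET(CERT_CertificateTemplate));
    ...
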
It worked, the two DER encoded certificates matched on system B.

However, now I decided that B needs to know the common name of C
before C actually connects to B, for logging purposes. It could
determine that by parsing the DER certificate provided by system A. I
tried several functions which appear to be for parsing a certificate
into a CERTCertificate object (CERT_DecodeCertFromPackage,
CERT_NewTempCertificate, CERT_DecodeDERCertificate). However it always
failed. CERT_DecodeCertFromPackage fails with error
SEC_ERROR_LIBRARY_FAILURE, which was translated from
NSS_ERROR_NOT_FOUND.

I tried parsing the DER certificate (as encoded by SEC_ASN1EncodeItem)
with openssl, and it too has problems:

    $ openssl x509 -inform der -in cert.der
    unable to load certificate
    139697169598120:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
    139697169598120:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_CINF
    139697169598120:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=cert_info, Type=X509

    $ openssl asn1parse -in cert.der -inform DER
    0:d=0 hl=4 l= 311 cons: SEQUENCE
    4:d=1 hl=2 l= 3 cons: cont [ 0 ]
    6:d=2 hl=2 l= 1 prim: INTEGER :02
    9:d=1 hl=2 l= 5 prim: INTEGER :913ED80F
    16:d=1 hl=2 l= 13 cons: SEQUENCE
    18:d=2 hl=2 l= 9 prim: OBJECT:sha1WithRSAEncryption
    29:d=2 hl=2 l= 0 prim: NULL
    31:d=1 hl=2 l= 19 cons: SEQUENCE
    33:d=2 hl=2 l= 17 cons: SET
    35:d=3 hl=2 l= 15 cons: SEQUENCE
    37:d=4 hl=2 l= 3 prim: OBJECT:commonName
    42:d=4 hl=2 l= 8 prim: PRINTABLESTRING :ca-local
    52:d=1 hl=2 l= 30 cons: SEQUENCE
    54:d=2 hl=2 l= 13 prim: UTCTIME :100626225323Z
    69:d=2 hl=2 l= 13 prim: UTCTIME :110626225323Z
    84:d=1 hl=2 l= 21 cons: SEQUENCE
    86:d=2 hl=2 l= 19 cons: SET
    88:d=3 hl=2 l= 17 cons: SEQUENCE
    90:d=4 hl=2 l= 3 prim: OBJECT:commonName
    95:d=4 hl=2 l= 10 prim: PRINTABLESTRING :peer-plata
    107:d=1 hl=3 l= 159 cons: SEQUENCE
    110:d=2 hl=2 l= 13 cons: SEQUENCE
    112:d=3 hl=2 l= 9 prim: OBJECT:rsaEncryption
    123:d=3 hl=2 l= 0 prim: NULL
    125:d=2 hl=3 l= 141 prim: BIT STRING
    269:d=1 hl=2 l= 44 cons: cont [ 3 ]
    271:d=2 hl=2 l= 42 cons: SEQUENCE
    273:d=3 hl=2 l= 9 cons: SEQUENCE
    275:d=4 hl=2 l= 3 prim: OBJECT:X509v3 Basic Constraints
    280:d=4 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
    284:d=3 hl=2 l= 29 cons: SEQUENCE
    286:d=4 hl=2 l= 3 prim: OBJECT:X509v3 Extended Key Usage
    291:d=4 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030106082B06010505070302

So, why is the certificate being encoded incorrectly? Also, is this a
portable way of comparing certificates (e.g. can I be sure that another
SSL library will produce the same data)? I read that the DER format is
specifically designed so that there is only one way to encode a given
input. Is there some function that provides me with the raw
certificate as provided by the peer (rather than NSS decoding it and
my program encoding it back)? Or, should I be comparing only specific
parts of the certificate (common name, public key)?
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
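
Added example (not part of the original message, and not NSS or OpenSSL code): in the asn1parse dump above the outer SEQUENCE's first child is a [0] version tag, which is the layout of an X.509 TBSCertificate, whereas a full Certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }. The C sketch below classifies a DER blob by that layout before it is handed to a certificate parser; `der_hdr`, `classify_x509_der` and the sample arrays are hypothetical names with constructed data.

```c
#include <stddef.h>
#include <stdio.h>
enum der_kind { DER_MALFORMED, DER_CERTIFICATE, DER_TBS_CERTIFICATE, DER_OTHER };

/* Read one TLV header from p[0..n). Rejects indefinite lengths, length
 * fields longer than 4 bytes, and content that runs past the buffer. */
static int der_hdr(const unsigned char *p, size_t n,
                   unsigned *tag, size_t *len, size_t *hl)
{
    if (n < 2) return 0;
    *tag = p[0]; *hl = 2; *len = p[1];
    if (p[1] & 0x80) {
        size_t k = p[1] & 0x7f, i;
        if (k == 0 || k > 4 || n < 2 + k) return 0;
        for (*len = 0, i = 0; i < k; i++) *len = (*len << 8) | p[2 + i];
        *hl = 2 + k;
    }
    return *len <= n - *hl;
}

/* Certificate    = SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }
 * TBSCertificate = SEQUENCE { [0] version (or INTEGER serial in v1), ... } */
enum der_kind classify_x509_der(const unsigned char *buf, size_t n)
{
    unsigned tag; size_t rem, clen, hl;
    if (!der_hdr(buf, n, &tag, &rem, &hl) || tag != 0x30 || hl + rem != n)
        return DER_MALFORMED;
    const unsigned char *p = buf + hl;
    if (!der_hdr(p, rem, &tag, &clen, &hl)) return DER_MALFORMED;
    if (tag == 0xA0 || tag == 0x02) return DER_TBS_CERTIFICATE;
    for (int i = 0; i < 3; i++) {   /* a Certificate has exactly 3 children */
        if (!der_hdr(p, rem, &tag, &clen, &hl)) return DER_MALFORMED;
        if (tag != (i < 2 ? 0x30u : 0x03u)) return DER_OTHER;
        p += hl + clen; rem -= hl + clen;
    }
    return rem == 0 ? DER_CERTIFICATE : DER_OTHER;
}

/* Constructed samples; SAMPLE_TBS repeats the dump's first 9 bytes, then zeros. */
const unsigned char SAMPLE_TBS[315] =
    { 0x30, 0x82, 0x01, 0x37, 0xA0, 0x03, 0x02, 0x01, 0x02 };
const unsigned char SAMPLE_CERT[] =
    { 0x30, 0x0A, 0x30, 0x03, 0x02, 0x01, 0x05, 0x30, 0x00, 0x03, 0x01, 0x00 };

int main(void)
{
    puts(classify_x509_der(SAMPLE_TBS, sizeof SAMPLE_TBS) == DER_TBS_CERTIFICATE
         ? "sample is TBSCertificate-shaped" : "sample is not a TBSCertificate");
    return 0;
}
```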