Hi Martin,
The problem was fixed in a later version of BouncyCastle.
I registered https://jira.primekey.se/browse/DSS-777 to eventually
upgrade BC in SignServer.
Best regards,
Markus
PrimeKey Solutions offers a commercial EJBCA & SignServer support
subscription and training. Please see www.primekey.se or contact
in...@pr... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
On 2014-04-02 11:41, Markus Kilås wrote:
> Hi Martin,
>
> SignServer uses the BouncyCastle library (currently version 1.47) for
> constructing the PKCS#10 request.
>
> Looking at the code of BC, it looks like the attributes are not included
> if empty. I have forwarded your question to the bouncycastle mailing
> list here:
> http://bouncycastle.org/devmailarchive/msg13727.html
>
>
> Best regards,
> Markus
>
>
> On 2014-04-02 09:04, Martin Kannel wrote:
>> Hi signserver developers!
>>
>> I'm writing to notify you that Signserver 3.5.0 provides a slightly invalid
>> certificate request:
>>
>> In the current case, the KeyOne software from the Safelayer company does not
>> accept it as a valid request.
>> Here is this in more detail:
>> --------
>> In the ASN.1 specification of PKCS#10 :
>>
>> CertificationRequestInfo ::= SEQUENCE {
>>     version       INTEGER { v1(0) } (v1,...),
>>     subject       Name,
>>     subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
>>     attributes    [0] Attributes{{ CRIAttributes }}
>> }
>>
>> the attributes field is NOT OPTIONAL, so the DER encoding of this
>> structure, in case it doesn't specify any attribute, must be a SET OF of
>> length 0.
>>
>> In the DER encoding you've sent, this SET OF is not present, and so it is not a
>> correct PKCS#10
>> ------
>>
>> It seems like "attributes" field is missing?
>>
>>
>> Our components are:
>> RHEL6 + Oracle JDK7 + JBOSS 7.1.1 + Signserver 3.5.0 and nCipher netHSM using PKCS11 library
>>
>> Best regards
>>
>
>
>
--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden
Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
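
The encoding difference discussed in this thread, as an added example that is not code from the thread, SignServer or BouncyCastle: a minimal DER walker that reports whether a CertificationRequestInfo carries the `[0]` attributes field, and whether it is the empty `A0 00` form. The function names and the sample bytes are constructed for illustration, and only single-byte tags are handled.

```python
# Added example: classify the attributes field of a DER CertificationRequestInfo.
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the single-byte-tag DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def attributes_status(cri_der):
    """Return 'missing', 'empty' or 'present' for the [0] attributes field."""
    tag, body, end = read_tlv(cri_der, 0)
    if tag != 0x30 or end != len(cri_der):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        ftag, fbody, pos = read_tlv(body, pos)
        fields.append((ftag, fbody))
    # version INTEGER, subject SEQUENCE, subjectPKInfo SEQUENCE come first
    if [t for t, _ in fields[:3]] != [0x02, 0x30, 0x30]:
        raise ValueError("unexpected CertificationRequestInfo layout")
    if len(fields) == 3:
        return "missing"  # the encoding reported in the thread
    if len(fields) == 4 and fields[3][0] == 0xA0:  # [0] constructed
        return "present" if fields[3][1] else "empty"  # empty is A0 00
    raise ValueError("unexpected trailing fields")

def tlv(tag, content=b""):
    """Build a short-form DER element (constructed test data only)."""
    if len(content) > 127:
        raise ValueError("short form only")
    return bytes([tag, len(content)]) + content

# Constructed sample: empty subject, rsaEncryption OID, dummy key bits (not a real key).
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05))
           + tlv(0x03, b"\x00" + tlv(0x30)))
HEAD = tlv(0x02, b"\x00") + tlv(0x30) + SPKI
CRI_EMPTY_ATTRS = tlv(0x30, HEAD + tlv(0xA0))  # attributes encoded as A0 00
CRI_NO_ATTRS = tlv(0x30, HEAD)                 # attributes omitted entirely

if __name__ == "__main__":
    print(attributes_status(CRI_EMPTY_ATTRS), attributes_status(CRI_NO_ATTRS))
```

To check a real request, pass the first element of the outer CertificationRequest SEQUENCE (the CertificationRequestInfo) to `attributes_status`.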