000014731 - Cert-C: C_GetCertDER() or C_GetNameDER() returns 0x0712 (E_ATTRIBUTE_VALUE_LEN)

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000014731
Applies To: RSA BSAFE Cert-C
Issue: Cert-C: C_GetCertDER() or C_GetNameDER() returns 0x0712 (E_ATTRIBUTE_VALUE_LEN)
C_GetCertDER() returns 0x0712 (E_ATTRIBUTE_VALUE_LEN)
Cause: countryName in certificate is not a 2-letter country code, e.g. "Japan" instead of "JP"

The countryName attribute should be of length 2 because it should be a 2-letter country code from ISO 3166 (http://www.iso.org/iso/country_codes/iso_3166_code_lists/english_country_names_and_code_elements.htm).  For Japan, the code is "JP".

From RFC 3280 (http://www.ietf.org/rfc/rfc3280.txt):

-- Naming attributes of type X520countryName (digraph from IS 3166)

id-at-countryName       AttributeType ::= { id-at 6 }

X520countryName ::=     PrintableString (SIZE (2))

The Cert-C Developer's Guide has some information about the checking of name attributes in the section Objects > Name Object > Attribute Types and Constraints.

If you want to have a correct certificate, have the CA re-issue the certificate with a valid countryName. If you want to get the encoding of the certificate back from the certificate object even though it does not conform to the standard, use C_GetCertDERLenient() (which calls C_GetNameDERLenient()), which was added in Cert-C 2.9 to address Bugzilla 116307.
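
To confirm that countryName is the attribute at fault, the following added example (not from this article and not Cert-C code) checks a DER-encoded Name against the X520countryName constraint quoted above. The function name, result codes and sample byte arrays are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this example (hypothetical names, not Cert-C status codes). */
enum { CN_OK = 0, CN_ABSENT, CN_BAD_TYPE, CN_BAD_LEN, CN_TRUNCATED };

/* DER TLV of the id-at-countryName OID, { id-at 6 } = 2.5.4.6. */
static const unsigned char OID_COUNTRY[] = { 0x06, 0x03, 0x55, 0x04, 0x06 };

/* Constructed sample Names: one RDN holding C=JP, and one holding C=Japan. */
const unsigned char NAME_JP[] = { 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
    0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 'J', 'P' };
const unsigned char NAME_JAPAN[] = { 0x30, 0x10, 0x31, 0x0E, 0x30, 0x0C,
    0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x05, 'J', 'a', 'p', 'a', 'n' };

/*
 * Check every countryName value in a DER-encoded Name against
 * X520countryName ::= PrintableString (SIZE (2)).
 * Simplification: the OID is located by byte pattern instead of walking the
 * RDNSequence, which is enough for a diagnostic on a Name blob.
 */
int check_country_name(const unsigned char *der, size_t len)
{
    size_t i = 0, v;
    int result = CN_ABSENT;

    while (i + sizeof OID_COUNTRY <= len) {
        if (memcmp(der + i, OID_COUNTRY, sizeof OID_COUNTRY) != 0) { i++; continue; }
        v = i + sizeof OID_COUNTRY;                  /* start of the value TLV */
        if (v + 2 > len) return CN_TRUNCATED;
        if (der[v + 1] & 0x80) return CN_BAD_LEN;    /* long-form length is never 2 */
        if (v + 2 + der[v + 1] > len) return CN_TRUNCATED;
        if (der[v] != 0x13) return CN_BAD_TYPE;      /* 0x13 = PrintableString */
        if (der[v + 1] != 2) return CN_BAD_LEN;
        result = CN_OK;
        i = v + 2 + der[v + 1];
    }
    return result;
}

int main(void)
{
    printf("C=JP    -> %d\n", check_country_name(NAME_JP, sizeof NAME_JP));
    printf("C=Japan -> %d\n", check_country_name(NAME_JAPAN, sizeof NAME_JAPAN));
    return 0;
}
```

A CN_BAD_LEN result on a subject or issuer Name points to the condition described in this article; CN_BAD_TYPE indicates a countryName encoded as something other than PrintableString.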

Legacy Article ID: a49094