000022212 - Cert-C: C_SetCertBER returns error E_CERT_EXTENSIONS (0x72A)

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000022212
Applies To: RSA BSAFE Cert-C
The certificate has an empty SEQUENCE (0x30 0x00) as the value of the authority key identifier extension.
Cert-C 2.7 and earlier.
Beginning in Cert-C 2.7.2.0, Cert-C allows an empty SEQUENCE (0x30 0x00) as the value of the authority key identifier extension.
This has been observed in certificates issued by:

E = info@valicert.com
CN = http://www.valicert.com/
OU = ValiCert Class 2 Policy Validation Authority
O = ValiCert, Inc.
L = ValiCert Validation Network

Example of certificate:


Issue: C_SetCertBER returns error E_CERT_EXTENSIONS (0x72A).
Cause: Normally, a certificate extension is omitted if it does not have a value, rather than being encoded as an empty sequence. The certificate encodes the authority key identifier extension as an empty SEQUENCE (0x30 0x00), which Cert-C 2.7 and earlier rejects.
Workaround

You can override the extension handler for the authority key identifier extension. The Cert-C sample samples/cert/saltname.c shows how to replace the subject alternative name extension handler (which parses the extension value as an ALTERNATE_NAME structure) with the default extension handler (which simply stores the value in an ITEM structure). Your code would look like this:

 EXTENSION_TYPE_INFO authorityKeyIdTypeInfo;
 EXTENSION_TYPE_INFO defaultTypeInfo;
 int status;
 /* ctx is the Cert-C context that the calling code has already initialized */

 /* Get the standard extension handler for the authority key identifier extension */
 status = C_GetExtensionTypeInfo (ctx, ET_AUTHORITY_KEY_ID,
                                  ET_AUTHORITY_KEY_ID_LEN,
                                  &authorityKeyIdTypeInfo);
 if (status != 0)
   goto CLEANUP;

 /* Get the default extension handler for an unknown extension */
 status = C_GetExtensionTypeInfo (ctx, ET_UNKNOWN_TYPE, ET_UNKNOWN_TYPE_LEN,
                                  &defaultTypeInfo);
 if (status != 0)
   goto CLEANUP;

 /* Replace the authority key identifier parser with the default handler,
    which stores the raw extension value in an ITEM without interpreting it */
 authorityKeyIdTypeInfo.handler = defaultTypeInfo.handler;

 /* Register the modified type info so that C_SetCertBER uses it for this extension */
 status = C_RegisterExtensionType (ctx, &authorityKeyIdTypeInfo);
 if (status != 0)
   goto CLEANUP;


If you still want to parse the authority key identifier extension, you can do that afterwards, just as saltname.c parses the subject alternative name after calling C_SetCertBER().
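The following is an added example, not code from this article or from Cert-C, that recognises the offending encoding at the DER level before a certificate is handed to C_SetCertBER, for instance when triaging which certificates in a store need the handler override above. It is a small stand-alone DER reader with no Cert-C dependency; the sample byte arrays are constructed (AKI_EMPTY reproduces the authority key identifier extension bytes of the ValiCert-issued certificate this article describes, the other two are made up).

```c
#include <stdint.h>
#include <string.h>
/* Result codes of check_aki_extension() */
enum { AKI_NOT_AKI = 0, AKI_OK = 1, AKI_EMPTY_SEQUENCE = 2, AKI_MALFORMED = -1 };

/* Read the DER tag and length at buf[pos], bounded by len (short-form and 1- or 2-byte
   long-form lengths only); returns 0 if the TLV does not fit inside buf. */
static int der_read_tlv(const uint8_t *buf, size_t len, size_t pos,
                        uint8_t *tag, size_t *vpos, size_t *vlen)
{
    size_t l, n, i;
    if (pos + 2 > len) return 0;
    *tag = buf[pos]; l = buf[pos + 1]; pos += 2;
    if (l & 0x80) {                              /* long form: 1 or 2 length bytes */
        n = l & 0x7F;
        if (n == 0 || n > 2 || pos + n > len) return 0;
        for (l = 0, i = 0; i < n; i++) l = (l << 8) | buf[pos + i];
        pos += n;
    }
    if (l > len - pos) return 0;
    *vpos = pos; *vlen = l;
    return 1;
}
/* Inspect one DER-encoded X.509 Extension and report whether it is an authorityKeyIdentifier
   (OID 2.5.29.35 = 55 1D 23) whose extnValue is the empty SEQUENCE 30 00 that Cert-C 2.7 and earlier reject. */
int check_aki_extension(const uint8_t *ext, size_t len)
{
    static const uint8_t aki_oid[] = { 0x55, 0x1D, 0x23 };
    uint8_t tag; size_t pos, vlen, end;
    if (!der_read_tlv(ext, len, 0, &tag, &pos, &vlen) || tag != 0x30) return AKI_MALFORMED;
    end = pos + vlen;
    if (!der_read_tlv(ext, end, pos, &tag, &pos, &vlen) || tag != 0x06) return AKI_MALFORMED;
    if (vlen != sizeof aki_oid || memcmp(ext + pos, aki_oid, vlen) != 0) return AKI_NOT_AKI;
    pos += vlen;
    if (!der_read_tlv(ext, end, pos, &tag, &pos, &vlen)) return AKI_MALFORMED;
    if (tag == 0x01) {                           /* skip the optional critical BOOLEAN */
        pos += vlen;
        if (!der_read_tlv(ext, end, pos, &tag, &pos, &vlen)) return AKI_MALFORMED;
    }
    if (tag != 0x04) return AKI_MALFORMED;       /* extnValue must be an OCTET STRING */
    if (vlen == 2 && ext[pos] == 0x30 && ext[pos + 1] == 0x00) return AKI_EMPTY_SEQUENCE;
    /* otherwise the wrapped AuthorityKeyIdentifier must be a non-empty SEQUENCE */
    if (!der_read_tlv(ext, pos + vlen, pos, &tag, &pos, &vlen) || tag != 0x30 || vlen == 0) return AKI_MALFORMED;
    return AKI_OK;
}
/* Constructed samples: AKI_EMPTY reproduces the encoding from the affected certificate;
   AKI_GOOD (made-up 4-byte keyIdentifier) and BASIC_CONSTRAINTS are included for contrast. */
const uint8_t AKI_EMPTY[] = { 0x30,0x09,0x06,0x03,0x55,0x1D,0x23,0x04,0x02,0x30,0x00 };
const uint8_t AKI_GOOD[] = { 0x30,0x0F,0x06,0x03,0x55,0x1D,0x23,0x04,0x08,0x30,0x06,0x80,0x04,0xDE,0xAD,0xBE,0xEF };
const uint8_t BASIC_CONSTRAINTS[] = { 0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x04,0x05,0x30,0x03,0x01,0x01,0xFF };
```

Run check_aki_extension over each extension of a certificate; a result of AKI_EMPTY_SEQUENCE means the certificate will fail in Cert-C 2.7 and earlier unless the handler override is installed.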

Legacy Article ID: a27516
