000024166 - C_GetCertDER returns a 0x70d (E_ATTRIBUTE_TAG) error code

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Article Number: 000024166
Applies To: RSA BSAFE Cert-C
A name object consists of attribute types and values.  Each attribute value (AT_* identifiers in Cert-C) must have a particular string value tag (VT_* identifiers in Cert-C) identifying the format of the encoded value.
Appendix B of the Library Reference Manual contains a listing of attribute types and corresponding value tags.
In section 5.4.2 of X.520, the organizational unit attribute is defined as follows:

organizationalUnitName ATTRIBUTE ::= {
 WITH SYNTAX  DirectoryString {ub-organizational-unit-name}
 ID  id-at-organizationalUnitName
}

Note that the associated value tag must be a directory string. The latest list of valid directory string types is given in RFC 2459:

DirectoryString ::= CHOICE {
 teletexString  TeletexString (SIZE (1..MAX)),
 printableString  PrintableString (SIZE (1..MAX)),
 universalString  UniversalString (SIZE (1..MAX)),
 utf8String  UTF8String (SIZE (1..MAX)),
 bmpString  BMPString (SIZE (1..MAX))
}

Issue
C_GetCertDER returns a 0x70d (E_ATTRIBUTE_TAG) error code
When an E_ATTRIBUTE_TAG error code is associated with a certificate, it usually points to a discrepancy in the encoding of an attribute in the issuer name or subject name fields of the certificate.
An example of a problematic name attribute is the following:

Organizational Unit, IA5 String (3 bytes):
52 26 44                                             [R&D]
Resolution
If you cannot determine the source of the discrepancy, send the certificate binary to RSA Developer Support for further analysis.

For this particular example, the best solution would be for the customer to use a T61 string for the string value tag associated with the organizational unit; an IA5 string is not a valid directory string choice and that is enforced by Cert-C during export.

Modifying the IA5 string tag to be a T61 string tag will invalidate the signature.  The signer must compute a new signature on the certificate once this adjustment is made.
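
To locate the offending attribute before contacting support, the tag check described above can be run over the DER encoding of the issuer or subject name. The following is an added example, not RSA or Cert-C code: it uses no Cert-C API, its function names are hypothetical, and the two sample names are constructed for illustration.

```c
#include <string.h>   /* size_t, NULL, memcmp */

/* Added illustration: helper names are hypothetical, no Cert-C API is used. */
/* Tags: UTF8String, PrintableString, TeletexString (T61), UniversalString, BMPString */
static int is_directory_string_tag(unsigned char t) {
    return t == 0x0C || t == 0x13 || t == 0x14 || t == 0x1C || t == 0x1E;
}

/* Step into the DER TLV at p, which must carry `tag` (0 accepts any tag). Returns
   its content and sets *next to the byte after it; NULL if malformed. */
static const unsigned char *tlv(const unsigned char *p, const unsigned char *end,
                                unsigned char tag, const unsigned char **next) {
    if (end - p < 2 || (tag && p[0] != tag) || (p[0] & 0x1F) == 0x1F) return NULL;
    size_t n = p[1], k = 0;
    if (n & 0x80) {                          /* long form, up to two length bytes */
        k = n & 0x7F;
        if (k == 0 || k > 2 || (size_t)(end - p) < 2 + k) return NULL;
        n = (k == 1) ? p[2] : ((size_t)p[2] << 8) | p[3];
    }
    p += 2 + k;
    if (n > (size_t)(end - p)) return NULL;
    *next = p + n;
    return p;
}

/* Returns the tag of the first organizationalUnitName value that is not a
   DirectoryString, 0 if every OU value is acceptable, -1 if the DER is malformed. */
int check_ou_tags(const unsigned char *name, size_t name_len) {
    static const unsigned char OU[] = {0x55, 0x04, 0x0B};      /* OID 2.5.4.11 */
    const unsigned char *end, *rdn_end, *atv_end, *val, *val_end;
    const unsigned char *rdn = tlv(name, name + name_len, 0x30, &end);
    if (!rdn) return -1;
    for (; rdn < end; rdn = rdn_end) {                         /* each RDN (SET) */
        const unsigned char *atv = tlv(rdn, end, 0x31, &rdn_end);
        if (!atv) return -1;
        for (; atv < rdn_end; atv = atv_end) {                 /* each type/value pair */
            const unsigned char *type = tlv(atv, rdn_end, 0x30, &atv_end);
            const unsigned char *oid = type ? tlv(type, atv_end, 0x06, &val) : NULL;
            if (!oid || !tlv(val, atv_end, 0, &val_end)) return -1;
            if ((size_t)(val - oid) == sizeof OU && !memcmp(oid, OU, sizeof OU) &&
                !is_directory_string_tag(val[0])) return val[0];
        }
    }
    return 0;
}

/* Constructed sample Names (not from a real certificate): OU=R&D as IA5, then as T61. */
const unsigned char NAME_IA5[] = {0x30,0x0E,0x31,0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x0B,0x16,0x03,0x52,0x26,0x44};
const unsigned char NAME_T61[] = {0x30,0x0E,0x31,0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x0B,0x14,0x03,0x52,0x26,0x44};
```

The check is limited to organizationalUnitName because some other name attributes are defined with an IA5String syntax and would be flagged incorrectly by a blanket DirectoryString test.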
Legacy Article ID: a7207