PeculiarVentures/x509

challengePassword attribute issue?

Closed this issue · 1 comments

Hey! 👋🏻

I'm working on switching to this library from Forge for CSR generation, and I'm running into a subtle difference with the challengePassword attribute that I think is causing the CSR to be rejected.

If you look at the output below, you'll see that they're almost identical (UID and challengePassword values are different on purpose), except for how OpenSSL outputs the challengePassword attribute. Like I said, my best guess at the moment is that this is causing the CSR to be rejected.

Can you help? Thanks!

CSR from Forge

When I run the CSR through OpenSSL (openssl req -noout -text -in csr.pem), I get this:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=Truepic Lens SDK v0.1.0 in Lens Demo v1.0.0, OU=Development Org Unit, O=Development Org, C=US/UID=cs-cf338b81e63274f810cec6f9aa61675b
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:21:6d:96:51:78:b6:8a:7b:d4:13:c2:85:fe:
                    99:0e:4f:b0:2b:72:0b:35:f4:bb:64:c0:af:89:91:
                    ae:c5:8f:d0:dc:51:63:94:80:32:bb:c9:a9:35:eb:
                    6d:6f:47:fd:cb:33:dc:2d:95:87:9b:f0:7d:65:1a:
                    c9:fa:18:cf:e1:c4:55:aa:8c:82:6b:a4:c3:04:67:
                    22:4b:b7:e0:10:ac:c0:03:53:f4:77:87:74:11:29:
                    48:39:84:60:87:fa:2f:be:35:58:aa:2a:88:a1:06:
                    29:28:f7:5d:cb:71:5d:f3:98:0a:91:b5:56:02:a0:
                    95:4d:a5:a2:3e:cb:90:02:12:a6:a7:39:d8:b2:91:
                    56:9a:6f:0b:d4:5a:99:91:a6:30:d4:fa:ab:22:26:
                    fa:51:19:56:40:63:7d:44:e0:fe:c0:33:2b:cf:5b:
                    07:8c:ca:1c:51:54:36:69:69:56:a7:69:aa:85:55:
                    8c:85:e6:e2:1a:f6:b6:0d:86:48:2a:98:f7:b1:36:
                    3f:20:a4:70:c6:7d:8f:31:97:12:71:e4:7b:6e:44:
                    2f:dd:50:1e:ce:87:1a:a6:1a:8a:bf:ec:f8:42:ae:
                    df:c8:c0:19:da:69:db:fb:58:97:01:54:0b:43:33:
                    cd:ad:bc:eb:28:69:88:1d:e8:6c:20:ee:d4:c9:6c:
                    c6:03
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :unable to print attribute
    Signature Algorithm: sha384WithRSAEncryption
         98:58:bb:2d:d6:ba:54:87:f8:9a:b2:ea:1b:4d:f0:89:0b:ab:
         27:25:d7:0d:93:0e:7a:e9:d9:0a:a6:cb:e4:84:30:6a:dc:b5:
         7e:c6:7b:05:94:0d:03:14:af:aa:ba:89:2a:06:ae:3d:ee:12:
         ea:1f:1e:54:96:37:5f:91:38:a3:41:b7:d1:e5:45:3f:6d:3a:
         d8:3a:39:e5:e6:e8:9e:d5:ae:0a:ad:4e:91:95:f2:29:b3:31:
         a0:de:4b:9c:45:9a:44:02:f3:e5:ba:8c:3a:89:e4:47:c4:7b:
         a5:4d:0a:7e:d7:7a:d4:05:26:f0:d4:53:0a:80:1f:1e:36:1c:
         7e:68:09:cf:ae:7c:79:a9:53:f3:85:55:65:f5:df:01:68:a2:
         e1:df:c8:35:2e:7d:72:64:3e:b0:b2:98:be:5b:71:3a:27:fb:
         9a:8d:2e:36:15:34:51:5d:b4:d7:f5:c4:8e:ea:a8:5e:07:f0:
         91:49:4e:19:20:eb:03:63:76:f7:28:74:e4:ae:04:98:4e:bd:
         eb:7c:3f:1c:3f:68:9b:c2:88:08:8c:93:be:7a:9f:26:84:88:
         54:64:18:d5:5b:c1:58:56:35:d9:b4:6a:fb:62:e2:1c:16:ad:
         94:b7:9d:14:90:27:03:7c:70:4d:97:4c:ea:1b:d1:dc:44:76:
         c5:2f:07:5d

Here's how this library parses it:

Pkcs10CertificateRequest {
  rawData: ArrayBuffer {
    [Uint8Contents]: <30 82 03 28 30 82 02 10 02 01 00 30 81 b1 31 34 30 32 06 03 55 04 03 13 2b 54 72 75 65 70 69 63 20 4c 65 6e 73 20 53 44 4b 20 76 30 2e 31 2e 30 20 69 6e 20 4c 65 6e 73 20 44 65 6d 6f 20 76 31 2e 30 2e 30 31 1d 30 1b 06 03 55 04 0b 13 14 44 65 76 65 6c 6f 70 6d 65 6e 74 20 4f 72 67 20 55 6e 69 74 31 ... 712 more bytes>,
    byteLength: 812
  },
  tbs: ArrayBuffer {
    [Uint8Contents]: <30 82 02 10 02 01 00 30 81 b1 31 34 30 32 06 03 55 04 03 13 2b 54 72 75 65 70 69 63 20 4c 65 6e 73 20 53 44 4b 20 76 30 2e 31 2e 30 20 69 6e 20 4c 65 6e 73 20 44 65 6d 6f 20 76 31 2e 30 2e 30 31 1d 30 1b 06 03 55 04 0b 13 14 44 65 76 65 6c 6f 70 6d 65 6e 74 20 4f 72 67 20 55 6e 69 74 31 18 30 16 06 ... 432 more bytes>,
    byteLength: 532
  },
  publicKey: PublicKey {
    rawData: ArrayBuffer {
      [Uint8Contents]: <30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c9 73 75 99 76 4f 66 9e be 81 d9 d7 2e 6e 64 3c 2d 99 f1 a6 90 ee 8d b6 40 9b 7b 72 62 5c b4 5e 8d 98 0a b8 22 0b dc 21 a7 ba 5f ac c4 74 9d cf 73 6e b2 a7 3c 00 ce 41 f6 8b d0 1c 27 72 36 c0 64 75 5c ... 194 more bytes>,
      byteLength: 294
    },
    algorithm: {
      name: 'RSASSA-PKCS1-v1_5',
      publicExponent: [Uint8Array],
      modulusLength: 2048
    },
    tag: 'PUBLIC KEY'
  },
  signatureAlgorithm: { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-384' } },
  signature: ArrayBuffer {
    [Uint8Contents]: <06 40 7e 70 1f 41 10 c2 e9 29 2c da 9e 48 ed f7 2f e8 cb 67 26 f8 0a 91 d0 51 aa cd 55 de a4 ec 5a c0 a7 7d 49 8d 50 af f2 01 ed 5a 8e a7 9a bc 46 69 0f 66 95 71 9d a9 2f 55 20 bb 10 dc d7 97 bc 25 62 89 56 9b 2a ee 5d 7e 4e 8d cf 21 1a d8 ed b0 a9 6d 61 c4 38 05 6f f6 2a 11 90 6e ae f7 93 08 8b c8 ... 156 more bytes>,
    byteLength: 256
  },
  attributes: Attributes(1) [
    ChallengePasswordAttribute {
      rawData: [ArrayBuffer],
      type: '1.2.840.113549.1.9.7',
      values: [Array],
      password: '559b06e9b9f0a2e157a31d7ff8671d45'
    }
  ],
  extensions: [],
  subjectName: Name {
    extraNames: NameIdentifier { items: {} },
    asn: Name(5) [
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName]
    ]
  },
  subject: 'CN=Truepic Lens SDK v0.1.0 in Lens Demo v1.0.0, OU=Development Org Unit, O=Development Org, C=US, 0.9.2342.19200300.100.1.1=cs-cb2500d6dc56d7e69bfe0720de317c1b',
  tag: 'CERTIFICATE REQUEST'
}

CSR from this library

When I run the CSR through OpenSSL (openssl req -noout -text -in csr.pem), I get this:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=Truepic Lens SDK v0.1.0 in Lens Demo v1.0.0, OU=Development Org Unit, O=Development Org, C=US/UID=cs-ee1b2a5a06878bca6a230f648ee44e9f
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bf:9e:6d:fe:fc:9b:c2:de:c2:c2:18:c2:17:84:
                    a2:a9:40:07:73:5f:da:9f:c9:f2:86:af:58:d2:53:
                    8d:55:95:87:37:5d:71:e8:66:32:e3:63:a6:2b:3d:
                    7b:64:90:4f:33:81:fa:b9:9b:0a:a9:47:38:c2:1c:
                    bc:81:3c:01:c5:af:b9:1f:88:f1:0a:e6:c4:20:4a:
                    e8:38:36:ce:75:15:f1:e4:3b:43:a1:a7:9c:4d:f9:
                    4c:9d:96:b6:bc:3c:38:a0:ae:40:1a:1d:50:f3:a9:
                    cd:b3:aa:ef:f0:99:8c:ae:74:68:93:3a:45:34:53:
                    d1:80:45:88:f3:97:74:c6:8a:13:ac:a6:e4:0c:cc:
                    52:3f:0f:69:95:4a:f0:f7:e2:64:75:47:13:f3:fe:
                    c7:3d:bc:e4:a9:e5:2c:de:ad:17:31:d9:15:62:eb:
                    16:3a:a1:25:80:85:ab:3d:94:3b:b8:07:67:aa:42:
                    33:d7:ec:c9:07:7a:af:73:59:1a:e0:50:1e:07:97:
                    59:3f:b0:25:ed:b0:29:50:79:b1:57:40:6a:01:09:
                    ef:d4:14:5f:ee:9e:3c:6c:be:9e:03:b1:98:72:a6:
                    1c:a3:e3:15:b1:96:91:d7:81:53:b8:b4:e4:95:47:
                    e4:bf:a3:e1:fe:84:dd:48:ec:cb:e2:4f:8b:ef:43:
                    dc:f3
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :87d9ea7672cd0551e0e5e297ddf01232
    Signature Algorithm: sha384WithRSAEncryption
         a5:a6:74:09:d1:3f:39:8b:63:ab:64:b8:e4:d6:7f:63:23:ec:
         8c:47:c1:b2:b9:ce:bb:d8:b7:00:d1:51:d6:48:59:48:1a:bc:
         e2:60:8a:b7:d2:8c:11:2e:6e:b4:bb:b2:a2:41:17:98:77:93:
         10:71:fd:2d:d1:87:c2:d2:db:6b:60:04:c1:39:c6:49:c8:70:
         22:85:c4:08:9a:dd:f5:29:03:ba:52:e7:2f:3e:14:f5:7f:02:
         62:df:a4:c1:bc:18:c5:9a:a6:8e:b6:06:bd:01:f4:66:b9:30:
         43:a2:c5:81:b5:b7:49:8d:04:19:7e:ff:46:9a:ad:d7:a3:e4:
         9f:ed:eb:dc:73:b9:00:19:61:1b:85:81:b0:f4:f4:41:27:c9:
         05:92:6b:8d:c1:12:96:3f:0f:d9:9e:98:47:8f:cb:ad:81:7e:
         a1:9e:61:68:2a:cb:4f:0a:fa:00:1b:d1:70:3d:84:95:59:17:
         bb:b4:b9:1e:9b:c1:11:36:8d:f4:b9:8a:f2:b8:4b:17:b3:06:
         d6:a7:b4:30:f6:fc:db:0f:89:29:f0:09:bf:91:85:f0:fe:82:
         41:66:7b:4c:45:80:cb:fb:fc:4d:fc:a7:40:78:ba:96:0f:f4:
         10:46:4f:5b:3d:cb:4a:2d:d6:f4:b5:0b:fe:2d:3d:56:e7:ea:
         8b:86:d5:07

Here's the CSR object from this library:

Pkcs10CertificateRequest {
  rawData: ArrayBuffer {
    [Uint8Contents]: <30 82 03 1b 30 82 02 03 02 01 00 30 81 a4 31 34 30 32 06 03 55 04 03 13 2b 54 72 75 65 70 69 63 20 4c 65 6e 73 20 53 44 4b 20 76 30 2e 31 2e 30 20 69 6e 20 4c 65 6e 73 20 44 65 6d 6f 20 76 31 2e 30 2e 30 31 1d 30 1b 06 03 55 04 0b 13 14 44 65 76 65 6c 6f 70 6d 65 6e 74 20 4f 72 67 20 55 6e 69 74 31 ... 699 more bytes>,
    byteLength: 799
  },
  tbs: ArrayBuffer {
    [Uint8Contents]: <30 82 02 03 02 01 00 30 81 a4 31 34 30 32 06 03 55 04 03 13 2b 54 72 75 65 70 69 63 20 4c 65 6e 73 20 53 44 4b 20 76 30 2e 31 2e 30 20 69 6e 20 4c 65 6e 73 20 44 65 6d 6f 20 76 31 2e 30 2e 30 31 1d 30 1b 06 03 55 04 0b 13 14 44 65 76 65 6c 6f 70 6d 65 6e 74 20 4f 72 67 20 55 6e 69 74 31 18 30 16 06 ... 419 more bytes>,
    byteLength: 519
  },
  publicKey: PublicKey {
    rawData: ArrayBuffer {
      [Uint8Contents]: <30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 e0 04 91 d4 07 22 69 3a 9f 57 cb 5b 27 fc 3b 6d 10 d9 e2 7e 29 ca 4b 80 39 c9 76 7c 88 0b 3f 7b ff f8 2a 35 e4 19 9f ec 52 0c df 8a 2a d6 22 6f 48 92 97 51 34 4a 48 2c 5d 72 74 52 fd 65 be 71 20 1d 53 ... 194 more bytes>,
      byteLength: 294
    },
    algorithm: {
      name: 'RSASSA-PKCS1-v1_5',
      publicExponent: [Uint8Array],
      modulusLength: 2048
    },
    tag: 'PUBLIC KEY'
  },
  signatureAlgorithm: { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-384' } },
  signature: ArrayBuffer {
    [Uint8Contents]: <0f d3 c3 80 81 9b ce 17 70 c7 9d a1 a3 4e 1f 60 e4 6d ac 57 39 86 ba 9f b7 c1 de 74 1c 1c cc 95 92 80 b6 61 22 fd 2d 35 0f 97 c1 44 0b b9 c1 bc d5 c9 75 8f ae cf 78 b6 7f 54 db 4d 4c ac 3d d1 fa 11 84 e3 0e 97 cb a5 2b c3 5e 84 01 28 4f 7d 37 98 b2 c7 d6 c4 6b 5e 2a df f7 b7 fe 00 ac 59 2c 23 b9 cc ... 156 more bytes>,
    byteLength: 256
  },
  attributes: Attributes(1) [
    ChallengePasswordAttribute {
      rawData: [ArrayBuffer],
      type: '1.2.840.113549.1.9.7',
      values: [Array],
      password: '87d9ea7672cd0551e0e5e297ddf01232'
    }
  ],
  extensions: [],
  subjectName: Name {
    extraNames: NameIdentifier { items: {} },
    asn: Name(4) [
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName]
    ]
  },
  subject: 'CN=Truepic Lens SDK v0.1.0 in Lens Demo v1.0.0, OU=Development Org Unit, O=Development Org, C=US/UID=cs-ee1b2a5a06878bca6a230f648ee44e9f',
  tag: 'CERTIFICATE REQUEST'
}

I figured it out. It turned out not to be related to challengePassword, but instead how UID was added to the subject DN.

Sorry for the false alarm!