wbond/ocspbuilder

id-sha1 AlgorithmIdentifier encoding

Closed this issue · 1 comments

mttcpr commented

Hi Will,

Experiencing a problem with several different production responders accepting requests, After comparing your requests to those from openssl (which do work) I believe it's due to the way id-sha1 is encoded.

Specifically, to maximize interoperability, id-sha1 should include NULL parameters (0500) in the AlgorithmIdentifier, i.e. 300906052B0E03021A0500

9: SEQUENCE {
5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
: (OIW)
0: NULL
: }

The requests from ocspbuilder omit the parameters, which is technically correct, but is almost certainly causing problems:

300706052B0E03021A

7: SEQUENCE {
5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
: (OIW)
: }

Note that the OCSP servers should also be fixed; they should be accepting these requests because they are technically correct.

https://www.ietf.org/rfc/rfc4055.txt gives some explanation of how we ended up here:

There are two possible encodings for the AlgorithmIdentifier
parameters field associated with these object identifiers. The two
alternatives arise from the loss of the OPTIONAL associated with the
algorithm identifier parameters when the 1988 syntax for
AlgorithmIdentifier was translated into the 1997 syntax. Later the
OPTIONAL was recovered via a defect report, but by then many people
thought that algorithm parameters were mandatory. Because of this
history some implementations encode parameters as a NULL element
while others omit them entirely. The correct encoding is to omit the
parameters field; however, when RSASSA-PSS and RSAES-OAEP were
defined, it was done using the NULL parameters rather than absent
parameters.

All implementations MUST accept both NULL and absent parameters as
legal and equivalent encodings.

To be clear, the following algorithm identifiers are used when a NULL
parameter MUST be present:

 sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }
 sha224Identifier  AlgorithmIdentifier  ::=  { id-sha224, NULL }
 sha256Identifier  AlgorithmIdentifier  ::=  { id-sha256, NULL }
 sha384Identifier  AlgorithmIdentifier  ::=  { id-sha384, NULL }
 sha512Identifier  AlgorithmIdentifier  ::=  { id-sha512, NULL }
wbond commented

This should be resolved by version 0.19.0 of asn1crypto.