Hi Vitaly,
BasicConstraints should be inside of a sequence, but this certificate uses it without a sequence and that is breaking it. You can find more information about BasicConstraints here:
https://tools.ietf.org/html/rfc5280
BR
Mikko
Hi, Mikko
This is a valid certificate, generated with OpenSSL.
You are right, BasicConstraints itself is a sequence, but this sequence is inside another "extension" sequence.
Extension  ::=  SEQUENCE  {
     extnID      OBJECT IDENTIFIER,
     critical    BOOLEAN DEFAULT FALSE,
     extnValue   OCTET STRING
                 -- contains the DER encoding of an ASN.1 value
                 -- corresponding to the extension type identified
                 -- by extnID
     }
If the "critical" flag is absent (default), the BasicConstraints sequence follows extnID immediately.
But if the "critical" flag is present, it is included before the BasicConstraints sequence.
The DLMS library doesn't check whether the critical flag is present, and tries to parse the next field as a sequence.
The same rule applies to the KeyUsage field, and the DLMS library handles this field correctly.
Regards,
Vitaly
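
The optional `critical` field discussed in this post, as an added example (not code from the Gurux DLMS library or from either poster): a minimal Python DER reader that treats a BOOLEAN after extnID as optional before reading the extnValue OCTET STRING, then decodes the BasicConstraints SEQUENCE inside it. The function names and the two sample encodings are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def parse_extension(der):
    """Parse one Extension; return (raw extnID bytes, critical, extnValue)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    tag, value, pos = read_tlv(body, pos)
    critical = False                      # DEFAULT FALSE when the field is absent
    if tag == 0x01:                       # optional BOOLEAN is present
        critical = value != b"\x00"
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return oid, critical, value

def parse_basic_constraints(extn_value):
    """Decode BasicConstraints from extnValue; return (cA, pathLen or None)."""
    tag, body, _ = read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x01:                   # cA BOOLEAN DEFAULT FALSE
            ca = value != b"\x00"
        elif tag == 0x02:                 # pathLenConstraint INTEGER OPTIONAL
            path_len = int.from_bytes(value, "big")
    return ca, path_len

# Constructed sample encodings of basicConstraints CA:TRUE (not from the thread).
CRITICAL_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")  # with flag
PLAIN_EXT = bytes.fromhex("300c0603551d13040530030101ff")           # flag absent
```

Both encodings yield the same BasicConstraints value; only the `critical` result differs, which is the case a parser has to handle without assuming a fixed field position.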
Hi,
This is also tested and validated with OpenSSL. BasicConstraints is inside of a Sequence, as I said.
I have made an introduction to how to generate a custom certificate with OpenSSL.
http://gurux.fi/CustomCertificate
I hope it helps you.
BR,
Mikko
Hi, Mikko
Your description is not correct.
In the ca.ext file you need to have the string:
basicConstraints=critical, CA:TRUE
In accordance with the DLMS Green Book, basicConstraints must set its "Critical" flag to TRUE.
The same for the KeyUsage.
Regards,
Vitaly
Hi Vitaly,
You are right on this and thank you for pointing this out. The critical flag was missing. This is now fixed and the new version is released on Monday.
BR,
Mikko