Can't import CA Certificate


By VitalyP, 21 April, 2021
Forums
Gurux.DLMS

Hi,

The DLMS library throws an exception if the imported certificate has a BasicConstraints field with a critical flag.

Example of such a certificate:

regards,
Vitaly

Kurumi

5 years 1 month ago

Hi Vitaly,

BasicConstraints should be inside of a sequence, but this certificate uses it without a sequence and that is breaking it. You can find more information about BasicConstraints here:
https://tools.ietf.org/html/rfc5280

BR
Mikko

VitalyP

5 years 1 month ago

Hi, Mikko

This is a valid certificate, generated with OpenSSL.

You are right, BasicConstraints itself is a sequence, but this sequence is inside another "extension" sequence.

Extension ::= SEQUENCE {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING
                -- contains the DER encoding of an ASN.1 value
                -- corresponding to the extension type identified
                -- by extnID
}

If the "critical" flag is absent (default), the BasicConstraints sequence follows extnID immediately.
But if the "critical" flag is present, it is included before the BasicConstraints sequence.

The DLMS library doesn't check whether the critical flag is present, and tries to parse the next field as a sequence.

The same rule applies to the KeyUsage field, and DLMS handles this field correctly.

Regards,
Vitaly
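
The point made in the post above, as an added example that is not part of the original thread and is not Gurux library code: a minimal DER reader that treats `critical` as the optional BOOLEAN it is, so the same extension parses with and without the flag. The function names and the two sample byte strings are constructed for illustration.

```python
# Added example, not Gurux code; sample bytes are constructed (basicConstraints, CA:TRUE).
BOOLEAN, OCTET_STRING, OID, SEQUENCE = 0x01, 0x04, 0x06, 0x30
WITH_CRITICAL = bytes.fromhex("300f0603551d130101ff040530030101ff")
WITHOUT_CRITICAL = bytes.fromhex("300c0603551d13040530030101ff")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_extension(der):
    """Parse one Extension and return (extnID bytes, critical, extnValue bytes)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != OID:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    tag, value, pos = read_tlv(body, pos)
    critical = False  # DEFAULT FALSE: the field is simply absent
    if tag == BOOLEAN:  # optional field present: consume it, then read extnValue
        if len(value) != 1:
            raise ValueError("malformed BOOLEAN")
        critical = value[0] != 0
        tag, value, pos = read_tlv(body, pos)
    if tag != OCTET_STRING or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return oid, critical, value

def basic_constraints_ca(extn_value):
    """Return cA from the BasicConstraints SEQUENCE wrapped in extnValue."""
    tag, body, _ = read_tlv(extn_value, 0)
    if tag != SEQUENCE:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    if not body:
        return False  # cA is DEFAULT FALSE as well
    tag, value, _ = read_tlv(body, 0)
    return tag == BOOLEAN and len(value) == 1 and value[0] != 0
```

Both samples yield the same extnID and the same inner BasicConstraints SEQUENCE; only the `critical` result differs.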

Kurumi

5 years 1 month ago

Hi,

This is tested and validated also with OpenSSL. BasicConstraint is inside of a Sequence, as I said.

I have made an introduction to how to generate a custom certificate with OpenSSL.
http://gurux.fi/CustomCertificate

I hope it helps you.

BR,
Mikko

VitalyP

5 years 1 month ago

Hi, Mikko

Your description is not correct.
In the ca.ext file you need to have the string:

basicConstraints=critical, CA:TRUE

In accordance with the DLMS Green Book, basicConstraints must have its "Critical" flag set to TRUE.
The same goes for KeyUsage.

regards,
Vitaly

Kurumi

5 years 1 month ago

Hi Vitaly,

You are right on this and thank you for pointing this out. The critical flag was missing. This is now fixed and the new version is released on Monday.

BR,
Mikko
