[erlang-questions] Malformed countryName in x509 certs + public_key

Andreas Schultz aschultz@REDACTED
Tue Jun 3 09:54:46 CEST 2014


Hi,

----- Original Message -----
> Hi All,
> 
>  I'm working on an Erlang project that entails controlling some
>  devices that expose a SOAP api. The device manufacturer made a
>  mistake and shipped the devices with a cert where the countryName
>  field in the cert subject is three characters long.
> 
>  Even with verification disabled via ssl options, we get a crash while
>  parsing the cert (this stack is with R15B01 but I get the
>  same results with 17)
> 
>  {{{badmatch,{error,{asn1,{length,2,<<"USA">>}}}},
>  [{public_key,pkix_decode_cert,2,[{file,"public_key.erl"},{line,215}]},
>  {public_key,validate,2,[{file,"public_key.erl"},{line,630}]},
>  {public_key,path_validation,2,[{file,"public_key.erl"},{line,591}]},
>  {ssl_handshake,certify,7,[{file,"ssl_handshake.erl"},{line,218}]},
>  {ssl_connection,certify,2,[{file,"ssl_connection.erl"},{line,514}]},
>  {ssl_connection,next_state,4,[{file,"ssl_connection.erl"},{line,1929}]},{gen_fsm,handle_msg,7...
>  
>  So presumably the cert runs afoul before the normal verification
>  steps, and disabling verification doesn't help.
> 
>  Normally it wouldn't be a big deal to replace these certs, but there
>  are a bunch of them and the process entails an interruption of
>  service on the device, so I'm hoping to find a workaround.
> 
>  One option would be to modify public_key to accept the three byte
>  value until we can get the certs rotated- I've experimented with
>  modifying PKIX1Explicit88.asn1 and recompiling with asn1ct, but I am
>  totally clueless in this area and suspect I may be on a fool's errand :)

The SSL App decodes the certificates as OTPCertificate defined in OTP-PKIX.asn1.
Did you try adjusting OTP-X520countryname?
It is defined as:

OTP-X520countryname ::= CHOICE {
       printableString   PrintableString (SIZE (2)),
       utf8String        UTF8String      (SIZE (2))
}

Andreas

>  Anyhow- my purpose in mailing the list was to see if any other erlang
>  users have run into a similar predicament, and to see if you found a
>  good strategy for working around it.
> 
>  Thanks in advance!
>  .andy

-- 
Dipl. Inform.
Andreas Schultz

email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------- enabling your networks -------------------

Travelping GmbH               phone:         +49-391-819099229
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       info@REDACTED
GERMANY                       web:   http://www.travelping.com

Company Registration: Amtsgericht Stendal Reg No.:   HRB 10578
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
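
A way to find affected certificates before they reach the decoder, as an added example that is not part of the original thread and is not OTP code: a small Python DER walker that applies the SIZE (2) rule quoted above to every countryName it finds, issuer and subject alike. The sample Name is constructed, and `tlv` and `sample_name` are hypothetical helpers that exist only to build it.

```python
COUNTRY_OID = bytes.fromhex("550406")  # 2.5.4.6, id-at-countryName
ALLOWED = {0x13: "PrintableString", 0x0C: "UTF8String"}  # the CHOICE arms

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def walk(buf):
    """Yield (tag, value) for each TLV, descending into constructed ones."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:  # constructed: SEQUENCE, SET, [n] wrappers
            yield from walk(value)

def country_names(der):
    """Return [(string_type, text, ok)] for every countryName attribute."""
    found = []
    for tag, value in walk(der):
        if tag != 0x30:
            continue
        try:
            t1, oid, nxt = read_tlv(value, 0)
            t2, raw, _ = read_tlv(value, nxt)
        except (IndexError, ValueError):
            continue  # SEQUENCE with fewer than two children
        if t1 == 0x06 and oid == COUNTRY_OID:
            text = raw.decode("utf-8", "replace")
            ok = t2 in ALLOWED and len(text) == 2  # SIZE (2) counts characters
            found.append((ALLOWED.get(t2, hex(t2)), text, ok))
    return found

def tlv(tag, body):  # sample builder: short-form length, body < 128 bytes
    return bytes([tag, len(body)]) + body

def sample_name(country):
    """Constructed subject Name for testing: C=<country>, CN=device."""
    c = tlv(0x30, tlv(0x06, COUNTRY_OID) + tlv(0x13, country))
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"device"))
    return tlv(0x30, tlv(0x31, c) + tlv(0x31, cn))
```

`country_names` accepts a whole DER certificate as well as a bare Name; for a PEM file, `ssl.PEM_cert_to_DER_cert` from the standard library gives the DER bytes to pass in.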


