[erlang-questions] Malformed countryName in x509 certs + public_key

Andy Bailey andy.bailey@REDACTED
Mon Jun 2 23:28:44 CEST 2014


Hi All,

 I'm working on an Erlang project that entails controlling some
 devices that expose a SOAP api. The device manufacturer made a
 mistake and shipped the devices with a cert where the countryName
 field in the cert subject is three characters long.

 Even with verification disabled via ssl options, we get a crash while
 parsing the cert (this stack with with R15B01 but I get the
 same results with 17)

 {{{badmatch,{error,{asn1,{length,2,<<"USA">>}}}},
 [{public_key,pkix_decode_cert,2,[{file,"public_key.erl"},{line,215}]},
 {public_key,validate,2,[{file,"public_key.erl"},{line,630}]},
 {public_key,path_validation,2,[{file,"public_key.erl"},{line,591}]},
 {ssl_handshake,certify,7,[{file,"ssl_handshake.erl"},{line,218}]},
 {ssl_connection,certify,2,[{file,"ssl_connection.erl"},{line,514}]},
 {ssl_connection,next_state,4,[{file,"ssl_connection.erl"},{line,1929}]},{gen_fsm,handle_msg,7...
 
 So presumably the cert runs afoul before the normal verification
 steps, and disabling verification doesn't help.

 Normally it wouldn't be a big deal to replace these certs, but there
 are a bunch of them and the process entails an interruption of
 service on the device, so I'm hoping to find a workaround.

 One option would be to modify public_key to accept the three byte
 value until we can get the certs rotated- I've experimented with
 modiying PKIX1Explicit88.asn1 and recompiling with asn1ct, but I am
 totally clueless in this area and suspect I may be on a fools errand :)

 Anyhow- my purpose in mailing the list was to see if any other erlang
 users have run into a similar predicament, and to see if you found a
 good strategy for working around it. 

 Thanks in advance!
 .andy



 



More information about the erlang-questions mailing list