Invalid_argument "X509: failed to parse certificate" when using X509.Encoding.Pem.Certificate.of_pem_cstruct1 #108
Comments
|
When I decode the above certificate with |
|
I looked again into this issue and the above certificate. My earlier assessment is wrong, the provided certificate contains a public key, but is signed with an RSA key. The reason why this certificate fails to parse is that the AlgorithmIdentifier is not followed by the mandatory (!?) param field set to NULL. I'm in the process of figuring out whether the NULL is actually mandatory (RFCs are slightly contradictory, lots of implementations seem to use/require NULL). |
|
since I comment here every 8-9 months, let me add some more information. the |
… not present this fixes mirleft#108 - though ECC support is still lacking
CHANGES:
* BREAKING add a whitelist of hash algorithms used for signatures. The default
whitelist is the SHA-2 family (without SHA-224), Validation.valid_ca{,s} use
all algorithms as default
reported by @emillon in mirleft/ocaml-x509#123, fixed in mirleft/ocaml-x509#128
* BREAKING Certificate.hostnames and Signing_request.hostnames (new) return a
set of [`Wildcard|`Strict] * [`host] Domain_name.t (Certificate.Host_set.t)
reported by @mmaker in mirleft/ocaml-x509#88, fixed in mirleft/ocaml-x509#127
* BREAKING mirleft/ocaml-x509#127 Signing_request.sign returns a result type now, an error is
returned if the signing request was not properly signed
* BREAKING mirleft/ocaml-x509#127 Validation.{verify_chain_of_trust, trust_key_fingerprint,
trust_cert_fingerptint} and the type Authenticator.t changed, no longer use
of a Certificate.host, but instead a [`host] Domain_name.t (previously, it was
a pair)
* BUGFIX support AlgorithmIdentifier of RSA signature algorithms with parameter
not present
reported by @Ulrar in mirleft/ocaml-x509#108, fixed in mirleft/ocaml-x509#129
* BUGFIX mirleft/ocaml-x509#127 preserve a signed signing request (Country in a DN sometimes uses
a non-utf8 string encoding)
* remove deprecation from Validation.trust_cert_fingerprint and
Authenticator.server_cert_fingerprint
requested by @mben-romdhane in mirleft/ocaml-x509#125, fixed in mirleft/ocaml-x509#126
* Certificate.signature_algorithm, CRL.signature_algorithm, and
Signing_request.signature_algorithm are now provided, returning a
([`RSA|`ECDSA] * Nocrypto.Hash.hash) option
requested by @psafont in mirleft/ocaml-x509#123, fixed in mirleft/ocaml-x509#128
Hi,
I'm trying to implement the server side of U2F in ocaml, and for that I have to verify a signature. I'm trying to import the pem certificate provided by the hardware token, but it seems like the library is failing to parse it. It looks like this (that's the example certificate from the yubico docs) :
It seems valid when I decode it with openssl, so I assume the problem must be what it contains.
Do you have by any chance an idea about what makes the parsing fail ? I've read in the doc some X503v3 extensions aren't supported, and that certificate seems to have some. Or is it the public key's format ?
The text was updated successfully, but these errors were encountered: