Closed defacto64 closed 2 years ago
@defacto64 Could you show the difference between a BER and a DER encoded CSR? I guess they are equal
Hi Stepan,
In some cases they are not the same at all. Let's say you have a CSR containing a multi-value RDN in the Subject field. In a case like this, if the CSR is encoded in BER then the elements of that RDN can appear in any order you like; if instead the CSR is encoded in DER, then the elements of that RDN must appear in a precise order, as prescribed by the X.690 standard (ASN.1 encoding rules).
@defacto64 Thank you!
I don't see any DER functions in ASN1.js. There are only a couple of methods in the Integer class with DER names
I think there is a problem, here, that I will try to gradually explain. Maybe I am wrong, but please follow my reasoning.
The example page [1] shows how to build a CSR with PKI.js. In that example, a single RDN (the commonName) is inserted into the Subject in the following way:
pkcs10.subject.typesAndValues.push(new AttributeTypeAndValue({
  type: "2.5.4.3",
  value: new Utf8String({
    value: "Simple test (простой тест)"
  })
}));
Now, in which way do you recommend to insert multiple RDNs into the Subject? Let's say we wanted to insert in the CSR a Subject such as "/CN=Test/OU=SomeDept/O=SomeOrg/C=US" (in string representation). How should we proceed? Should we use the above statement "AS IS" multiple times, one for each RDN we want to add (of course setting the type OID accordingly)?
The problem is that, by adding several RDNs to the Subject in the said way, we end up with a single multi-value RDN which is not always DER-encoded (while it should be).
Am I right that you've got subject name like CN=Test+OU=SomeDept+O=SomeOrg+C=US instead of CN=Test, OU=SomeDept, O=SomeOrg, C=US?
SEQUENCE (1 elem)
  SET (4 elem)
    SEQUENCE (2 elem)
      OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
      PrintableString Test
    SEQUENCE (2 elem)
      OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component)
      PrintableString SomeDept
    SEQUENCE (2 elem)
      OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
      PrintableString SomeOrg
    SEQUENCE (2 elem)
      OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component)
      PrintableString US

SEQUENCE (4 elem)
  SET (1 elem)
    SEQUENCE (2 elem)
      OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
      PrintableString Test
  SET (1 elem)
    SEQUENCE (2 elem)
      OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component)
      PrintableString SomeDept
  SET (1 elem)
    SEQUENCE (2 elem)
      OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
      PrintableString SomeOrg
  SET (1 elem)
    SEQUENCE (2 elem)
      OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component)
      PrintableString US
To implement that using PKIjs we use the fixName function on fortify-web
Do you know about our package @peculiar/x509?
Here is CSR generation example https://github.com/PeculiarVentures/x509#create-a-pkcs10-certificate-request
It allows creating names using DN string
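
The two Subject layouts shown above, and the ordering rule that makes a multi-valued RDN DER rather than just BER, as an added example that is not part of the thread and does not use PKI.js or ASN1.js. It is a minimal hand-written encoder (the helper names `tlv`, `oid`, `atv`, `rdn` and `encodeName` are assumptions made for illustration) that emits one SET per attribute for CN=Test, OU=SomeDept, O=SomeOrg, C=US and sorts SET OF members as X.690 requires for DER:

```javascript
// Added example: hand-rolled DER encoder, not PKI.js/ASN1.js code.
const tlv = (tag, content) => {
  const n = content.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return [tag, ...len, ...content];
};
const oid = (dotted) => {
  const [a, b, ...rest] = dotted.split(".").map(Number);
  const body = [40 * a + b];
  for (const arc of rest) {
    const chunk = [arc & 0x7f];
    for (let v = arc >>> 7; v > 0; v >>>= 7) chunk.unshift((v & 0x7f) | 0x80);
    body.push(...chunk);
  }
  return tlv(0x06, body);
};
const printable = (s) => tlv(0x13, [...s].map((c) => c.charCodeAt(0)));
// AttributeTypeAndValue ::= SEQUENCE { type OID, value }
const atv = ([type, value]) => tlv(0x30, [...oid(type), ...printable(value)]);

// X.690 SET OF ordering for DER: compare encodings as octet strings,
// the shorter one padded with trailing zero octets.
const cmp = (x, y) => {
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] ?? 0) - (y[i] ?? 0);
    if (d) return d;
  }
  return 0;
};
// RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
const rdn = (attrs, der = true) => {
  const enc = attrs.map(atv);
  if (der) enc.sort(cmp);
  return tlv(0x31, enc.flat());
};
// Name ::= SEQUENCE OF RelativeDistinguishedName
const encodeName = (rdns, der = true) => tlv(0x30, rdns.flatMap((r) => rdn(r, der)));
const hex = (bytes) => bytes.map((b) => b.toString(16).padStart(2, "0")).join("");

// Constructed sample input: the Subject from the thread.
const attrs = [["2.5.4.3", "Test"], ["2.5.4.11", "SomeDept"], ["2.5.4.10", "SomeOrg"], ["2.5.4.6", "US"]];
const separate = encodeName(attrs.map((a) => [a]));  // CN=Test, OU=..., O=..., C=US
const multiDer = encodeName([attrs]);                // CN=Test+OU=...+O=...+C=US, DER order
const multiBer = encodeName([attrs], false);         // same RDN in insertion order: BER only

console.log("separate RDNs   :", hex(separate));
console.log("multi-valued DER:", hex(multiDer));
console.log("multi-valued BER:", hex(multiBer));
```

In the multi-valued case the DER output starts with the countryName attribute (its encoding sorts lowest), while the insertion-order output starts with commonName; both decode to the same RDN, but only the first is valid DER.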
It's not a matter of wanting, but yes: you captured what I mean.
@defacto64 is the answer sufficient? Can this be closed?
Sorry for the delay. Yes, I have confirmed that a call to the fixName function "fixes" the problematic Subject encoding. (I have not yet tried the additional peculiar/x509 package, but I will do so in the near future.) This can be closed, thank you.
Hello, I would like to know if it is possible, after creating a CertificationRequest via PKI.js, to obtain its DER encoding. After getting the asn1js object via toSchema(), I understand from the ASN1.js sources that only a toBER() method is available: I don't see a toDER() method ....