Open pbogdan opened 7 years ago
In the twisted maze of ASN.1, it's easy to miss the full encoding of extensions. We shouldn't ignore the rest of the ASN.1, but someone needs to add what's necessary. Changing the current implementation to make things more correct is not a problem.
Firstly, I apologise if any of my terminology is off or if this is a user error, as I'm not very well versed in this domain.
While attempting to parse and use the information provided by the ExtAuthorityKeyId extension, I came across an issue while trying to extract the extension from the QuoVadis Root CA 2 certificate. The certificate is available at http://trust.quovadisglobal.com/qvrca2.crt, and checking with the openssl tool yields the following data for ExtAuthorityKeyId:
and the following ExtensionRaw representation:
To my understanding, the current implementation of parsing ExtAuthorityKeyId expects that only the keyIdentifier field will be present, and as such fails to extract the extension in the presence of the additional fields. According to this RFC, authorityCertIssuer and authorityCertSerialNumber may also be present.
I was able to work around it by introducing the following instance:
with MyExtAuthorityKeyId having the same representation as ExtAuthorityKeyId. The instance has the unfortunate property that decoding and encoding lose data, due to not being aware of the additional fields, while keeping the representation of ExtAuthorityKeyId the same, which would otherwise be a breaking change.
In any case, I wanted to check whether this was intentional behaviour, or perhaps get your thoughts on changing its current implementation.
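To make the decoding problem concrete, here is an added example (not code from this issue or from the x509 library) that decodes the AuthorityKeyIdentifier extension value from DER in Python and keeps all three optional fields instead of only keyIdentifier. The sample bytes are constructed, not taken from the QuoVadis certificate, and the GeneralNames field is returned as raw DER rather than decoded further.

```python
# Decoding the X.509 AuthorityKeyIdentifier extension from DER (added example,
# not code from the issue or the library).  RFC 5280 s4.2.1.1:
#   AuthorityKeyIdentifier ::= SEQUENCE {
#       keyIdentifier             [0] KeyIdentifier            OPTIONAL,
#       authorityCertIssuer       [1] GeneralNames             OPTIONAL,
#       authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
# The tags are IMPLICIT, so [0] and [2] show up as primitive 0x80 / 0x82 and
# [1] as constructed 0xA1.

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element at pos; supports
    short-form and long-form (up to 4 byte) lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: 0x8N followed by N bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_authority_key_identifier(der: bytes) -> dict:
    """Decode all three optional fields.  An unknown tag raises rather than
    being silently dropped, which is the data loss the issue describes."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    out = {"key_identifier": None, "authority_cert_issuer": None,
           "authority_cert_serial_number": None}
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x80:                 # [0] keyIdentifier (OCTET STRING body)
            out["key_identifier"] = val
        elif tag == 0xA1:               # [1] GeneralNames, kept as raw DER
            out["authority_cert_issuer"] = val
        elif tag == 0x82:               # [2] serial number (INTEGER body)
            out["authority_cert_serial_number"] = int.from_bytes(val, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in AuthorityKeyIdentifier")
    return out

# Constructed sample (not the QuoVadis certificate): keyIdentifier 01..08,
# authorityCertIssuer = directoryName CN=QV2, authorityCertSerialNumber = 1000.
SAMPLE_AKI = bytes.fromhex(
    "3022" "8008" "0102030405060708"
    "a112" "a410" "300e" "310c" "300a" "0603550403" "0c03515632"
    "8202" "03e8")
```

Feeding the same bytes to a decoder that only accepts the [0] field reproduces the reported failure, because the 0xA1 and 0x82 elements are exactly what such a decoder does not expect.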