0

If openssl (e.g. x509 or s_client) thinks a DER encoded x509 self-signed certificate is well formed, can I definitively say that the certificate is well formed? For instance, openssl is able to load the certificate but a widely used closed source framework does not.

Thanks.

pmf
  • Please define well-formed first of all. Next, move on to the more specific problem which the framework has. – Eugene Mayevski 'Callback Jun 01 '12 at 16:37
  • By well formed I meant 'valid binary DER'; I don't care if the certificate is valid as in 'the certificate chain is valid'. The issue was not with the framework (I doubted that, and now I'm sure that it is not). However, I'm still wondering if it is possible that a certificate in binary DER that openssl is able to load can be formed in such a way that other implementations would not recognize it as valid. Or if openssl thinks it is valid, can I be certain that the problem is on the other side? – pmf Jun 01 '12 at 19:47

1 Answer

0

In general, yes, if OpenSSL can load it, then most likely there are no inherent problems with the format. However, some libraries and applications don't handle ASN.1 (DER) tags with undefined length. This is the most likely case with your certificate.

Eugene Mayevski 'Callback
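One way to check a certificate file for the length encodings the answer mentions, as an added example that is not part of the original answer: a walker over the ASN.1 tag-length-value structure that reports indefinite-length (`0x80`) and non-minimal length octets, both of which BER allows and a strict DER parser rejects. The function name and the sample byte strings are constructed for illustration; it checks length encoding only, not the other DER rules.

```python
def der_length_issues(data, offset=0, end=None, path="root"):
    """Walk the TLVs in data[offset:end]; return [(path, offset, issue), ...]."""
    issues, index = [], 0
    end = len(data) if end is None else end
    while offset < end:
        start, here = offset, f"{path}/{index}"
        tag = data[offset]
        offset += 1
        if tag & 0x1F == 0x1F:              # high-tag-number form
            while offset < end and data[offset] & 0x80:
                offset += 1                 # skip continuation octets
            offset += 1
        if offset >= end:
            issues.append((here, start, "truncated header"))
            break
        first = data[offset]
        offset += 1
        if first == 0x80:                   # BER indefinite length
            issues.append((here, start, "indefinite length"))
            break                           # extent unknown, stop at this level
        if first < 0x80:                    # short form
            length = first
        else:                               # long form: next n octets hold length
            n = first & 0x7F
            raw = data[offset:min(offset + n, end)]
            if len(raw) < n:
                issues.append((here, start, "truncated length"))
                break
            length = int.from_bytes(raw, "big")
            offset += n
            if raw[0] == 0 or length < 0x80:
                issues.append((here, start, "non-minimal length"))
        if offset + length > end:
            issues.append((here, start, "content overruns parent"))
            break
        if tag & 0x20:                      # constructed: descend into children
            issues += der_length_issues(data, offset, offset + length, here)
        offset += length
        index += 1
    return issues

# Constructed samples: SEQUENCE { INTEGER 1 } in three encodings.
STRICT_DER = bytes.fromhex("3003020101")
BER_INDEFINITE = bytes.fromhex("30800201010000")
BER_LONG_FORM = bytes.fromhex("308103020101")
```

For a real file, pass the raw bytes of the `.der` certificate; an empty list means every length in the structure is definite and minimally encoded.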