Missing attribute

Hi all!
In my application, I need to check the list and attribute values in the accepted certificate under “issuer”. For this I plan to use “mbedtls_x509_dn_gets”. For one of the attributes, “Organization Identifier - (0x61)”, the function returned “??” - unknown attribute.
How do I proceed? Should I add the attribute to the code?
Is it possible to use “issuer_raw” for this check? Does the “issuer_raw” value change with the same number of attribute values but a changed order?

Thanks.
Milos.

Hi @xmilos
Thank you for your question!

The reason you are receiving this string is because mbedtls_oid_get_attr_short_name() couldn’t find the attribute name in its list.

As you can see in RFC 1776 Table 1, “Organization Identifier” is not part of the standard keywords.

However, the attribute itself is in the mbedtls_x509_name *dn parameter you are sending, so there wasn’t a parsing issue, only a string representation issue. This means you can:

  • Search for this attribute yourself in the parsed mbedtls_x509_name structure you have.
  • Add the Organization Identifier OID and attribute, and submit a PR. What is the RFC that mentions this attribute as part of the X.509 DN?

Is it possible to use “issuer_raw” for this check? Does the “issuer_raw” value change with the same number of attribute values but a changed order?

I don’t understand your question. “Issuer raw” is the raw unparsed data of the issuer name. The way it is parsed is the way it is ordered in the parsed mbedtls_x509_name (with exceptions in case of duplication etc.). I don’t think it’s necessary for you to handle the “Issuer raw”, because as mentioned, the “Organization Identifier” is parsed, just not recognized for printing.

Regards,
Mbed TLS Team member
Ron

Thank you for your response.

The certificate with the specified “OrganizationIdentifier” attribute is from a state office and must be followed. Meanwhile, his name has changed :) .

I have the following options to check the attribute values (“Org.Ident.”, O, CN, C):
test1 - use the values in the “issuer” section of the certificate, and check each attribute and its value separately (e.g.: if instr(mbedtls_x509_dn_gets(), “C = SK”) > 0, … “CN = xxxx”, … “O = xxx” …). In this case, the order of attributes in the certificate does not matter.
test2 - use the value in the “issuer_raw” section to check against the sample pattern. In this case, I check the whole value, but it depends on the order of attributes in the certificate.

If I receive a certificate with the same attributes but another order, test1 will evaluate it as OK, test2 as FAIL.
It is a question of creating certificates, whether the order of the mentioned attributes has exact rules (as in canonicalization) or not.

Thanks.

Hi Milos,

It is a question of creating certificates, whether the order of the mentioned attributes has exact rules (as in canonicalization) or not.

As you can see in this post, the order is not enforced or mandatory; however, it is a convention.
Regards,
Ron
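
The two checks discussed in this thread (test1 on the parsed attributes, test2 on the raw issuer bytes), as an added example that is not code from the thread or from Mbed TLS: a minimal DER walker over an X.509 Name, standing in for a walk over the mbedtls_x509_name list. It assumes organizationIdentifier is OID 2.5.4.97 (DER bytes 55 04 61, the “0x61” from the question); the issuer names and their values are constructed samples.

```python
# Added example, not code from the thread or from Mbed TLS. A Name is
# SEQUENCE OF RelativeDistinguishedName, each a SET OF SEQUENCE { OID, value }.
# The walker keeps every attribute by OID, so organizationIdentifier is found
# even though no short name exists for it (the "??" printed by dn_gets).
OID_CN, OID_C, OID_O = bytes.fromhex("550403"), bytes.fromhex("550406"), bytes.fromhex("55040a")
OID_ORG_ID = bytes.fromhex("550461")          # 2.5.4.97 organizationIdentifier (assumed OID)

def _tlv(data, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_name(der):
    """Return [(oid_bytes, value)] in DER order, like the mbedtls_x509_name list."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30                        # Name SEQUENCE
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _tlv(body, pos)       # one RDN (SET)
        assert tag == 0x31
        p = 0
        while p < len(rdn):                   # usually one AttributeTypeAndValue per SET
            _, atv, p = _tlv(rdn, p)
            _, oid, q = _tlv(atv, 0)
            _, val, _ = _tlv(atv, q)
            attrs.append((oid, val.decode("utf-8")))
    return attrs

def find_attr(attrs, oid):                    # search by OID instead of by printed name
    return [v for o, v in attrs if o == oid]

def _der(tag, content):                       # short-form length only: samples are < 128 bytes
    return bytes([tag, len(content)]) + content

def build_name(pairs):
    """Encode [(oid, value)] as a Name, one UTF8String attribute per RDN."""
    return _der(0x30, b"".join(_der(0x31, _der(0x30, _der(0x06, o) + _der(0x0C, v.encode())))
                               for o, v in pairs))

# Constructed sample issuers: identical attributes, different RDN order.
ISSUER_A = build_name([(OID_C, "SK"), (OID_O, "Example Office"), (OID_ORG_ID, "ORGID-EXAMPLE-1"), (OID_CN, "Example CA")])
ISSUER_B = build_name([(OID_CN, "Example CA"), (OID_ORG_ID, "ORGID-EXAMPLE-1"), (OID_O, "Example Office"), (OID_C, "SK")])

def same_attributes(der_a, der_b):            # test1: compares the attribute set, order ignored
    return sorted(parse_name(der_a)) == sorted(parse_name(der_b))

def same_raw(der_a, der_b):                   # test2: compares issuer_raw byte for byte
    return der_a == der_b
```

Running `same_attributes(ISSUER_A, ISSUER_B)` gives True while `same_raw(ISSUER_A, ISSUER_B)` gives False, which is exactly the test1/test2 split described above.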