[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

x509 AlgorithmIdentifier parameters

From: Philip Martin <philip_at_codematters.co.uk>
Date: Tue, 23 Jan 2018 17:40:08 +0000

Marc Strapetz <marc.strapetz_at_syntevo.com> writes:

> We have cherry-picked your fix onto 1.9.7 tag but unfortunately it
> doesn't solve the problem for the user.

Looking back at the original mail it looks as if the error is produced
by x509parse.c:x509_get_alg() via svn_x509_parse_cert(), in particular
it is probably this assumption:

  /*
   * assume the algorithm parameters must be NULL
   */
  err = asn1_get_tag(p, end, &len, ASN1_NULL);
  if (err)
    return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);

  if (*p != end)
    {
      err = svn_error_create(SVN_ERR_ASN1_LENGTH_MISMATCH, NULL, NULL);
      return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
    }

The failing cert probably provides non-NULL "algorithm parameters".

I suspect the reason the command line client "works" while your Java
code fails is that the command line client only invokes x509_get_alg()
for the "svn auth" operation, and then only if the cert has been
permanently stored as a failure exception. Your Java code is probably
using svn_x509_parse_cert() as part of handling cert failures in more
cases, perhaps all operations.

Can you make the cert in question available, either on list or to me?

The fix is for our code to allow and parse the "algorithm parameters"
but I'm not sure what our code should do with the parsed values. We
currently compare algorithms for equality using x509parse.c:oid_equal(),
perhaps we should be checking the parameters are equal as well?

-- 
Philip
Received on 2018-01-23 18:40:20 CET

This is an archived mail posted to the Subversion Dev mailing list.