X.509 boolean values recognized on Windows and Linux, but not on OS X #318

jleroy · 2015-10-12T00:19:00Z

I've created a self-signed CA with the mbedtls_cert_write command. This certificate works on Windows 10 and Fedora 21, but not on OS X 10.11 (El Capitan).

The Basic Constraints extension critical flag is recognized on Windows, Linux, and with openssl command on Mac OS X 10.11, but not by OS X Keychain app:

Also, the CA flag is not recognized on OS X.
Maybe OS X is expecting a value of 0xff (255) for TRUE, not 1 ?

The text was updated successfully, but these errors were encountered:

NWilson · 2015-10-14T07:38:04Z

In mbedtls_asn1_write_bool, BOOLEAN is written out with a 1. In BER, any non-zero value is 'true', but in DER, only 0xff is permitted.

rainierwolfcastle · 2015-10-16T15:47:13Z

ARM Internal Ref: IOTSSL-508

jleroy · 2015-10-16T15:56:41Z

@rainierwolfcastle FYI this bug is fixed by PR #320.

In BER encoding, any boolean with a non-zero value is considered as TRUE. However, DER encoding require a value of 255 (0xFF) for TRUE. This commit makes `mbedtls_asn1_write_bool` function uses `255` instead of `1` for BOOLEAN values. With this fix, boolean values are now reconized by OS X keychain (tested on OS X 10.11). Fixes #318.

* Mbed-TLS#292: Make psa_close_key(0) and psa_destroy_key(0) succeed * Mbed-TLS#299: Allow xxx_drbg_set_entropy_len before xxx_drbg_seed * Mbed-TLS#259: Check `len` against buffers size upper bound in PSA tests * Mbed-TLS#288: Add ECDSA tests with hash and key of different lengths * Mbed-TLS#305: CTR_DRBG: grab a nonce from the entropy source if needed * Mbed-TLS#316: Stop transactions from being reentrant * Mbed-TLS#317: getting_started: Make it clear that keys are passed in * Mbed-TLS#314: Fix pk_write with EC key to use a constant size for the private value * Mbed-TLS#298: Test a build without any asymmetric cryptography * Mbed-TLS#284: Fix some possibly-undefined variable warnings * Mbed-TLS#315: Define MBEDTLS_PK_SIGNATURE_MAX_SIZE * Mbed-TLS#318: Finish side-porting commits from mbedtls-restricted that missed the split

* Mbed-TLS#292: Make psa_close_key(0) and psa_destroy_key(0) succeed * Mbed-TLS#299: Allow xxx_drbg_set_entropy_len before xxx_drbg_seed * Mbed-TLS#304: Make sure Asan failures are detected in 'make test' * Mbed-TLS#259: Check `len` against buffers size upper bound in PSA tests * Mbed-TLS#288: Add ECDSA tests with hash and key of different lengths * Mbed-TLS#305: CTR_DRBG: grab a nonce from the entropy source if needed * Mbed-TLS#316: Stop transactions from being reentrant * Mbed-TLS#317: getting_started: Make it clear that keys are passed in * Mbed-TLS#314: Fix pk_write with EC key to use a constant size for the private value * Mbed-TLS#298: Test a build without any asymmetric cryptography * Mbed-TLS#284: Fix some possibly-undefined variable warnings * Mbed-TLS#315: Define MBEDTLS_PK_SIGNATURE_MAX_SIZE * Mbed-TLS#318: Finish side-porting commits from mbedtls-restricted that missed the split * Mbed-TLS#321: Replace config.pl by config.py * Mbed-TLS#322: Update Mbed Crypto with latest Mbed TLS changes as of 2019-11-15 * Mbed-TLS#308: Small performance improvement of mbedtls_mpi_div_mpi() * Mbed-TLS#324: test_psa_constant_names: support key agreement, better code structure * Mbed-TLS#320: Link to the PSA crypto portal page from README.md * Mbed-TLS#293: Always gather MBEDTLS_ENTROPY_BLOCK_SIZE bytes of entropy * Mbed-TLS#310: Clarify test descriptions in test_suite_memory_buffer_alloc * Mbed-TLS#307: Add ASN.1 ENUMERATED tag support * Mbed-TLS#328: Remove dependency of crypto_values.h on crypto_extra.h * Mbed-TLS#325: Rename psa_asymmetric_{sign_verify} to psa_{sign,verify}_hash

…nder-crypto Finish side-porting commits from mbedtls-restricted that missed the split

MPS: Numerous minor simplifications and improvements

jleroy changed the title ~~Critical extensions works on Windows / Linux~~ X.509 boolean values recognized on Windows and Linux, but not on OS X Oct 12, 2015

jleroy mentioned this issue Oct 14, 2015

Fix boolean values according to DER specs #320

Merged

mpg added the bug label Oct 14, 2015

rainierwolfcastle added scraped and removed scraped labels Oct 15, 2015

mpg added the patch label Oct 21, 2015

mpg closed this as completed in #320 Nov 1, 2015

rainierwolfcastle added the closed_in_jira label Nov 2, 2015

Patater pushed a commit to Patater/mbedtls that referenced this issue Feb 10, 2020

Merge pull request Mbed-TLS#318 from gilles-peskine-arm/prr_573-remai…

0b3dd8d

…nder-crypto Finish side-porting commits from mbedtls-restricted that missed the split

hanno-becker pushed a commit to hanno-becker/mbedtls that referenced this issue Jul 27, 2021

Merge pull request Mbed-TLS#318 from hanno-arm/mps_simplify

2556d8a

MPS: Numerous minor simplifications and improvements

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

X.509 boolean values recognized on Windows and Linux, but not on OS X #318

X.509 boolean values recognized on Windows and Linux, but not on OS X #318

jleroy commented Oct 12, 2015

NWilson commented Oct 14, 2015

rainierwolfcastle commented Oct 16, 2015

jleroy commented Oct 16, 2015

X.509 boolean values recognized on Windows and Linux, but not on OS X #318

X.509 boolean values recognized on Windows and Linux, but not on OS X #318

Comments

jleroy commented Oct 12, 2015

NWilson commented Oct 14, 2015

rainierwolfcastle commented Oct 16, 2015

jleroy commented Oct 16, 2015