CI Plus certificates parsing / verification
Do you have any plans to support the almost specific CI Plus certificate format and signature as described on page 100 of the CI Plus specification V1.3.1 (http://www.ci-plus.com)?
If I read the specification correctly,
CI Plus uses regular X.509 certificates.. So these are already supported by PolarSSL..
The only things currently not supported would be the 3 extensions: 22.214.171.124 Scrambler capabilities, 126.96.36.199 CI Plus info and 188.8.131.52 CICAM brand identifier.
These are easy to add by any developer, or by us for a potential client.
All the rest is standard and already supported.
It seems to have some other differences:
It fails with error 0x2368, coming from function x509_get_alg_null(..) (call at line 595 of x509_crt.c) because there are parameters in the algorithm identifier.
And then if I patch the file, I've got a 0x262E, because of unknown OID.
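The failure described in the post above comes down to what follows the OID inside the AlgorithmIdentifier. The sketch below is an added example, not PolarSSL code and not from the thread: it classifies that parameters field as absent, NULL, or something else. The function and constant names are hypothetical, the byte strings are constructed samples, and the use of id-RSASSA-PSS as the identifier with non-NULL parameters is an assumption, since the thread does not name the algorithm.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum alg_params { ALG_MALFORMED = -1, ALG_PARAMS_ABSENT, ALG_PARAMS_NULL, ALG_PARAMS_OTHER };

/* Read a DER tag and length (short form, or 1-2 long-form bytes). Returns 0 on success. */
static int der_header(const uint8_t **p, const uint8_t *end, uint8_t *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    size_t l = *(*p)++;
    if (l & 0x80) {
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - *p) < n) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < l) return -1;   /* value must fit in the buffer */
    *len = l;
    return 0;
}

/* Classify parameters of AlgorithmIdentifier ::= SEQUENCE { OID, ANY OPTIONAL }. */
enum alg_params classify_alg_id(const uint8_t *buf, size_t buflen)
{
    const uint8_t *p = buf, *end = buf + buflen;
    uint8_t tag; size_t len;

    if (der_header(&p, end, &tag, &len) || tag != 0x30) return ALG_MALFORMED;
    end = p + len;                           /* confine parsing to the SEQUENCE body */
    if (der_header(&p, end, &tag, &len) || tag != 0x06 || len == 0) return ALG_MALFORMED;
    p += len;                                /* skip the OID value */
    if (p == end) return ALG_PARAMS_ABSENT;
    if (der_header(&p, end, &tag, &len) || p + len != end) return ALG_MALFORMED;
    if (tag == 0x05) return len == 0 ? ALG_PARAMS_NULL : ALG_MALFORMED;
    return ALG_PARAMS_OTHER;                 /* e.g. a SEQUENCE of algorithm parameters */
}

/* Constructed samples: sha256WithRSAEncryption + NULL, id-RSASSA-PSS + empty SEQUENCE. */
static const uint8_t ALG_RSA_SHA256[] = { 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00 };
static const uint8_t ALG_RSA_PSS[]    = { 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x00 };

int main(void)
{
    printf("sha256WithRSA: %d\n", classify_alg_id(ALG_RSA_SHA256, sizeof ALG_RSA_SHA256));
    printf("RSASSA-PSS:    %d\n", classify_alg_id(ALG_RSA_PSS, sizeof ALG_RSA_PSS));
    return 0;
}
```

A parser that accepts only the NULL case rejects the second sample before it ever looks at the signature, which matches the symptom reported above.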
If you can provide a few test certificates, we might be able to have a look at it for you..
I can provide test certificates; where can I send them?
'paul @ (this site)' will work..
Quick update on this... The test certificates you provided (thanks!) are mostly parsed and verified correctly with our development version (to be released soon), except for the following points:
you need to uncomment
config.h, or parsing of the client cert will fail. This allows parsing to complete, but some unrecognised extensions are ignored.
the interpretation of two-digit years differs in CI+ and PKIX, leading to your certificate being considered expired.
We'll be working on improving support for CI+. Please check with Paul for specific requests.