Dear MBEDTLS team,
I’m a developer at SIEMENS, my name is Xiao Nian Jun. Please accept my sincere gratitude for your excellent work and to spend extra time to read my email. We are using MBEDTLS to generate ECC key and certificates, we found an issue regarding algorithm identifier in the final ASN.1 certificate. For certificate signed by ECC key, the algorithm identifier is “NULL” which doesn’t conforms to RFC7427 specification.
[cid:image001.png@01D6DD01.C51C7290] You can see the “NULL” string in the certificate, Chrome will treat this kind of certificate as invalid.
This issue has blocked us for a while, and after some investigation, we found an easy fix –- probably immature fix --- to make it works right--- we just commented out this line of code “MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_null( p, start ) )" in function mbedtls_asn1_write_algorithm_identifier.
To be honesty, we’ve been using MBEDTLS for very short time, probably this is not an issue, probably our fix will end up break up something…currently, it’s just looks correct.
Please check if my fix works or not, if not, please do not hesitate to correct me.
B.R.
Xiao Nian Jun.
mbed-tls@lists.trustedfirmware.org