Simon's Musings

September 4, 2008

Certificate problems with the Symbian web browser

Filed under: Uncategorized — sxw @ 10:20 am

It recently came to light that none of the secure DICE web sites would load on the browser that ships with Symbian (Symbian is the operating system on many Nokia, and other, mobile phones). The browser would get as far as connecting to the server, but then reject its SSL certificate with an obscure error message.

It turns out that this problem arises because the DICE certificate signing service, SIXKTS, is generating X509 certificates that, whilst being valid ASN.1, are not acceptable to the Symbian browser. The problem is with the ‘parameters’ section of the algorithm identifier. The ASN.1 syntax indicates that this is ‘ANY DEFINED BY algorithm OPTIONAL’ – this means that the parameter may have any type, but that the type is determined by the OID contained in ‘algorithm’. In addition, it says that the parameter is optional – it may or may not be included in the certificate. The RSA algorithm that we are using defines the type of ‘parameters’ as being NULL.

The X509 signing service was taking the path of least resistance by simply choosing to take advantage of the ‘OPTIONAL’ definition, and didn’t include a parameters value at all. OpenSSL and NSS based X509 libraries were fine with this. Symbian’s error message is sufficiently opaque that it doesn’t really help with tracking down the problem at all.

However, examining our certificates in Safari provided a helpful pointer. Safari’s crypto library is a little more picky – and would display a parser error when these certificates were inspected. Amending the signing service so it includes a NULL parameter, rather than omitting it completely, resolves the parser error on Safari and allows these sites to work on Symbian.
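One way to check DER-encoded certificate data for this condition, as an added example that is not part of the original post or the DICE signing service: a minimal DER walker that reports, for each RSA AlgorithmIdentifier it finds, whether ‘parameters’ is omitted or an explicit NULL. The function names and sample bytes are constructed for illustration, and the walker assumes single-byte tags, which holds for X509 certificates.

```python
# Added example: report whether RSA AlgorithmIdentifiers carry NULL parameters.
PKCS1_PREFIX = bytes.fromhex("2a864886f70d0101")  # OID 1.2.840.113549.1.1.* (PKCS#1 RSA)

# Constructed samples: sha1WithRSAEncryption AlgorithmIdentifier, without and with NULL.
WITHOUT_PARAMS = bytes.fromhex("300b06092a864886f70d010105")
WITH_NULL = bytes.fromhex("300d06092a864886f70d0101050500")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def rsa_algid_params(der):
    """Return 'absent', 'null' or 'other' for each RSA AlgorithmIdentifier in der."""
    found = []
    def walk(start, end):
        for tag, vs, ve in children(der, start, end):
            if not tag & 0x20:             # primitive value: nothing nested to inspect
                continue
            kids = list(children(der, vs, ve))
            is_algid = (tag == 0x30 and kids and kids[0][0] == 0x06 and
                        der[kids[0][1]:kids[0][2]].startswith(PKCS1_PREFIX))
            if not is_algid:
                walk(vs, ve)               # descend into SEQUENCE / SET / [n] wrappers
            elif len(kids) == 1:
                found.append("absent")     # OID only: the encoding Symbian rejected
            elif kids[1][0] == 0x05 and kids[1][1] == kids[1][2]:
                found.append("null")       # explicit NULL (05 00) after the OID
            else:
                found.append("other")
    walk(0, len(der))
    return found
```

Passing the full DER bytes of a certificate returns one entry per RSA AlgorithmIdentifier it contains; any "absent" entry marks the encoding described above.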
