Is there a spec for CSR 'BEGIN' headers?

Is there a spec for CSRs 'BEGIN' headers?

Yes, but it depends on what standard you are following.

As @jariq pointed out, RFC 7468 is one of them.

But its also a lot like xkcd: Standards.


I've noticed a subtle difference in how OpenSSL...

The PEM encodings OpenSSL recognizes can be found in <openssl dir>/crypto/pem/pem.h>. Using NEW is apparently an old way of doing it.

Here is the list:

# define PEM_STRING_X509_OLD     "X509 CERTIFICATE"
# define PEM_STRING_X509         "CERTIFICATE"
# define PEM_STRING_X509_PAIR    "CERTIFICATE PAIR"
# define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"
# define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST"
# define PEM_STRING_X509_REQ     "CERTIFICATE REQUEST"
# define PEM_STRING_X509_CRL     "X509 CRL"
# define PEM_STRING_EVP_PKEY     "ANY PRIVATE KEY"
# define PEM_STRING_PUBLIC       "PUBLIC KEY"
# define PEM_STRING_RSA          "RSA PRIVATE KEY"
# define PEM_STRING_RSA_PUBLIC   "RSA PUBLIC KEY"
# define PEM_STRING_DSA          "DSA PRIVATE KEY"
# define PEM_STRING_DSA_PUBLIC   "DSA PUBLIC KEY"
# define PEM_STRING_PKCS7        "PKCS7"
# define PEM_STRING_PKCS7_SIGNED "PKCS #7 SIGNED DATA"
# define PEM_STRING_PKCS8        "ENCRYPTED PRIVATE KEY"
# define PEM_STRING_PKCS8INF     "PRIVATE KEY"
# define PEM_STRING_DHPARAMS     "DH PARAMETERS"
# define PEM_STRING_DHXPARAMS    "X9.42 DH PARAMETERS"
# define PEM_STRING_SSL_SESSION  "SSL SESSION PARAMETERS"
# define PEM_STRING_DSAPARAMS    "DSA PARAMETERS"
# define PEM_STRING_ECDSA_PUBLIC "ECDSA PUBLIC KEY"
# define PEM_STRING_ECPARAMETERS "EC PARAMETERS"
# define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY"
# define PEM_STRING_PARAMETERS   "PARAMETERS"
# define PEM_STRING_CMS          "CMS"

And a quick grep reveals:

$ grep -R -B 3 PEM_STRING_X509_OLD *
...
--
crypto/pem/pem_lib.c-
crypto/pem/pem_lib.c-    /* Permit older strings */
crypto/pem/pem_lib.c-
crypto/pem/pem_lib.c:    if (!strcmp(nm, PEM_STRING_X509_OLD) && !strcmp(name, PEM_STRING_X509))
--
...

I would like to be able to handle as many formats of CSRs as possible

It looks like "NEW CERTIFICATE REQUEST" (old style) and "CERTIFICATE REQUEST" (new style) are the two winners.


Someone once asked for a list of the PEM headers and footers (they are called pre- and post- encapsulation methods or strings, IIRC). The IETF's PKIX Working Group declined it. See PEM file format rfc draft request.


Take a look at RFC7468 for CSR headers and footers.