i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

Graham Leggett minfrin at sharp.fm
Sun Mar 17 23:06:19 UTC 2019 

Hi all,

While porting some code across from RHEL6 (openssl-1.0.1e-42) to RHEL7 (openssl-1.0.2k-16), I am getting the failure below where previously the code worked.

The code creates an X509_REQ, populates it, and then passes this to a module. Before passing it to the module, the structure is canonicalised by passing it through i2d_X509_REQ() and then d2i_X509_REQ() on the other side.

On RHEL7, d2i_X509_REQ fails as follows:

[root at localhost ~]# openssl req -in req.bin -inform der
unable to load X509 request
139903756527504:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287:
139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=algorithm, Type=X509_ALGOR
139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=sig_alg, Type=X509_REQ

The failure occurs in the openssl code here:

424	        for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
(gdb) 
427	            seqtt = asn1_do_adb(pval, tt, 1);
(gdb) 
428	            if (seqtt == NULL)
(gdb) 
427	            seqtt = asn1_do_adb(pval, tt, 1);
(gdb) 
428	            if (seqtt == NULL)
(gdb) 
430	            pseqval = asn1_get_field_ptr(pval, seqtt);
(gdb) 
432	            if (!len)
(gdb) 
430	            pseqval = asn1_get_field_ptr(pval, seqtt);
(gdb) 
432	            if (!len)
(gdb) 
435	            if (asn1_check_eoc(&p, len)) {
(gdb) 
434	            q = p;
(gdb) 
435	            if (asn1_check_eoc(&p, len)) {
(gdb) 
451	            if (i == (it->tcount - 1))
(gdb) 
459	            ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
(gdb) 
461	            if (!ret) {
[————error here————]
(gdb) 
520	    if (combine == 0)
(gdb) 
521	        ASN1_item_ex_free(pval, it);
(gdb) 
522	    if (errtt)
(gdb) 
523	        ERR_add_error_data(4, "Field=", errtt->field_name,
(gdb) 
527	    return 0;
(gdb) 
528	}

The CSR can be found here: http://www.sharp.fm/req.bin

Would it be possible to confirm what is wrong with this request?

Regards,
Graham
—

More information about the openssl-users mailing list