i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Mar 18 02:55:41 UTC 2019
On Mon, Mar 18, 2019 at 01:06:19AM +0200, Graham Leggett wrote:
> [root at localhost ~]# openssl req -in req.bin -inform der
> unable to load X509 request
> 139903756527504:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287:
> 139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=algorithm, Type=X509_ALGOR
> 139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=sig_alg, Type=X509_REQ
The CSR is malformed.
> The CSR can be found here: http://www.sharp.fm/req.bin
>
> Would it be possible to confirm what is wrong with this request?
Running "openssl asn1parse -inform DER" we get:
0:d=0 hl=4 l= 509 cons: SEQUENCE
4:d=1 hl=4 l= 498 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 67 cons: SEQUENCE
13:d=3 hl=2 l= 14 cons: SET
15:d=4 hl=2 l= 12 cons: SEQUENCE
17:d=5 hl=2 l= 3 prim: OBJECT :commonName
22:d=5 hl=2 l= 5 prim: UTF8STRING :Test1
29:d=3 hl=2 l= 49 cons: SET
31:d=4 hl=2 l= 47 cons: SEQUENCE
33:d=5 hl=2 l= 3 prim: OBJECT :serialNumber
38:d=5 hl=2 l= 40 prim: PRINTABLESTRING :354616bb0358f9474f1e84af5550567f8b6c4d5b
80:d=2 hl=4 l= 290 cons: SEQUENCE
84:d=3 hl=2 l= 13 cons: SEQUENCE
86:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
97:d=4 hl=2 l= 0 prim: NULL
99:d=3 hl=4 l= 271 prim: BIT STRING
374:d=2 hl=3 l= 129 cons: cont [ 0 ]
377:d=3 hl=2 l= 42 cons: SEQUENCE
379:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
390:d=4 hl=2 l= 29 cons: SET
392:d=5 hl=2 l= 27 prim: IA5STRING :dfwrrdq4uhec96yj23io8soav0
421:d=3 hl=2 l= 83 cons: SEQUENCE
423:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
434:d=4 hl=2 l= 70 cons: SET
436:d=5 hl=2 l= 68 cons: SEQUENCE
438:d=6 hl=2 l= 66 cons: SEQUENCE
440:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
445:d=7 hl=2 l= 59 prim: OCTET STRING [HEX DUMP]:303981373335343631366262303335386639343734663165383461663535353035363766386236633464356240756B2E736173686B65792E6F7267
506:d=1 hl=2 l= 2 cons: SEQUENCE
508:d=2 hl=2 l= 0 prim: OBJECT :BAD OBJECT:[]
510:d=1 hl=2 l= 1 prim: BIT STRING
Whereas with:
$ openssl req -config <(
printf "distinguished_name = dn\n[dn]\nprompt=yes\n[v3req]\n%s\n" \
"subjectAltName = DNS:example.com"
) -reqexts v3req -new -newkey rsa:1024 -keyout /dev/null \
-nodes -subj / 2>/dev/null | openssl asn1parse
we get:
0:d=0 hl=4 l= 360 cons: SEQUENCE
4:d=1 hl=3 l= 210 cons: SEQUENCE
7:d=2 hl=2 l= 1 prim: INTEGER :00
10:d=2 hl=2 l= 0 cons: SEQUENCE
12:d=2 hl=3 l= 159 cons: SEQUENCE
15:d=3 hl=2 l= 13 cons: SEQUENCE
17:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
28:d=4 hl=2 l= 0 prim: NULL
30:d=3 hl=3 l= 141 prim: BIT STRING
174:d=2 hl=2 l= 41 cons: cont [ 0 ]
176:d=3 hl=2 l= 39 cons: SEQUENCE
178:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
189:d=4 hl=2 l= 26 cons: SET
191:d=5 hl=2 l= 24 cons: SEQUENCE
193:d=6 hl=2 l= 22 cons: SEQUENCE
195:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
200:d=7 hl=2 l= 15 prim: OCTET STRING [HEX DUMP]:300D820B6578616D706C652E636F6D
217:d=1 hl=2 l= 13 cons: SEQUENCE
219:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
230:d=2 hl=2 l= 0 prim: NULL
232:d=1 hl=3 l= 129 prim: BIT STRING
which has a non-zero length signature algorithm OID (l = 9). Your
example has "l=0" where one would expect the signature OID after
the extensions.
--
Viktor.
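The check Viktor did by eye on the asn1parse output, as an added Python example that is not part of the original thread: it walks the outer DER structure of a CSR (info, signatureAlgorithm, signature) and flags a zero-length signatureAlgorithm OID, the "BAD OBJECT" at offset 508 above. The two inputs are constructed stand-ins with a stubbed-out certificationRequestInfo, not the req.bin from the post.

```python
# Added example, not code from the mailing-list post. Only the three
# top-level members of a PKCS#10 CertificationRequest are inspected.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (e.g. hl=3, hl=4)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def oid_to_str(value):
    """Decode OID content octets, e.g. 2A864886F70D01010B -> 1.2.840.113549.1.1.11."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def check_csr_sig_alg(der):
    """Return (ok, detail): ok is False with a reason when signatureAlgorithm is unusable."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        return False, "outer element is not a SEQUENCE"
    _, _, pos = read_tlv(body, 0)          # certificationRequestInfo, skipped here
    tag, alg, pos = read_tlv(body, pos)    # signatureAlgorithm
    if tag != 0x30:
        return False, "signatureAlgorithm is not a SEQUENCE"
    oid_tag, oid, _ = read_tlv(alg, 0)
    if oid_tag != 0x06:
        return False, "signatureAlgorithm does not start with an OBJECT IDENTIFIER"
    if len(oid) == 0:                      # what c2i_ASN1_OBJECT rejects in the post
        return False, "signatureAlgorithm OID has length 0 (BAD OBJECT)"
    sig_tag, sig, _ = read_tlv(body, pos)  # signature BIT STRING
    if sig_tag != 0x03 or len(sig) < 2:
        return False, "signature BIT STRING missing or too short"
    return True, oid_to_str(oid)

def tlv(tag, content):                     # short-form encoder for the constructed samples
    return bytes([tag, len(content)]) + content

SHA256_RSA = bytes.fromhex("2A864886F70D01010B")
GOOD_CSR = tlv(0x30, tlv(0x30, b"") + tlv(0x30, tlv(0x06, SHA256_RSA) + tlv(0x05, b""))
                   + tlv(0x03, b"\x00\xAB"))
# Mirrors offsets 506-510 of the posted request: SEQUENCE l=2 { OBJECT l=0 }, BIT STRING l=1.
BAD_CSR = tlv(0x30, tlv(0x30, b"") + tlv(0x30, tlv(0x06, b"")) + tlv(0x03, b"\x00"))
```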