Unusual certificates
Hubert Kario
hkario at redhat.com
Thu Jun 25 11:25:43 UTC 2020
On Thursday, 25 June 2020 12:15:00 CEST, Angus Robertson - Magenta Systems Ltd wrote:
> A client is having problems reading Polish Centum issued personal
> certificates with OpenSSL 1.1.1, which read OK with 1.1.0 and earlier,
> mostly.
>
> Using PEM_read_bio_X509 with some of these certificates says
> error:00000000:lib(0):func(0):reason(0), while the X509 command line
> tool says 'unable to load certificate'. Some certificates work with
> both methods.
>
> Using the asn1parse command from any version of OpenSSL says 'Error:
> offset out of range', while a Javascript based web tool is able to
> decode the ASN1, but is perhaps more tolerant of errors.
>
> So it seems there is something in the creation of these certificates
> that OpenSSL has never liked, but until 1.1.1 was tolerated
> sufficiently to allow them to be read.
>
> This certificate reads OK in 1.1.1 but fails asn1parse:
works just fine for me with 1.1.1g
> This certificate cannot be read in 1.1.1 but is OK in 1.1.0.
>
but this one fails parsing
>
> Is there a more tolerant way to read ASN1 than the asn1parse command?
asn1parse expects BER encoding, that already is the most lenient, while
still standards-compliant, encoding that is supported.
Given that it errors out with
139628293990208:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:crypto/asn1/asn1_lib.c:91:
I'm guessing a mismatch between utf-8 and string encoding that makes
the lengths inconsistent. Some tools may just ignore them, but that doesn't
make the certificate well-formed.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
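The length consistency the reply points at, as an added example that is not code from the thread or from OpenSSL: a minimal Python BER walker applying the check whose failure ASN1_get_object reports as "too long", run over constructed bytes (a SEQUENCE holding one UTF8String) encoded once consistently and once with the length computed from a different encoding than the content bytes. The place name and both encodings are assumptions made for illustration.

```python
def read_length(data, pos):
    """Decode BER length octets at data[pos]; return (length, next_pos)."""
    first = data[pos]
    if first < 0x80:                         # short form: one octet
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(data):    # indefinite form, or octets cut off
        raise ValueError("too long: bad length octets at %d" % pos)
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def walk(data, pos=0, end=None, depth=0):
    """Return (depth, tag, length) for each TLV in data[pos:end]; raise ValueError
    ("too long ...") if an element claims more content than remains. Single-byte tags."""
    end = len(data) if end is None else end
    found = []
    while pos < end:
        tag = data[pos]
        if pos + 1 >= end:
            raise ValueError("too long: tag 0x%02x at %d has no length octet" % (tag, pos))
        length, pos = read_length(data, pos + 1)
        if pos + length > end:
            raise ValueError("too long: tag 0x%02x declares %d bytes, only %d remain"
                             % (tag, length, end - pos))
        found.append((depth, tag, length))
        if tag & 0x20:                       # constructed: check the content too
            found += walk(data, pos, pos + length, depth + 1)
        pos += length
    return found

def check(data):
    """'ok' for a consistent encoding, otherwise the parse error text."""
    try:
        walk(data)
        return "ok"
    except ValueError as exc:
        return str(exc)

def utf8_string(text, content_enc="utf-8", length_enc="utf-8"):
    """UTF8String TLV; separate encodings reproduce a length/content mismatch."""
    return bytes([0x0C, len(text.encode(length_enc))]) + text.encode(content_enc)

def sequence(*elements):
    """SEQUENCE TLV (short-form length) around the given elements."""
    body = b"".join(elements)
    return bytes([0x30, len(body)]) + body

# Constructed samples: a Polish place name encoded consistently, and with the
# content written as single-byte Latin-1 while the length came from the UTF-8
# form, so the string claims one byte more than is actually present.
GOOD = sequence(utf8_string("Kraków"))
BAD = sequence(utf8_string("Kraków", content_enc="latin-1", length_enc="utf-8"))
```

The reverse mismatch (UTF-8 content with a Latin-1 byte count) is also caught, because the leftover content byte is then read as a tag with no length octet behind it.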