[openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

Stephen Henson via RT rt at openssl.org
Wed Feb 10 22:47:40 UTC 2016

On Wed Feb 10 21:59:12 2016, bcristi at gmail.com wrote:
> Version: "OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016"
> Command: "openssl x509 -inform der -in sample_ekcert.der"
> Result:
> "unable to load certificate
> 140618483803816:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal
> padding:a_int.c:223:
> 140618483803816:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:tasn_dec.c:648:Field=serialNumber, Type=X509_CINF
> 140618483803816:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:tasn_dec.c:648:Field=cert_info, Type=X509"

As the error is suggesting it doesn't like the serialNumber in the certificate.
If you check it with asn1parse it says "BAD INTEGER". Using dumpasn1 you get:

13 20: INTEGER 00 59 DF E1 E2 94 81 88 77 C5 3E E2 D3 2F 2B A2 BB 5F EB DA
: Error: Integer '00 59 ...' has non-DER encoding.

The problem is that it is an invalid encoding. An ASN.1 INTEGER cannot contain
leading zeroes. OpenSSL 1.0.2 and earlier tolerated this but 1.1.0 is stricter.

What was the certificate generated with?

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301
Please log in as guest with password guest if prompted
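The check that trips in the report above is the DER minimal-encoding rule for INTEGER content octets (X.690 8.3.2: the first nine bits of a multi-octet INTEGER may not all be zero or all be one). The following is an added example, not code from this thread or from OpenSSL: a small DER TLV walker that reaches the serialNumber of a certificate and applies the same padding rule that 1.1.0's c2i_ibuf enforces, then shows what the minimal encoding of that value would be. The certificate bytes it builds are a constructed, truncated fragment (only the fields the walker reads), using the 20 content octets quoted from the dumpasn1 output; `read_tlv`, `integer_padding_error`, `strip_integer_padding`, `certificate_serial` and `build_fragment` are names chosen here.

```python
"""Added example: locate an X.509 serialNumber and apply the DER INTEGER
padding rule that OpenSSL 1.1.0 enforces ("illegal padding" in c2i_ibuf).
Not OpenSSL code; the certificate fragment below is constructed."""
import sys


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos].

    Handles single-byte tags and definite lengths only, which is all an
    X.509 certificate needs.
    """
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported in this example")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8n + n length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated TLV")
    return tag, content, pos + length


def integer_padding_error(content):
    """Return None if the INTEGER content octets are minimal, else the reason.

    A leading 0x00 is only legal when bit 8 of the next octet is set (it is
    needed to keep a positive value positive); a leading 0xFF only when that
    bit is clear. Anything else is padding and is rejected by DER.
    """
    if not content:
        return "zero-length INTEGER"
    if len(content) == 1:
        return None
    if content[0] == 0x00 and not content[1] & 0x80:
        return "redundant leading 0x00"
    if content[0] == 0xFF and content[1] & 0x80:
        return "redundant leading 0xFF"
    return None


def strip_integer_padding(content):
    """Return the minimal DER content octets encoding the same integer value."""
    content = bytes(content)
    while len(content) > 1 and integer_padding_error(content):
        content = content[1:]
    return content


def certificate_serial(der):
    """Walk Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, field, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                         # EXPLICIT [0] version is optional
        tag, field, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return field


# Content octets of the serialNumber as printed by dumpasn1 in the report.
BAD_SERIAL = bytes.fromhex("0059DFE1E294818877C53EE2D32F2BA2BB5FEBDA")


def build_fragment(serial):
    """Constructed, truncated certificate: version v3 and serialNumber only.

    Enough for certificate_serial() to reach the field; it is not a valid
    certificate and carries no signature.
    """
    version = b"\xa0\x03\x02\x01\x02"
    ser = b"\x02" + bytes([len(serial)]) + serial
    tbs = version + ser
    tbs_tlv = b"\x30" + bytes([len(tbs)]) + tbs
    return b"\x30" + bytes([len(tbs_tlv)]) + tbs_tlv


if __name__ == "__main__":
    # Pass a real DER certificate path to check it; otherwise use the fragment.
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fragment(BAD_SERIAL)
    serial = certificate_serial(der)
    err = integer_padding_error(serial)
    print("serialNumber:", serial.hex())
    print("DER check:", err or "minimal encoding, OK")
    if err:
        print("minimal form would be:", strip_integer_padding(serial).hex())
```

The check is diagnostic only: the serialNumber sits inside tbsCertificate, the bytes the issuer signed, so rewriting it in place would invalidate the signature. A certificate that fails this check has to be regenerated by whatever issued it with a correct DER encoder, which is why the question at the end of the reply is the right one to ask.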
