[openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

Cristian Berneanu via RT rt at openssl.org
Thu Feb 11 07:11:17 UTC 2016


This is the Endorsement Key certificate extracted from a TPM device.

On Thu, Feb 11, 2016 at 12:47 AM, Stephen Henson via RT <rt at openssl.org>
wrote:

> On Wed Feb 10 21:59:12 2016, bcristi at gmail.com wrote:
> > Version: "OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016"
> >
> > Command: "openssl x509 -inform der -in sample_ekcert.der"
> >
> > Result:
> > "unable to load certificate
> > 140618483803816:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal
> > padding:a_int.c:223:
> > 140618483803816:error:0D08303A:asn1 encoding
> > routines:asn1_template_noexp_d2i:nested asn1
> > error:tasn_dec.c:648:Field=serialNumber, Type=X509_CINF
> > 140618483803816:error:0D08303A:asn1 encoding
> > routines:asn1_template_noexp_d2i:nested asn1
> > error:tasn_dec.c:648:Field=cert_info, Type=X509"
> >
>
> As the error is suggesting it doesn't like the serialNumber in the
> certificate.
> If you check it with asn1parse it says "BAD INTEGER". Using dumpasn1 you
> get:
>
> 13 20: INTEGER 00 59 DF E1 E2 94 81 88 77 C5 3E E2 D3 2F 2B A2 BB 5F EB DA
> : Error: Integer '00 59 ...' has non-DER encoding.
>
>
> The problem is that this is an invalid encoding. An ASN.1 INTEGER cannot contain
> leading zeroes. OpenSSL 1.0.2 and earlier tolerated this but 1.1.0 is
> stricter.
>
> What was the certificate generated with?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> --
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301
> Please log in as guest with password guest if prompted
>
>

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301
Please log in as guest with password guest if prompted
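
Added example (not part of the original thread and not OpenSSL's code): a standalone C check of the DER minimal-encoding rule for INTEGER that the "illegal padding" error refers to, run against the serialNumber octets from the dumpasn1 output quoted above. The function name, the result codes and the needs_zero sample are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Result names are chosen for this example; they are not OpenSSL's. */
enum int_check { INT_OK, INT_NOT_INTEGER, INT_BAD_LENGTH, INT_EMPTY, INT_PADDED };

/* Check one DER INTEGER TLV against X.690 8.3.2: if the content is longer
 * than one octet, the first octet and the top bit of the second must not be
 * all zeros or all ones (a redundant 00 or FF sign octet). */
enum int_check der_integer_check(const unsigned char *p, size_t len)
{
    size_t clen = 0, nlen, i;

    if (len < 2) return INT_BAD_LENGTH;
    if (p[0] != 0x02) return INT_NOT_INTEGER;
    if (p[1] < 0x80) {                    /* short-form length */
        clen = p[1];
        p += 2; len -= 2;
    } else {                              /* long form: 0x80 | octet count */
        nlen = p[1] & 0x7f;               /* 0 = indefinite, not DER */
        if (nlen == 0 || nlen > sizeof(size_t) || nlen > len - 2)
            return INT_BAD_LENGTH;
        for (i = 0; i < nlen; i++)
            clen = (clen << 8) | p[2 + i];
        p += 2 + nlen; len -= 2 + nlen;
    }
    if (clen > len) return INT_BAD_LENGTH;
    if (clen == 0) return INT_EMPTY;
    if (clen > 1 && p[0] == 0x00 && !(p[1] & 0x80)) return INT_PADDED;
    if (clen > 1 && p[0] == 0xff && (p[1] & 0x80)) return INT_PADDED;
    return INT_OK;
}

/* serialNumber octets from the dumpasn1 output quoted above, with the
 * INTEGER tag (02) and length (0x14 = 20) prepended. */
static const unsigned char ek_serial[] = {
    0x02, 0x14, 0x00, 0x59, 0xDF, 0xE1, 0xE2, 0x94, 0x81, 0x88, 0x77,
    0xC5, 0x3E, 0xE2, 0xD3, 0x2F, 0x2B, 0xA2, 0xBB, 0x5F, 0xEB, 0xDA };
/* Constructed for comparison: 00 80 needs its 00 so the value stays positive. */
static const unsigned char needs_zero[] = { 0x02, 0x02, 0x00, 0x80 };

int main(void)
{
    printf("ek_serial:  %d\n", der_integer_check(ek_serial, sizeof ek_serial));
    printf("needs_zero: %d\n", der_integer_check(needs_zero, sizeof needs_zero));
    return 0;
}
```

The EK serial is reported as INT_PADDED because 0x59 already has its top bit clear, so the preceding 00 carries no sign information.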


