[openssl-users] openssl crl fails to parse a CRL file, which seems correct

Wouter Verhelst wouter.verhelst at fedict.be
Wed Sep 14 12:31:22 UTC 2016 

Hi,

(this is a resend because my MUA crashed while I tried to send this mail 
earlier. If you get it twice, my apologies)

When I try to parse some of the CRLs at <http://crl.eid.belgium.be/>, I 
sometimes get this error:

wouter at gangtai:~$ openssl version
OpenSSL 1.0.2h  3 May 2016
wouter at gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -text
unable to load CRL
140694432685592:error:0D09E09B:asn1 encoding 
routines:X509_NAME_EX_D2I:too long:x_name.c:203:
140694432685592:error:0D08303A:asn1 encoding 
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 
error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
140694432685592:error:0D08303A:asn1 encoding 
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 
error:tasn_dec.c:697:Field=crl, Type=X509_CRL

This isn't the case for all of the CRLs, just for some of them; e.g., 
everything works fine for eidc201503.crl

However, if I try the same on another machine nearby, which has a much 
older version of OpenSSL, then things seem to work fine:

eidmac:~ buildslave$ openssl version
OpenSSL 0.9.8zh 14 Jan 2016
eidmac:~ buildslave$ openssl crl -in eidc201203.crl -inform der -noout 
-text | head
Certificate Revocation List (CRL):
          Version 2 (0x1)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: /C=BE/CN=Citizen CA/serialNumber=201203
          Last Update: Sep 14 10:22:50 2016 GMT
          Next Update: Sep 21 10:22:50 2016 GMT
          CRL extensions:
              X509v3 Authority Key Identifier:
  keyid:7A:5F:3A:FF:2D:46:91:90:53:3F:BB:91:2D:29:82:ED:BB:78:6A:E0

This machine is a mac running OSX 10.11, the OpenSSL is the default as 
shipped with that OS; the other is my personal laptop, which runs Debian 
unstable (and the openssl is again the default). I've reproduced the 
same issue on Debian stable, haven't tried much else yet.

I've been trying to figure out why my OpenSSL fails to parse the CRL, 
whereas others do not,. Any hints would be greatly appreciated.

Thanks,

-- 
Wouter Verhelst

More information about the openssl-users mailing list