i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

Graham Leggett minfrin at sharp.fm
Mon Mar 18 10:51:53 UTC 2019

On 18 Mar 2019, at 04:55, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:

> On Mon, Mar 18, 2019 at 01:06:19AM +0200, Graham Leggett wrote:
>> [root at localhost ~]# openssl req -in req.bin -inform der
>> unable to load X509 request
>> 139903756527504:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287:
>> 139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=algorithm, Type=X509_ALGOR
>> 139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=sig_alg, Type=X509_REQ
> The CSR is malformed.

The CSR is incomplete, but isn’t malformed.

The CSR is the in the process of being built. Part of that process involves sending the partially complete CSR to another module, which then completes the CSR structure. This used to work, but has regressed when moving from rhel6 to rhel7.

> which has a non-zero length signature algorithm OID (l = 9).  Your
> example has "l=0" where one would expect the signature OID after
> the extensions.

How do I fix openssl to parse this as it did before?


More information about the openssl-users mailing list