i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

Viktor Dukhovni openssl-users at dukhovni.org
Mon Mar 18 16:49:41 UTC 2019

> On Mar 18, 2019, at 6:51 AM, Graham Leggett <minfrin at sharp.fm> wrote:
> The CSR is incomplete, but isn’t malformed.

A mandatory part of the CSR is missing.  It is malformed.

> The CSR is the in the process of being built. Part of that process involves sending the partially complete CSR to another module, which then completes the CSR structure. This used to work, but has regressed when moving from rhel6 to rhel7.
>> which has a non-zero length signature algorithm OID (l = 9).  Your
>> example has "l=0" where one would expect the signature OID after
>> the extensions.
> How do I fix openssl to parse this as it did before?

Since you don't have a CSR, the fix is to not attempt to encode the data
as a CSR.  It sounds like what you have is a CRI (that is a
CertificationRequestInfo structure) so you'll need to encode that instead.


The relevant codec functions are:  i2d_X509_REQ_INFO and d2i_X509_REQ_INFO.

A CSR is:

   CertificationRequest ::= SEQUENCE {
        certificationRequestInfo CertificationRequestInfo,
        signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
        signature          BIT STRING

which encapsulates the CRI a larger signed structure, adding precisely
the bits you're missing.

An alternative (if you must) is to create an actual CSR, with a dummy
signature OID, and signature and then ignore the signature on the other


More information about the openssl-users mailing list