c2i_ASN1_INTEGER function in Openssl 1.1.0

Matt Caswell matt at openssl.org
Fri May 31 08:41:04 UTC 2019

On 31/05/2019 04:55, Swamy J-S wrote:
> Hi,
> I recently updated openssl from 1.0.2n to 1.1.0g in linux system.
> Earlier I was using
> "ASN1_INTEGER **c2i_ASN1_INTEGER*(ASN1_INTEGER **a, const unsigned char **pp,
> long len) " function. As this function is removed in openssl 1.1.0, now i
> replaced this with
> "ASN1_INTEGER **d2i_ASN1_UINTEGER*(ASN1_INTEGER **a, const unsigned char **pp,
> long length)". 
> Now when i build my application then i get warning as
> *"Warning:0:-- SSL Error queue report --*
> *Warning:0: - asn1 encoding routines|d2i_ASN1_UINTEGER|expecting an
> integer:218718323".*
> *
> *
> *
> *
> What is the solution for this problem?

I spotted your stack exchange question on this before I spotted your question on
this list. I'll repost my stack exchange answer here as well:

ASN.1 encoding of an INTEGER (as BER or DER) consists of 1 or more "identifier"
octets (usually 1), followed by 1 or more "length" octets, followed by "content"
octets (the length of which is determined by the previous "length" octets).

The function c2i_ASN1_INTEGER assumes you have already parsed the "identifier"
and "length" octets and coverts the "content" bytes into an integer. This was
removed from OpenSSL 1.1.0 because this is considered a very low level parsing
operation that applications should not be calling directly.

The function d2i_ASN1_UINTEGER is not a direct drop in replacement for
c2i_ASN1_INTEGER. It parses the whole integer (including the "identifier" and
"length" octets). If you pass it just the content octets then it will interpret
the first byte as an "identifier" octet. This will likely have the wrong value
for an integer and so this is probably why you are seeing the "expecting an
integer" error.

You will need to rewrite your code to pass the whole integer to d2i_ASN1_UINTEGER.


More information about the openssl-users mailing list