On Monday, 4 March 2019 15:20:36 CET Jan Just Keijser wrote:
> Hi Matt,
>
> On 04/03/19 14:24, Matt Caswell wrote:
> > On 04/03/2019 13:16, Jan Just Keijser wrote:
> >> On 04/03/19 10:21, Wolfgang Knauf wrote:
> >>> Hi,
> >>>
> >>> the output is this:
> >>>
> >>> C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in
> >>> ..\config\SSL_HUG1@xxxxxxxxxxxxxxxxxxxxxxx\l1139218.vt-security.de.user.
> >>> crt
> >>> Error: offset too large
> >>>
> >>> Would it be OK if I send the crt file to only your mail address? I don't
> >>> feel safe by posting it to the mailing list ;-)?
> >>
> >> I ran into the "offset too large" problem myself with my own certs as
> >> well. It turns out the 'asn1parse' util only likes PEM blobs, i.e. the
> >> parts starting with --BEGIN CERTIFICATE--
> >
> > asn1parse will expect PEM by default but is perfectly capable of
> > processing raw DER too. Just use the "-inform DER" option.
>
> 100% true but that is not what I was referring to; my certs usually look
> like this:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 5338 (0x14da)
> Signature Algorithm: sha256WithRSAEncryption
> [...]
> -----BEGIN CERTIFICATE-----
> MIIEmjCCA4KgAwIBAgICFNowDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCTkwx
>
>
> it's that part *before* the --BEGIN CERTIFICATE-- on which the
> asn1parse command chokes. You can feed it either a DER file or a PEM
> blob - but not a certificate file with the certificate info listed in it.

ah, yes, that's https://github.com/openssl/openssl/issues/7317

that should be possible to work around with -strictpem option

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
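The situation described in the thread, as an added example that is not part of the original messages and not OpenSSL code: a certificate file with a human-readable dump ahead of the PEM block is reduced to only the bytes between the BEGIN/END markers, and the outer DER header is then checked. The function names are hypothetical and the sample input is constructed (a tiny SEQUENCE standing in for a real certificate).

```python
import base64
import re

# Only the text between the markers is PEM; anything before or after is ignored.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def extract_der_blocks(text):
    """Return DER bytes for each CERTIFICATE block, skipping surrounding text."""
    blocks = []
    for match in PEM_RE.finditer(text):
        b64 = "".join(match.group(1).split())          # drop line breaks
        blocks.append(base64.b64decode(b64, validate=True))
    return blocks

def der_header(der):
    """Parse the outer DER tag and length: (tag, header_len, content_len)."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    tag, first = der[0], der[1]
    if first < 0x80:                                   # short-form length
        return tag, 2, first
    n = first & 0x7F                                   # long form: n length octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated length")
    return tag, 2 + n, int.from_bytes(der[2:2 + n], "big")

def looks_like_certificate(der):
    """The outer element must be a SEQUENCE (0x30) spanning the whole blob."""
    tag, hlen, clen = der_header(der)
    return tag == 0x30 and hlen + clen == len(der)

# Constructed sample: SEQUENCE { INTEGER 5338 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x04, 0x02, 0x02, 0x14, 0xDA])
SAMPLE_FILE = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "        Serial Number: 5338 (0x14da)\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode() + "\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for der in extract_der_blocks(SAMPLE_FILE):
        print(der_header(der), looks_like_certificate(der))
```

Writing the extracted bytes to a file gives input that `asn1parse` accepts with the "-inform DER" option mentioned in the thread.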