Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Mar 18, 2019 at 01:06:19AM +0200, Graham Leggett wrote:

> [root@localhost ~]# openssl req -in req.bin -inform der
> unable to load X509 request
> 139903756527504:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287:
> 139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=algorithm, Type=X509_ALGOR
> 139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=sig_alg, Type=X509_REQ

The CSR is malformed.

> The CSR can be found here: http://www.sharp.fm/req.bin
> 
> Would it be possible to confirm what is wrong with this request?

Running "openssl asn1parse -inform DER" we get:

	0:d=0  hl=4 l= 509 cons: SEQUENCE
	4:d=1  hl=4 l= 498 cons: SEQUENCE
	8:d=2  hl=2 l=   1 prim: INTEGER           :00
       11:d=2  hl=2 l=  67 cons: SEQUENCE
       13:d=3  hl=2 l=  14 cons: SET
       15:d=4  hl=2 l=  12 cons: SEQUENCE
       17:d=5  hl=2 l=   3 prim: OBJECT            :commonName
       22:d=5  hl=2 l=   5 prim: UTF8STRING        :Test1
       29:d=3  hl=2 l=  49 cons: SET
       31:d=4  hl=2 l=  47 cons: SEQUENCE
       33:d=5  hl=2 l=   3 prim: OBJECT            :serialNumber
       38:d=5  hl=2 l=  40 prim: PRINTABLESTRING   :354616bb0358f9474f1e84af5550567f8b6c4d5b
       80:d=2  hl=4 l= 290 cons: SEQUENCE
       84:d=3  hl=2 l=  13 cons: SEQUENCE
       86:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
       97:d=4  hl=2 l=   0 prim: NULL
       99:d=3  hl=4 l= 271 prim: BIT STRING
      374:d=2  hl=3 l= 129 cons: cont [ 0 ]
      377:d=3  hl=2 l=  42 cons: SEQUENCE
      379:d=4  hl=2 l=   9 prim: OBJECT            :challengePassword
      390:d=4  hl=2 l=  29 cons: SET
      392:d=5  hl=2 l=  27 prim: IA5STRING         :dfwrrdq4uhec96yj23io8soav0
      421:d=3  hl=2 l=  83 cons: SEQUENCE
      423:d=4  hl=2 l=   9 prim: OBJECT            :Extension Request
      434:d=4  hl=2 l=  70 cons: SET
      436:d=5  hl=2 l=  68 cons: SEQUENCE
      438:d=6  hl=2 l=  66 cons: SEQUENCE
      440:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
      445:d=7  hl=2 l=  59 prim: OCTET STRING      [HEX DUMP]:303981373335343631366262303335386639343734663165383461663535353035363766386236633464356240756B2E736173686B65792E6F7267
      506:d=1  hl=2 l=   2 cons: SEQUENCE
      508:d=2  hl=2 l=   0 prim: OBJECT            :BAD OBJECT:[]
      510:d=1  hl=2 l=   1 prim: BIT STRING

Whereas with:

    $ openssl req -config <(
	    printf "distinguished_name = dn\n[dn]\nprompt=yes\n[v3req]\n%s\n" \
                   "subjectAltName = DNS:example.com"
        ) -reqexts v3req -new -newkey rsa:1024 -keyout /dev/null \
          -nodes -subj / 2>/dev/null | openssl asn1parse

we get:

	0:d=0  hl=4 l= 360 cons: SEQUENCE
	4:d=1  hl=3 l= 210 cons: SEQUENCE
	7:d=2  hl=2 l=   1 prim: INTEGER           :00
       10:d=2  hl=2 l=   0 cons: SEQUENCE
       12:d=2  hl=3 l= 159 cons: SEQUENCE
       15:d=3  hl=2 l=  13 cons: SEQUENCE
       17:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
       28:d=4  hl=2 l=   0 prim: NULL
       30:d=3  hl=3 l= 141 prim: BIT STRING
      174:d=2  hl=2 l=  41 cons: cont [ 0 ]
      176:d=3  hl=2 l=  39 cons: SEQUENCE
      178:d=4  hl=2 l=   9 prim: OBJECT            :Extension Request
      189:d=4  hl=2 l=  26 cons: SET
      191:d=5  hl=2 l=  24 cons: SEQUENCE
      193:d=6  hl=2 l=  22 cons: SEQUENCE
      195:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
      200:d=7  hl=2 l=  15 prim: OCTET STRING      [HEX DUMP]:300D820B6578616D706C652E636F6D
      217:d=1  hl=2 l=  13 cons: SEQUENCE
      219:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
      230:d=2  hl=2 l=   0 prim: NULL
      232:d=1  hl=3 l= 129 prim: BIT STRING

which has a non-zero length signature algorithm OID (l = 9).  Your
example has "l=0" where one would expect the signature OID after
the extensions.

-- 
	Viktor.



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux