This is the Endorsement Key certificate extracted from a TPM device.

On Thu, Feb 11, 2016 at 12:47 AM, Stephen Henson via RT <[email protected]> wrote:

> On Wed Feb 10 21:59:12 2016, [email protected] wrote:
> > Version: "OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016"
> >
> > Command: "openssl x509 -inform der -in sample_ekcert.der"
> >
> > Result:
> > "unable to load certificate
> > 140618483803816:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal
> > padding:a_int.c:223:
> > 140618483803816:error:0D08303A:asn1 encoding
> > routines:asn1_template_noexp_d2i:nested asn1
> > error:tasn_dec.c:648:Field=serialNumber, Type=X509_CINF
> > 140618483803816:error:0D08303A:asn1 encoding
> > routines:asn1_template_noexp_d2i:nested asn1
> > error:tasn_dec.c:648:Field=cert_info, Type=X509"
> >
>
> As the error is suggesting it doesn't like the serialNumber in the
> certificate.
> If you check it with asn1parse it says "BAD INTEGER". Using dumpasn1 you
> get:
>
> 13 20: INTEGER 00 59 DF E1 E2 94 81 88 77 C5 3E E2 D3 2F 2B A2 BB 5F EB DA
> : Error: Integer '00 59 ...' has non-DER encoding.
>
>
> The problem is that is an invalid encoding. An ASN.1 INTEGER cannot contain
> leading zeroes. OpenSSL 1.0.2 and earlier tolerated this but 1.1.0 is
> stricter.
>
> What was the certificate generated with?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> --
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301
> Please log in as guest with password guest if prompted
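
The rule behind the dumpasn1 error quoted above, as an added example that is not part of the original thread or of OpenSSL's code: X.690 section 8.3.2 requires that the first nine bits of a multi-octet INTEGER are neither all zero nor all one, so a leading `00` is only valid when the next octet has its high bit set. The `02 14` header and all function names are assumptions made for illustration.

```python
# Added example: DER minimal-encoding check for INTEGER (X.690 section 8.3.2).
# SERIAL_TLV is constructed: the content octets are the dumpasn1 bytes quoted in
# the thread; the 02 14 header (tag INTEGER, length 20) is rebuilt from its
# "13 20: INTEGER" offset/length column.
SERIAL_TLV = bytes.fromhex(
    "0214" "0059DFE1E2948188" "77C53EE2D32F2BA2BB5FEBDA")


def integer_content(tlv: bytes) -> bytes:
    """Return the content octets of one INTEGER TLV with a short-form length."""
    if len(tlv) < 2 or tlv[0] != 0x02:
        raise ValueError("not an INTEGER (tag 0x02)")
    if tlv[1] & 0x80:
        # Certificate serial numbers are at most 20 octets, so short form suffices.
        raise ValueError("long-form length not supported here")
    if len(tlv) != 2 + tlv[1]:
        raise ValueError("length octet does not match data")
    return tlv[2:]


def check_der_integer(content: bytes) -> str:
    """Classify content octets: DER forbids the first nine bits all 0 or all 1."""
    if not content:
        return "empty content"
    if len(content) > 1:
        sign_bit = content[1] & 0x80
        if content[0] == 0x00 and not sign_bit:
            return "redundant leading 0x00"
        if content[0] == 0xFF and sign_bit:
            return "redundant leading 0xFF"
    return "ok"


def canonical_tlv(content: bytes) -> bytes:
    """Re-encode the same two's-complement value with the fewest octets."""
    value = int.from_bytes(content, "big", signed=True)
    magnitude = value if value >= 0 else ~value
    n = magnitude.bit_length() // 8 + 1
    if n >= 0x80:
        raise ValueError("value too large for a short-form length")
    return bytes([0x02, n]) + value.to_bytes(n, "big", signed=True)


if __name__ == "__main__":
    body = integer_content(SERIAL_TLV)
    print(check_der_integer(body))      # verdict for the TPM EK serial
    print(canonical_tlv(body).hex())    # the same value in strict DER
```

`canonical_tlv` shows what a strict encoder would have emitted; rewriting the serial inside an already issued certificate changes the signed bytes and invalidates its signature, so the fix belongs in whatever generated the certificate.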
