On Thursday, 25 June 2020 12:15:00 CEST, Angus Robertson - Magenta Systems
Ltd wrote:
A client is having problems reading Polish Centum issued personal
certificates with OpenSSL 1.1.1, which read OK with 1.1.0 and earlier,
mostly.
Using PEM_read_bio_X509 with some of these certificates says
error:00000000:lib(0):func(0):reason(0), while the X509 command line
tool says 'unable to load certificate'. Some certificates work with
both methods.
Using the asn1parse command from any version of OpenSSL says 'Error:
offset out of range', while a Javascript based web tool is able to
decode the ASN1, but is perhaps more tolerant of errors.
So it seems there is something in the creation of these certificates
that OpenSSL has never liked, but until 1.1.1 was tolerated
sufficiently to allow them to be read.
This certificate reads OK in 1.1.1 but fails asn1parse:
works just fine for me with 1.1.1g
This certificate can not be read in 1.1.1 but is OK in 1.1.0.
but this one fails parsing
Is there a more tolerant way to read ASN1 than the asn1parse command?
asn1parse expects BER encoding, that already is the most lenient, while
still standards-compliant, encoding that is supported.
Given that it errors out with
139628293990208:error:0D07209B:asn1 encoding routines:ASN1_get_object:too
long:crypto/asn1/asn1_lib.c:91:
I'm guessing a mismatch between utf-8 and string encoding that makes
the lengths inconsistent. Some tools may just ignore them, but that doesn't
make the certificate well-formed.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
