[openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-05-10 Thread Matt Caswell via RT
This is intended behaviour for the certificate in question, so closing this ticket. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe:

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-12 Thread Erwann Abalea
Bonjour, Le 12 févr. 2016 à 01:11, Blumenthal, Uri - 0553 - MITLL > a écrit : Again, you are right, but what's the lesser evil‎ - being unable to use the new OpenSSL because it refuses to deal with the cert that some dim-witten TPM maker screwed up, or

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-12 Thread Erwann Abalea via RT
Bonjour, Le 12 févr. 2016 à 01:11, Blumenthal, Uri - 0553 - MITLL > a écrit : Again, you are right, but what's the lesser evil‎ - being unable to use the new OpenSSL because it refuses to deal with the cert that some dim-witten TPM maker screwed up, or

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-12 Thread Cristian Berneanu via RT
FYI, I checked other machines that have a TPM device manufactured by STM, but I could not find another with a serial number less than 20 bytes (I guess they do padding in that case). I also have a certificate from an Atmel device where I get a notice that the serial number is negative. For me

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Blumenthal, Uri - 0553 - MITLL
Testing the previous Github version of OpenSSL-1.1 produced encouraging results (notice the leading zero, right where it belongs): $ x=128; DYLD_LIBRARY_PATH=/Users/ur20980/src/openssl-1.1/lib ~/src/openssl-1.1/bin/openssl asn1parse -genstr "INTEGER:$x" -out d.der && hexdump -C d.der 0:d=0

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Blumenthal, Uri - 0553 - MITLL
On 2/11/16, 14:29 , "openssl-dev on behalf of Salz, Rich" wrote: >If arbitrary leading zero's were allowed in DER, then the encoding >wouldn't be *distinguished*, i.e., unique. I am NOT talking about “arbitrary” leading zeros. I

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Blumenthal, Uri - 0553 - MITLL
>On Thu, Feb 11, 2016 at 12:47 AM, Stephen Henson via RT >wrote: >>On Wed Feb 10 21:59:12 2016, bcri...@gmail.com wrote: >>As the error is suggesting it doesn't like the serialNumber in the >>certificate. >> If you check it with asn1parse it says "BAD INTEGER". Using dumpasn1

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Viktor Dukhovni
> On Feb 11, 2016, at 2:46 PM, Blumenthal, Uri - 0553 - MITLL > wrote: > > Testing the previous Github version of OpenSSL-1.1 produced encouraging > results (notice the leading zero, right where it belongs): > > $ x=128; DYLD_LIBRARY_PATH=/Users/ur20980/src/openssl-1.1/lib >

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Salz, Rich
> Larmouth) that a leading zero *is* necessary and required for a positive > integer when its MSB is one (e.g., 0x80). In other cases it indeed does not > belong. Agreed. Perhaps I mis-read your note. Sorry. -- openssl-dev mailing list To unsubscribe:

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Blumenthal, Uri - 0553 - MITLL
>>On Feb 11, 2016, at 2:46 PM, Blumenthal, Uri - 0553 - MITLL >> wrote: >> >> Testing the previous Github version of OpenSSL-1.1 produced encouraging >> results (notice the leading zero, right where it belongs): >> >> $ x=128; DYLD_LIBRARY_PATH=/Users/ur20980/src/openssl-1.1/lib

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Salz, Rich
If arbitrary leading zero's were allowed in DER, then the encoding wouldn't be *distinguished*, i.e., unique. In BER, almost anything goes :) -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Richard Levitte
Let's put this to rest, shall we? : ; cat > checkasn1int.sh #! /bin/sh CMD="$@" for x in "3003 02011F" \ "3003 020180" \ "3004 0202001F" \ "3004 02020080"; do echo Trying sequence $x echo $x | xxd -r -ps | $CMD

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Erwann Abalea
Bonjour, Le 11 févr. 2016 à 20:25, Blumenthal, Uri - 0553 - MITLL > a écrit : On Thu, Feb 11, 2016 at 12:47 AM, Stephen Henson via RT > wrote: On Wed Feb 10 21:59:12 2016,

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Cristian Berneanu via RT
The EK certificate is generated and burned into the TPM during manufacturing. The extraction operation always returns the same certificate. On Thu, Feb 11, 2016 at 11:16 PM, Stephen Henson via RT wrote: > On Thu Feb 11 07:11:17 2016, bcri...@gmail.com wrote: > > This is the

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Peter Waltenberg
check all the little corner cases that it might expose. Peter From: "Blumenthal, Uri - 0553 - MITLL via RT" <r...@openssl.org> To: bcri...@gmail.com Cc: openssl-dev@openssl.org Date: 12/02/2016 10:13 Subject: Re: [openssl-dev] [openssl.org #4301] [BU

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Peter Waltenberg via RT
check all the little corner cases that it might expose. Peter From: "Blumenthal, Uri - 0553 - MITLL via RT" <r...@openssl.org> To: bcri...@gmail.com Cc: openssl-dev@openssl.org Date: 12/02/2016 10:13 Subject: Re: [openssl-dev] [openssl.org #4301] [BU

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Blumenthal, Uri - 0553 - MITLL via RT
Again, you are right, but what's the lesser evil‎ - being unable to use the new OpenSSL because it refuses to deal with the cert that some dim-witten TPM maker screwed up, or accept a certificate with a (minor) violation of DER (but not of BER)? What bad in your opinion could happen if OpenSSL

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Blumenthal, Uri - 0553 - MITLL
Again, you are right, but what's the lesser evil‎ - being unable to use the new OpenSSL because it refuses to deal with the cert that some dim-witten TPM maker screwed up, or accept a certificate with a (minor) violation of DER (but not of BER)? What bad in your opinion could happen if OpenSSL

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Blumenthal, Uri - 0553 - MITLL
penssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format On Thu Feb 11 21:38:18 2016, bcri...@gmail.com wrote: > The EK certificate is generated and burned into the TPM during > manufacturing. The extraction operation always returns the same certificate. >

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Blumenthal, Uri - 0553 - MITLL via RT
penssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format On Thu Feb 11 21:38:18 2016, bcri...@gmail.com wrote: > The EK certificate is generated and burned into the TPM during > manufacturing. The extraction operation always returns the same certificate. >

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Dr. Stephen Henson
On Thu, Feb 11, 2016, Blumenthal, Uri - 0553 - MITLL wrote: > ^ > Probably correct IN THIS ONE CASE, because Most Significant Bit is zero > even without the leading zero byte. See below. > > >>The problem is that is an invalid encoding. An ASN.1 INTEGER cannot >

[openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Stephen Henson via RT
On Thu Feb 11 07:11:17 2016, bcri...@gmail.com wrote: > This is the Endorsement Key certificate extracted from a TPM device. > Does it always do that or is this just an oddity? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see:

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Kurt Roeckx via RT
On Thu, Feb 11, 2016 at 10:53:25PM +, Blumenthal, Uri - 0553 - MITLL wrote: > Might I suggest that the right thing in this case would be to keep generation > strict, but relax the rules on parsing? "Be conservative in what you send, > and liberal with what you receive"? This might be good

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Kurt Roeckx
On Thu, Feb 11, 2016 at 10:53:25PM +, Blumenthal, Uri - 0553 - MITLL wrote: > Might I suggest that the right thing in this case would be to keep generation > strict, but relax the rules on parsing? "Be conservative in what you send, > and liberal with what you receive"? This might be good

[openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Stephen Henson via RT
On Thu Feb 11 21:38:18 2016, bcri...@gmail.com wrote: > The EK certificate is generated and burned into the TPM during > manufacturing. The extraction operation always returns the same certificate. > I meant do you have any other examples of this anomalous encoding or is it some rare glitch in

[openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-10 Thread Stephen Henson via RT
On Wed Feb 10 21:59:12 2016, bcri...@gmail.com wrote: > Version: "OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016" > > Command: "openssl x509 -inform der -in sample_ekcert.der" > > Result: > "unable to load certificate > 140618483803816:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal >

[openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-10 Thread Cristian Berneanu via RT
Version: "OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016" Command: "openssl x509 -inform der -in sample_ekcert.der" Result: "unable to load certificate 140618483803816:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:a_int.c:223: 140618483803816:error:0D08303A:asn1 encoding

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-10 Thread Cristian Berneanu via RT
This is the Endorsement Key certificate extracted from a TPM device. On Thu, Feb 11, 2016 at 12:47 AM, Stephen Henson via RT wrote: > On Wed Feb 10 21:59:12 2016, bcri...@gmail.com wrote: > > Version: "OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016" > > > > Command: "openssl x509