This is intended behaviour for the certificate in question, so closing this
ticket.
Matt
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe:
Bonjour,
Le 12 févr. 2016 à 01:11, Blumenthal, Uri - 0553 - MITLL
> a écrit :
Again, you are right, but what's the lesser evil - being unable to use the new
OpenSSL because it refuses to deal with the cert that some dim-witten TPM maker
screwed up, or
Bonjour,
Le 12 févr. 2016 à 01:11, Blumenthal, Uri - 0553 - MITLL
> a écrit :
Again, you are right, but what's the lesser evil - being unable to use the new
OpenSSL because it refuses to deal with the cert that some dim-witten TPM maker
screwed up, or
FYI, I checked other machines that have a TPM device manufactured by STM,
but I could not find another with a serial number less than 20 bytes (I
guess they do padding in that case).
I also have a certificate from an Atmel device where I get a notice that
the serial number is negative.
For me
Testing the previous Github version of OpenSSL-1.1 produced encouraging
results (notice the leading zero, right where it belongs):
$ x=128; DYLD_LIBRARY_PATH=/Users/ur20980/src/openssl-1.1/lib
~/src/openssl-1.1/bin/openssl asn1parse -genstr "INTEGER:$x" -out d.der &&
hexdump -C d.der
0:d=0
On 2/11/16, 14:29 , "openssl-dev on behalf of Salz, Rich"
wrote:
>If arbitrary leading zero's were allowed in DER, then the encoding
>wouldn't be *distinguished*, i.e., unique.
I am NOT talking about “arbitrary” leading zeros. I
>On Thu, Feb 11, 2016 at 12:47 AM, Stephen Henson via RT
>wrote:
>>On Wed Feb 10 21:59:12 2016, bcri...@gmail.com wrote:
>>As the error is suggesting it doesn't like the serialNumber in the
>>certificate.
>> If you check it with asn1parse it says "BAD INTEGER". Using dumpasn1
> On Feb 11, 2016, at 2:46 PM, Blumenthal, Uri - 0553 - MITLL
> wrote:
>
> Testing the previous Github version of OpenSSL-1.1 produced encouraging
> results (notice the leading zero, right where it belongs):
>
> $ x=128; DYLD_LIBRARY_PATH=/Users/ur20980/src/openssl-1.1/lib
>
> Larmouth) that a leading zero *is* necessary and required for a positive
> integer when its MSB is one (e.g., 0x80). In other cases it indeed does not
> belong.
Agreed. Perhaps I mis-read your note. Sorry.
--
openssl-dev mailing list
To unsubscribe:
>>On Feb 11, 2016, at 2:46 PM, Blumenthal, Uri - 0553 - MITLL
>> wrote:
>>
>> Testing the previous Github version of OpenSSL-1.1 produced encouraging
>> results (notice the leading zero, right where it belongs):
>>
>> $ x=128; DYLD_LIBRARY_PATH=/Users/ur20980/src/openssl-1.1/lib
If arbitrary leading zero's were allowed in DER, then the encoding wouldn't be
*distinguished*, i.e., unique.
In BER, almost anything goes :)
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Let's put this to rest, shall we?
: ; cat > checkasn1int.sh
#! /bin/sh
CMD="$@"
for x in "3003 02011F" \
"3003 020180" \
"3004 0202001F" \
"3004 02020080"; do
echo Trying sequence $x
echo $x | xxd -r -ps | $CMD
Bonjour,
Le 11 févr. 2016 à 20:25, Blumenthal, Uri - 0553 - MITLL
> a écrit :
On Thu, Feb 11, 2016 at 12:47 AM, Stephen Henson via RT
>
wrote:
On Wed Feb 10 21:59:12 2016,
The EK certificate is generated and burned into the TPM during
manufacturing. The extraction operation always returns the same certificate.
On Thu, Feb 11, 2016 at 11:16 PM, Stephen Henson via RT
wrote:
> On Thu Feb 11 07:11:17 2016, bcri...@gmail.com wrote:
> > This is the
check all the little corner cases that it might expose.
Peter
From: "Blumenthal, Uri - 0553 - MITLL via RT" <r...@openssl.org>
To: bcri...@gmail.com
Cc: openssl-dev@openssl.org
Date: 12/02/2016 10:13
Subject: Re: [openssl-dev] [openssl.org #4301] [BU
check all the little corner cases that it might expose.
Peter
From: "Blumenthal, Uri - 0553 - MITLL via RT" <r...@openssl.org>
To: bcri...@gmail.com
Cc: openssl-dev@openssl.org
Date: 12/02/2016 10:13
Subject: Re: [openssl-dev] [openssl.org #4301] [BU
Again, you are right, but what's the lesser evil - being unable to use the new
OpenSSL because it refuses to deal with the cert that some dim-witten TPM maker
screwed up, or accept a certificate with a (minor) violation of DER (but not of
BER)? What bad in your opinion could happen if OpenSSL
Again, you are right, but what's the lesser evil - being unable to use the new
OpenSSL because it refuses to deal with the cert that some dim-witten TPM maker
screwed up, or accept a certificate with a (minor) violation of DER (but not of
BER)? What bad in your opinion could happen if OpenSSL
penssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to
parse x509 certificate in DER format
On Thu Feb 11 21:38:18 2016, bcri...@gmail.com wrote:
> The EK certificate is generated and burned into the TPM during
> manufacturing. The extraction operation always returns the same certificate.
>
penssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to
parse x509 certificate in DER format
On Thu Feb 11 21:38:18 2016, bcri...@gmail.com wrote:
> The EK certificate is generated and burned into the TPM during
> manufacturing. The extraction operation always returns the same certificate.
>
On Thu, Feb 11, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
> ^
> Probably correct IN THIS ONE CASE, because Most Significant Bit is zero
> even without the leading zero byte. See below.
>
> >>The problem is that is an invalid encoding. An ASN.1 INTEGER cannot
>
On Thu Feb 11 07:11:17 2016, bcri...@gmail.com wrote:
> This is the Endorsement Key certificate extracted from a TPM device.
>
Does it always do that or is this just an oddity?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see:
On Thu, Feb 11, 2016 at 10:53:25PM +, Blumenthal, Uri - 0553 - MITLL wrote:
> Might I suggest that the right thing in this case would be to keep generation
> strict, but relax the rules on parsing? "Be conservative in what you send,
> and liberal with what you receive"?
This might be good
On Thu, Feb 11, 2016 at 10:53:25PM +, Blumenthal, Uri - 0553 - MITLL wrote:
> Might I suggest that the right thing in this case would be to keep generation
> strict, but relax the rules on parsing? "Be conservative in what you send,
> and liberal with what you receive"?
This might be good
On Thu Feb 11 21:38:18 2016, bcri...@gmail.com wrote:
> The EK certificate is generated and burned into the TPM during
> manufacturing. The extraction operation always returns the same certificate.
>
I meant do you have any other examples of this anomalous encoding or is it some
rare glitch in
On Wed Feb 10 21:59:12 2016, bcri...@gmail.com wrote:
> Version: "OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016"
>
> Command: "openssl x509 -inform der -in sample_ekcert.der"
>
> Result:
> "unable to load certificate
> 140618483803816:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal
>
Version: "OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016"
Command: "openssl x509 -inform der -in sample_ekcert.der"
Result:
"unable to load certificate
140618483803816:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal
padding:a_int.c:223:
140618483803816:error:0D08303A:asn1 encoding
This is the Endorsement Key certificate extracted from a TPM device.
On Thu, Feb 11, 2016 at 12:47 AM, Stephen Henson via RT
wrote:
> On Wed Feb 10 21:59:12 2016, bcri...@gmail.com wrote:
> > Version: "OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016"
> >
> > Command: "openssl x509
28 matches
Mail list logo