Dave, thanks very much for the detailed analysis. You were exactly right: I was writing the cert to the file system as a text file, not a binary file.
thanks again!
dutch

Dave Thompson-4 wrote:
>
>> From: owner-openssl-us...@openssl.org On Behalf Of dutchman1
>> Sent: Friday, 06 November, 2009 09:11
>
>> thanks for your reply. The cert was located on a hardware
>> device and I'm trying to write it to file through C code so
>> something might be lost in translation. I've attached the cert
>> to the Post.
>
>> Dave Thompson-4 wrote:
> <snip>
>> > No you couldn't parse it; you got the same error right there.
>> > Dump the file (usually easiest in hex) and look at that point
>> > (the second part of issuer DN). If you don't understand it,
>> > post a readable dump, or the exact file as an attachment.
>> >
>> > Usual suspect: was this cert generated on the system where you
>> > are using it, or copied from somewhere else, and if so how --
>> > FTP, SFTP, rcp, scp, NFS, SMB, HTTP, email, PKCS7/CMS/SMIME, etc. --
>> > and is the original copy usable?
>
>> http://old.nabble.com/file/p26230528/cert1.txt cert1.txt
> (and cert1.zip in a subsequent message)
>
> Aside: bizarrely, when I try to access those URLs with IE6,
> it claims "site unavailable or not found", but with a debug
> proxy (webscarab) in place, I see successful connections
> and 200 responses that look entirely reasonable to me, and
> webscarab -- which is fairly picky -- doesn't complain.
> The first one is marked as text/plain when it isn't, which
> would mess up rendering, but shouldn't disclaim any response;
> the second one is marked as application/zip with charset=utf-8 added,
> which is superfluous for that type but should just be ignored.
> Well, I got the response body from webscarab and used that.
>
> 0000 30 82 03 90 30 82 02 78 A0 03 02 01 02 02 07 01 0...0..x........
> 0010 00 23 ED 2E 89 7A 30 0D 06 09 2A 86 48 86 F7 0D .#...z0...*.H...
> 0020 01 01 05 05 00 30 7B 31 0B 30 09 06 03 55 04 06 .....0{1.0...U..
> 0030 13 02 55 53 31 17 30 15 06 03 55 04 0D 0A 13 0E ..US1.0...U.....
> 0040 4D 6F 74 6F 72 6F 6C 61 2C 20 49 6E 63 2E 31 2B Motorola, Inc.1+
> 0050 30 29 06 03 55 04 0B 13 22 57 69 4D 41 58 20 44 0)..U..."WiMAX D
> 0060 65 76 69 63 65 20 43 65 72 74 69 66 69 63 61 74 evice Certificat
> 0070 65 20 41 75 74 68 6F 72 69 74 79 31 26 30 24 06 e Authority1&0$.
> 0080 03 55 04 03 13 1D 4D 6F 74 6F 72 6F 6C 61 20 57 .U....Motorola W
> 0090 69 4D 41 58 20 44 65 76 69 63 65 20 52 6F 6F 74 iMAX Device Root
> 00A0 20 43 41 30 1E 17 0D 30 39 30 34 31 34 31 38 34 CA0...090414184
> 00B0 31 31 35 5A 17 0D 33 39 30 34 31 34 31 38 34 31 115Z..3904141841
> 00C0 31 35 5A 30 72 31 0B 30 09 06 03 55 04 06 13 02 15Z0r1.0...U....
> 00D0 55 53 31 17 30 15 06 03 55 04 0D 0A 13 0E 4D 6F US1.0...U.....Mo
> 00E0 74 6F 72 6F 6C 61 2C 20 49 6E 63 2E 31 15 30 13 torola, Inc.1.0.
> 00F0 06 03 55 04 0B 13 0C 57 69 4D 41 58 20 44 65 76 ..U....WiMAX Dev
> 0100 69 63 65 31 1C 30 1A 06 03 55 04 0B 13 13 4D 6F ice1.0...U....Mo
> 0110 74 6F 72 6F 6C 61 20 50 4B 49 20 43 65 6E 74 65 torola PKI Cente
> 0120 72 31 15 30 13 06 03 55 04 03 13 0C 30 30 32 33 r1.0...U....0023
> 0130 45 44 32 45 38 39 37 41 30 81 9F 30 0D 06 09 2A ED2E897A0..0...*
> 0140 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 .H............0.
> 0150 89 02 81 81 00 C1 53 87 1C D0 7F 1A CA EE AE BD ......S.........
> 0160 78 06 AF EB 19 97 53 99 36 16 CB BC A8 0C 2D CF x.....S.6.....-.
> 0170 EC 55 2C CF D3 FA 33 AA B3 DE 52 B6 0D 8C 01 A9 .U,...3...R.....
> 0180 BF CE 5F 5E 9E 84 32 AF DF 6E A1 92 36 65 AC 7A .._^..2..n..6e.z
> 0190 62 C4 33 97 5C 71 52 68 29 CB 71 BF AF CE 2A E4 b.3.\qRh).q...*.
> 01A0 03 EF 8E CA CA CE 37 87 BA 7E 55 4A 85 47 12 FE ......7..~UJ.G..
> 01B0 D1 76 43 F8 21 56 7B 5B C7 F8 8D C8 A7 87 E8 16 .vC.!V{[........
> 01C0 EF A1 AA F8 5C 7E 78 F9 93 C4 82 61 8A C8 69 AF ....\~x....a..i.
> 01D0 6B 1B 36 9D 75 02 03 01 00 01 A3 81 A5 30 81 A2 k.6.u........0..
> 01E0 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 05 A0 0...U...........
> 01F0 30 20 06 03 55 1D 25 01 01 FF 04 16 30 14 06 08 0 ..U.%.....0...
> 0200 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 +.........+.....
> 0210 03 01 30 1F 06 03 55 1D 23 04 18 30 16 80 14 74 ..0...U.#..0...t
> 0220 9F F6 2C 2B 60 80 53 17 79 A0 39 6D 77 84 FD BA ..,+`.S.y.9mw...
> 0230 D8 88 65 30 4D 06 03 55 1D 1F 04 46 30 44 30 42 ..e0M..U...F0D0B
> 0240 A0 40 A0 3E 86 3C 68 74 74 70 3A 2F 2F 77 77 77 ....@.>.<http://www
> 0250 2E 61 74 73 65 63 65 6E 67 2E 63 6F 6D 2F 43 52 .atseceng.com/CR
> 0260 4C 2F 4D 6F 74 6F 57 69 4D 41 58 44 65 76 69 63 L/MotoWiMAXDevic
> 0270 65 52 6F 6F 74 43 41 2F 64 65 76 69 63 65 2E 63 eRootCA/device.c
> 0280 72 6C 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 rl0...*.H.......
> 0290 00 03 82 01 01 00 06 CB E8 3F 5B F0 1E A1 9C 04 .........?[.....
> 02A0 73 67 88 C2 6B D0 3A BF F7 E8 30 C3 DE FE 29 6D sg..k.:...0...)m
> 02B0 B9 E5 45 C2 FE 92 2D 29 7B 7E 34 E8 8B 38 08 A2 ..E...-){~4..8..
> 02C0 3E 17 84 41 17 1B 40 62 86 A6 26 77 F4 5A BF BC >.....@b..&w.Z..
> 02D0 DA 90 0B AE 41 5C D7 BB 3E E5 5D E8 2B B8 44 36 ....A\..>.].+.D6
> 02E0 5F 43 E9 CF A5 47 07 6B 2C 27 B2 A2 D1 E0 D2 C3 _C...G.k,'......
> 02F0 D8 AE C9 CA F5 50 A4 BF 26 D9 CA EE CE 5F A1 83 .....P..&...._..
> 0300 53 EC 84 55 A8 7C 73 16 92 EC DD F8 E6 0F 08 4E S..U.|s........N
> 0310 A8 ED 52 CB 64 35 ED 97 21 2C C0 AC 84 FB 0D 0A ..R.d5..!,......
> 0320 E2 DE 0D 0A F3 EF A0 87 DF 7C 6F 57 99 B4 F3 0B .........|oW....
> 0330 1D CC 22 D0 00 9C 48 F8 B8 25 E9 6E 58 4F 4E A9 .."...H..%.nXON.
> 0340 52 79 D3 96 E2 E3 CA 31 B1 53 0B 7C 84 14 39 27 Ry.....1.S.|..9'
> 0350 30 C4 7C DD EE C0 29 E2 24 C4 2E 06 88 61 FE E0 0.|...).$....a..
> 0360 50 E7 27 84 BB EE D2 F2 2A D8 7A 89 1A 22 CA 13 P.'.....*.z..."..
> 0370 65 28 F1 1D 43 36 3D 25 F6 7B 57 1F 1C 88 B3 DE e(..C6=%.{W.....
> 0380 94 3E 54 D8 61 2A E9 B1 9E 9B FB 45 87 BD 18 00 .>T.a*.....E....
> 0390 E8 95 F5 30 49 0E 84 14 ...0I...
>
> Right off, this cert is 4 bytes longer than its outermost TLV claims,
> so we know it's corrupted. Looking at 52=0x36 (in Issuer) we see
> 31 17 30 15 06 03 55 04 0D 0A 13 0E
> 4D 6F 74 6F 72 6F 6C 61 2C 20 49 6E 63 (2E)
> This is one byte longer than the TLV indicates, and an OID
> of 55 04 0A = Org makes more sense than 55 04 0D = description
> for "Motorola, Inc.".
> Similarly at 0xD2 in Subject, after a reasonable validity.
> Following that are valid pubkey and extensions, and sigalg,
> but the sigval is 2 bytes longer than TLV claims and it
> contains (exactly) two 0A bytes each preceded by 0D.
>
> This is exactly the symptom of a file being treated as text
> when it isn't, in particular by transfer protocols like (S)FTP
> and maybe HTTP, or other tools like ZIP. A Unix-style "newline"
> (0A) gets converted to a DOS/Win/Inet style CR LF (0D 0A).
> Similarly C internally uses one byte '\n' newline, but *ON
> DOS/Win* textfiles use CRLF, so fopen/fwrite/etc. *in text mode*
> converts 0A to 0D0A on output, and 0D0A to 0A on input.
> If you are running your C program on DOS/Win, you need
> to open the file in binary mode i.e. fopen (foo, "wb").
> (But if you're running *on cygwin on Win*, it's more
> complicated; cygwin tries to bridge the gap between Unix-format
> and Win-format, AFAIK mostly by 'mount' options.)
> Even on other platforms it is good to specify this for
> clarity/documentation/robustness even if not strictly needed.
> As a check it should be 916=0x394 bytes.
>
> Alternatively, if you *want* a text file, which is usually
> more portable and human recognizable: get the cert data,
> base64 it and add the -----BEGIN/END lines to make it
> PEM format, and write (and read) that as text.
>
> Removing the 4 spurious 0D's gives a cert (file) that
> successfully parses/decodes as:
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             01:00:23:ed:2e:89:7a
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, O=Motorola, Inc., OU=WiMAX Device Certificate Authority, CN=Motorola WiMAX Device Root CA
>         Validity
>             Not Before: Apr 14 18:41:15 2009 GMT
>             Not After : Apr 14 18:41:15 2039 GMT
>         Subject: C=US, O=Motorola, Inc., OU=WiMAX Device, OU=Motorola PKI Center, CN=0023ED2E897A
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:c1:53:87:1c:d0:7f:1a:ca:ee:ae:bd:78:06:af:
>                     eb:19:97:53:99:36:16:cb:bc:a8:0c:2d:cf:ec:55:
>                     2c:cf:d3:fa:33:aa:b3:de:52:b6:0d:8c:01:a9:bf:
>                     ce:5f:5e:9e:84:32:af:df:6e:a1:92:36:65:ac:7a:
>                     62:c4:33:97:5c:71:52:68:29:cb:71:bf:af:ce:2a:
>                     e4:03:ef:8e:ca:ca:ce:37:87:ba:7e:55:4a:85:47:
>                     12:fe:d1:76:43:f8:21:56:7b:5b:c7:f8:8d:c8:a7:
>                     87:e8:16:ef:a1:aa:f8:5c:7e:78:f9:93:c4:82:61:
>                     8a:c8:69:af:6b:1b:36:9d:75
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Extended Key Usage: critical
>                 TLS Web Client Authentication, TLS Web Server Authentication
>             X509v3 Authority Key Identifier:
>                 keyid:74:9F:F6:2C:2B:60:80:53:17:79:A0:39:6D:77:84:FD:BA:D8:88:65
>
>             X509v3 CRL Distribution Points:
>                 URI:http://www.atseceng.com/CRL/MotoWiMAXDeviceRootCA/device.crl
>
>     Signature Algorithm: sha1WithRSAEncryption
>         06:cb:e8:3f:5b:f0:1e:a1:9c:04:73:67:88:c2:6b:d0:3a:bf:
>         f7:e8:30:c3:de:fe:29:6d:b9:e5:45:c2:fe:92:2d:29:7b:7e:
>         34:e8:8b:38:08:a2:3e:17:84:41:17:1b:40:62:86:a6:26:77:
>         f4:5a:bf:bc:da:90:0b:ae:41:5c:d7:bb:3e:e5:5d:e8:2b:b8:
>         44:36:5f:43:e9:cf:a5:47:07:6b:2c:27:b2:a2:d1:e0:d2:c3:
>         d8:ae:c9:ca:f5:50:a4:bf:26:d9:ca:ee:ce:5f:a1:83:53:ec:
>         84:55:a8:7c:73:16:92:ec:dd:f8:e6:0f:08:4e:a8:ed:52:cb:
>         64:35:ed:97:21:2c:c0:ac:84:fb:0a:e2:de:0a:f3:ef:a0:87:
>         df:7c:6f:57:99:b4:f3:0b:1d:cc:22:d0:00:9c:48:f8:b8:25:
>         e9:6e:58:4f:4e:a9:52:79:d3:96:e2:e3:ca:31:b1:53:0b:7c:
>         84:14:39:27:30:c4:7c:dd:ee:c0:29:e2:24:c4:2e:06:88:61:
>         fe:e0:50:e7:27:84:bb:ee:d2:f2:2a:d8:7a:89:1a:22:ca:13:
>         65:28:f1:1d:43:36:3d:25:f6:7b:57:1f:1c:88:b3:de:94:3e:
>         54:d8:61:2a:e9:b1:9e:9b:fb:45:87:bd:18:00:e8:95:f5:30:
>         49:0e:84:14
> (although I can't verify it without the parent cert).
> (On the good side, the CA is apparently fixed for y2.038k!)
>
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>

--
View this message in context: http://old.nabble.com/ASN1_get_object%3Atoo-long-tp26163582p26292424.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
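The length check Dave describes (outer TLV size versus actual byte count) and the CR LF undo, as an added C example that is not code from this thread or from OpenSSL. It parses both short-form and long-form DER lengths, so it covers the 30 82 03 90 header from the dump above as well as small test blobs; the sample bytes and all function names are constructed for this example.

```c
#include <string.h>

/* Return the outermost TLV's total encoded size (header + content),
 * or 0 if the tag/length header cannot be parsed (multi-byte tag,
 * indefinite length, or a length field running past the buffer). */
size_t der_outer_size(const unsigned char *p, size_t n) {
    size_t i, len = 0, nb;
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return 0;
    if (p[1] < 0x80) return 2 + p[1];                 /* short-form length */
    nb = p[1] & 0x7f; i = 2;                          /* long form: nb length bytes */
    if (nb == 0 || nb > sizeof(size_t) || i + nb > n) return 0;
    for (size_t k = 0; k < nb; k++) len = (len << 8) | p[i++];
    return i + len;
}

/* Bytes by which the buffer exceeds what the TLV claims (the "4 bytes
 * longer than its outermost TLV claims" check); -1 if header unusable. */
long der_excess(const unsigned char *p, size_t n) {
    size_t want = der_outer_size(p, n);
    return want ? (long)n - (long)want : -1;
}

/* Copy in -> out, collapsing every 0D 0A pair to 0A (undoing a Windows
 * text-mode write). Only valid if the original DER had no CR LF of its own. */
size_t strip_crlf(const unsigned char *in, size_t n, unsigned char *out) {
    size_t r, w = 0;
    for (r = 0; r < n; r++) {
        if (in[r] == 0x0D && r + 1 < n && in[r + 1] == 0x0A) continue;
        out[w++] = in[r];
    }
    return w;
}

/* Repaired length if the excess is fully explained by CRLF expansion, else 0. */
size_t repair_if_crlf_damaged(const unsigned char *in, size_t n, unsigned char *out) {
    long excess = der_excess(in, n);
    if (excess < 0) return 0;
    if (excess == 0) { memcpy(out, in, n); return n; }
    size_t m = strip_crlf(in, n, out);
    return der_excess(out, m) == 0 ? m : 0;
}

/* Constructed sample: SEQUENCE { OCTET STRING 0A 41 0A } (7 bytes), and the
 * same bytes after a text-mode write expanded each 0A into 0D 0A (9 bytes). */
const unsigned char sample_good[] = {0x30,0x05,0x04,0x03,0x0A,0x41,0x0A};
const unsigned char sample_bad[]  = {0x30,0x05,0x04,0x03,0x0D,0x0A,0x41,0x0D,0x0A};
const unsigned char thread_hdr[]  = {0x30,0x82,0x03,0x90};  /* first 4 bytes of the dump above */
unsigned char repaired[sizeof sample_bad];
size_t demo_repair(void) { return repair_if_crlf_damaged(sample_bad, sizeof sample_bad, repaired); }
```

For the real file, read it with fopen(..., "rb") and compare der_excess() against 0; a positive excess equal to the number of 0D 0A pairs is the text-mode signature, and the repair should only be trusted if the outcome then parses with openssl.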