A quick observation. If my understanding is correct, the d2i_X509() function
is only for DER-encoded X509. Could you make sure that your 0.9.8's cert is
DER-encoded, not PEM-encoded? The cert file you are attaching is a
PEM-encoded file.



On Tue, Oct 25, 2011 at 9:41 AM, Nan Luo <luo.nan2...@gmail.com> wrote:

> Hi, I used to work with openssl-0.9.7, and all my certificates were
> generated by openssl-0.9.8. Openssl-0.9.7 works great with openssl-0.9.8's
> certificates, I never had issues in parsing, verification, ...... Recently I
> upgraded my application with openssl-1.0.0, I found that none of old
> openssl-0.9.8 certificates can be decoded properly. My application code
> calls API d2i_X509() to convert a DER (or PEM) certificate to an X509
> structure; the following is the error output:
>
> Oct 24 15:28:22.297 ASN1_item_d2i: entering
> Oct 24 15:28:22.297 ASN1_item_d2i: pval is NULL
> Oct 24 15:28:22.297 ASN1_item_ex_d2i: entering
> Oct 24 15:28:22.297 ASN1_item_ex_d2i: ASN1_ITYPE_SEQUENCE
> Oct 24 15:28:22.298 asn1_check_tlen: pclass=0, ptag=0
> Oct 24 15:28:22.298 asn1_check_tlen: ASN1_R_WRONG_TAG
> Oct 24 15:28:22.298 ASN1_item_ex_d2i: ERR_R_NESTED_ASN1_ERROR
> Oct 24 15:28:22.298 CertVerify:: cannot convert the DER cert to X509
>
> The problem certificate is attached. (This specific certificate
> was actually generated by openssl-1.0.0. All my openssl-0.9.8 certificates
> were having the same issue). I ran the following commands on this
> certificate, no command indicated error on the certificate:
>
> /usr/local/bin/openssl x509 -noout -text -in ssClient100.cert
> /usr/local/bin/openssl asn1parse -in ssClient100.cert
>
> /usr/local/bin/openssl x509 -noout -modulus -in ssClient100.cert
> /usr/local/bin/openssl rsa -noout -modulus -in ssClientKey100.pem
>
> I have been struggling with this error for several days. Your help is
> greatly appreciated.
>
>
> Thanks
> Nan
>
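
The DER/PEM distinction raised in the reply, as an added example (not code from this thread or from OpenSSL): it classifies a buffer by its leading bytes and recovers the DER bytes from PEM armor with no library. The function names and the sample input are constructed for illustration; inside an application, OpenSSL's PEM_read_bio_X509() does this decoding.

```c
#include <stddef.h>
#include <string.h>
enum cert_enc { ENC_DER, ENC_PEM, ENC_UNKNOWN };
static const char PEM_BEGIN[] = "-----BEGIN CERTIFICATE-----";
static const char PEM_END[]   = "-----END CERTIFICATE-----";
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Constructed sample, not a real certificate: DER bytes 30 03 02 01 05. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";

/* DER starts with the SEQUENCE tag 0x30; PEM armor starts with '-' (0x2D),
   which a DER-only parser rejects as a wrong tag. */
enum cert_enc cert_encoding(const unsigned char *buf, size_t len)
{
    if (len > 0 && buf[0] == 0x30)
        return ENC_DER;
    if (len >= sizeof(PEM_BEGIN) - 1 &&
        memcmp(buf, PEM_BEGIN, sizeof(PEM_BEGIN) - 1) == 0)
        return ENC_PEM;
    return ENC_UNKNOWN;
}

/* Decode the base64 between the armor lines into out[0..cap). Returns the DER
   length, or -1 on missing armor or a short buffer. Non-base64 bytes are skipped. */
long pem_to_der(const char *pem, unsigned char *out, size_t cap)
{
    const char *p = strstr(pem, PEM_BEGIN);
    const char *end = p ? strstr(p, PEM_END) : NULL;
    unsigned int acc = 0;   /* bit accumulator; only the low bits are used */
    int bits = 0;           /* number of not-yet-emitted bits in acc */
    size_t n = 0;
    if (!p || !end)
        return -1;
    for (p += sizeof(PEM_BEGIN) - 1; p < end; p++) {
        const char *q = memchr(B64, *p, 64);
        if (!q)
            continue;       /* newline, '=' padding or stray byte */
        acc = (acc << 6) | (unsigned int)(q - B64);
        bits += 6;
        if (bits < 8)
            continue;
        bits -= 8;
        if (n >= cap)
            return -1;
        out[n++] = (unsigned char)(acc >> bits);
    }
    return (long)n;
}
```

The buffer filled by pem_to_der() is the form a DER parser such as d2i_X509() takes; the original PEM text is not.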
