Thank you, Erwin, for your quick response. I actually had tried the same
certificate using DER format too; the same decoding error was spilled. I
used the following command to convert this certificate from PEM to DER:

/usr/local/bin/openssl x509 -in ssClient100.cert -inform PEM -outform DER
-out ssClient100.der

The ssClient100.der is attached, and d2i_X509() cannot decode this format
either, with the same ASN1_R_WRONG_TAG error. From what I can tell from the
debug printing, asn1_check_tlen() (called inside d2i_X509()) was
expecting a tag value of 16 for the ASN1_ITYPE_SEQUENCE; however, a tag
value of 0 was read from the certificate, thus the wrong tag error was
spilled out. I don't have any idea how a tag value of 0 can be read from
the certificate in openssl-1.0.0. The tag value was read properly in
openssl-0.9.7, and I don't see obvious changes in asn1_check_tlen() (and
associated routines) between openssl-1.0.0 and openssl-0.9.7.

Thanks
Nan

On Tue, Oct 25, 2011 at 11:35 AM, Erwin Himawan <ehima...@gmail.com> wrote:

> A quick observation.  If my understanding is correct, the d2i_X509()
> function is only for DER-encoded X509.  Could you make sure that your
> 0.9.8 cert is DER-encoded, not PEM-encoded? The cert file you are
> attaching is a PEM-encoded file.
>
>
>
> On Tue, Oct 25, 2011 at 9:41 AM, Nan Luo <luo.nan2...@gmail.com> wrote:
>
>> Hi, I used to work with openssl-0.9.7, and all my certificates were
>> generated by openssl-0.9.8. Openssl-0.9.7 works great with openssl-0.9.8's
>> certificates; I never had issues in parsing, verification, ...... Recently
>> I upgraded my application with openssl-1.0.0, and I found that none of the old
>> openssl-0.9.8 certificates can be decoded properly. My application code
>> calls the API d2i_X509() to convert a DER (or PEM) certificate to an X509
>> structure; following is the error output:
>>
>> Oct 24 15:28:22.297 ASN1_item_d2i: entering
>> Oct 24 15:28:22.297 ASN1_item_d2i: pval is NULL
>> Oct 24 15:28:22.297 ASN1_item_ex_d2i: entering
>> Oct 24 15:28:22.297 ASN1_item_ex_d2i: ASN1_ITYPE_SEQUENCE
>> Oct 24 15:28:22.298 asn1_check_tlen: pclass=0, ptag=0
>> Oct 24 15:28:22.298 asn1_check_tlen: ASN1_R_WRONG_TAG
>> Oct 24 15:28:22.298 ASN1_item_ex_d2i: ERR_R_NESTED_ASN1_ERROR
>> Oct 24 15:28:22.298 CertVerify:: cannot convert the DER cert to X509
>>
>> The problem certificate is attached. (This specific certificate
>> was actually generated by openssl-1.0.0. All my openssl-0.9.8 certificates
>> were having the same issue). I ran the following commands on this
>> certificate, no command indicated error on the certificate:
>>
>> /usr/local/bin/openssl x509 -noout -text -in ssClient100.cert
>> /usr/local/bin/openssl asn1parse -in ssClient100.cert
>>
>> /usr/local/bin/openssl x509 -noout -modulus -in ssClient100.cert
>> /usr/local/bin/openssl rsa -noout -modulus -in ssClientKey100.pem
>>
>> I have been struggling with this error for several days. Your help is
>> greatly appreciated.
>>
>>
>> Thanks
>> Nan
>>
>
>

Attachment: ssClient100.der
Description: Binary data
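
The log quoted in the thread reports pclass=0, ptag=0 where a universal SEQUENCE (tag 16) was expected. As an added example that is not part of the original thread or of OpenSSL's code, this standalone C check decodes the first identifier and length octets of a buffer the way a DER decoder would, so a caller can log what it is about to pass to d2i_X509(). All type, function and sample names are hypothetical, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example; all names are hypothetical, not OpenSSL API. */
enum buf_kind { BUF_DER_SEQUENCE, BUF_PEM_TEXT, BUF_WRONG_TAG, BUF_MALFORMED };
struct tlv_hdr { int cls, constructed, tag; size_t hdr_len, len; };

/* Constructed sample inputs (not the certificate from the thread). */
const unsigned char sample_der[]  = { 0x30, 0x03, 0x02, 0x01, 0x05 }; /* SEQUENCE { INTEGER 5 } */
const unsigned char sample_zero[] = { 0x00, 0x00, 0x00, 0x00 };       /* zeroed buffer */
const unsigned char sample_cut[]  = { 0x30, 0x82, 0x03 };             /* length octets cut off */
const unsigned char sample_pem[]  = "-----BEGIN CERTIFICATE-----\nMIIB";

/* Decode one identifier + length header (low-tag-number form, definite length). */
static int parse_tlv_header(const unsigned char *p, size_t n, struct tlv_hdr *h)
{
    size_t i, nlen;
    if (n < 2) return -1;
    h->cls = p[0] >> 6;               /* 0 = universal class */
    h->constructed = (p[0] >> 5) & 1;
    h->tag = p[0] & 0x1f;             /* 16 = SEQUENCE */
    if (h->tag == 0x1f) return -1;    /* high-tag-number form: not handled here */
    if (p[1] < 0x80) { h->len = p[1]; h->hdr_len = 2; return 0; }
    nlen = p[1] & 0x7f;               /* long form: count of length octets */
    if (nlen == 0 || nlen > sizeof(size_t) || n < 2 + nlen) return -1;
    for (h->len = 0, i = 0; i < nlen; i++) h->len = (h->len << 8) | p[2 + i];
    h->hdr_len = 2 + nlen;
    return 0;
}

/* Classify a buffer before DER decoding; *h holds the decoded header fields. */
enum buf_kind classify_cert_buffer(const unsigned char *buf, size_t n, struct tlv_hdr *h)
{
    memset(h, 0, sizeof *h);
    if (n >= 11 && memcmp(buf, "-----BEGIN ", 11) == 0) return BUF_PEM_TEXT;
    if (parse_tlv_header(buf, n, h) != 0) return BUF_MALFORMED;
    if (h->cls != 0 || !h->constructed || h->tag != 16) return BUF_WRONG_TAG;
    if (h->len > n - h->hdr_len) return BUF_MALFORMED; /* content runs past buffer */
    return BUF_DER_SEQUENCE;
}

int main(void)
{
    struct tlv_hdr h;
    enum buf_kind k = classify_cert_buffer(sample_zero, sizeof sample_zero, &h);
    printf("kind=%d class=%d tag=%d\n", (int)k, h.cls, h.tag);
    return 0;
}
```

Logging the class, tag and length from this check next to the decoder's own error shows whether the bytes reaching the decoder are the bytes in the file.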
