Re: openssl 1.0.0 d2i_X509() error ASN1_R_WRONG_TAG

Tue, 25 Oct 2011 11:47:22 -0700 

This is a snippet of my code that converts DER encoded X509 into OPENSSL
X509

        /* Convert X509 from DER to openssl X509 struct */
        X509 *x509CertificateTemp = NULL;
        const unsigned char *x509CertificateDERNext;

        x509CertificateDERNext = x509CertificateDER;
        if(d2i_X509(&x509CertificateTemp, &x509CertificateDERNext,
x509CertificateDERLen) == NULL)
        {
            printf("Error converting x509CertificateDER to OPENSSL X509\n");
        }
        else
        {
            retX509 = x509CertificateTemp;
        }


On Tue, Oct 25, 2011 at 9:41 AM, Nan Luo <luo.nan2...@gmail.com> wrote:

> Hi, I used to work with openssl-0.9.7, and all my certificates were
> generated by openssl-0.9.8. Openssl-0.9.7 works great with openssl-0.9.8's
> certificates, I never had issues in parsing, verification, ...... Recently I
> upgraded my application with openssl-1.0.0, I found that none of old
> openssl-0.9.8 certificates can be decoded properly. My application code
> calls API d2i_X509() to convert a DER (or PEM) certificate to a X509
> structure, following is the error output:
>
> Oct 24 15:28:22.297 ASN1_item_d2i: entering
> Oct 24 15:28:22.297 ASN1_item_d2i: pval is NULL
> Oct 24 15:28:22.297 ASN1_item_ex_d2i: entering
> Oct 24 15:28:22.297 ASN1_item_ex_d2i: ASN1_ITYPE_SEQUENCE
> Oct 24 15:28:22.298 asn1_check_tlen: pclass=0, ptag=0
> Oct 24 15:28:22.298 asn1_check_tlen: ASN1_R_WRONG_TAG
> Oct 24 15:28:22.298 ASN1_item_ex_d2i: ERR_R_NESTED_ASN1_ERROR
> Oct 24 15:28:22.298 CertVerify:: cannot convert the DER cert to X509
>
> The problem certificate is attached. (This specific certificate
> was actually generated by openssl-1.0.0. All my openssl-0.9.8 certificates
> were having the same issue). I ran the following commands on this
> certificate, no command indicated error on the certificate:
>
> /usr/local/bin/openssl x509 -noout -text -in ssClient100.cert
> /usr/local/bin/openssl asn1parse -in ssClient100.cert
>
> /usr/local/bin/openssl x509 -noout -modulus -in ssClient100.cert
> /usr/local/bin/openssl rsa -noout -modulus -in ssClientKey100.pem
>
> I have been struggling with this error for several days. Your help is
> greatly appreciated.
>
>
> Thanks
> Nan
>

Reply via email to