Thanks to both Erwin and Steve
This indeed helps. My old malfunctioned code looks like this:
unsigned char *p;
p = (unsigned char*)pCertificate;
pX509 = d2i_X509(NULL, reinterpret_cast<const unsigned char **>(p),
certLength);
After I changed the code to:
const unsigned char *p = (const unsigned char*)pCertificate;
pX509 = d2i_X509(NULL, &p, certLength);
Everything works fine now
Thanks again
Nan
On Tue, Oct 25, 2011 at 2:44 PM, Erwin Himawan <ehima...@gmail.com> wrote:
> This is a snippet of my code that converts DER encoded X509 into OPENSSL
> X509
>
> /* Convert X509 from DER to openssl X509 struct */
> X509 *x509CertificateTemp = NULL;
> const unsigned char *x509CertificateDERNext;
>
> x509CertificateDERNext = x509CertificateDER;
> if(d2i_X509(&x509CertificateTemp, &x509CertificateDERNext,
> x509CertificateDERLen) == NULL)
> {
> printf("Error converting x509CertificateDER to OPENSSL
> X509\n");
> }
> else
> {
> retX509 = x509CertificateTemp;
> }
>
>
> On Tue, Oct 25, 2011 at 9:41 AM, Nan Luo <luo.nan2...@gmail.com> wrote:
>
>> Hi, I used to work with openssl-0.9.7, and all my certificates were
>> generated by openssl-0.9.8. Openssl-0.9.7 works great with openssl-0.9.8's
>> certificates, I never had issues in parsing, verification, ...... Recently
>> I upgraded my application with openssl-1.0.0, I found that none of old
>> openssl-0.9.8 certificates can be decoded properly. My application code
>> calls API d2i_X509() to convert a DER (or PEM) certificate to a X509
>> structure, following is the error output:
>>
>> Oct 24 15:28:22.297 ASN1_item_d2i: entering
>> Oct 24 15:28:22.297 ASN1_item_d2i: pval is NULL
>> Oct 24 15:28:22.297 ASN1_item_ex_d2i: entering
>> Oct 24 15:28:22.297 ASN1_item_ex_d2i: ASN1_ITYPE_SEQUENCE
>> Oct 24 15:28:22.298 asn1_check_tlen: pclass=0, ptag=0
>> Oct 24 15:28:22.298 asn1_check_tlen: ASN1_R_WRONG_TAG
>> Oct 24 15:28:22.298 ASN1_item_ex_d2i: ERR_R_NESTED_ASN1_ERROR
>> Oct 24 15:28:22.298 CertVerify:: cannot convert the DER cert to X509
>>
>> The problem certificate is attached. (This specific certificate
>> was actually generated by openssl-1.0.0. All my openssl-0.9.8 certificates
>> were having the same issue). I ran the following commands on this
>> certificate, no command indicated error on the certificate:
>>
>> /usr/local/bin/openssl x509 -noout -text -in ssClient100.cert
>> /usr/local/bin/openssl asn1parse -in ssClient100.cert
>>
>> /usr/local/bin/openssl x509 -noout -modulus -in ssClient100.cert
>> /usr/local/bin/openssl rsa -noout -modulus -in ssClientKey100.pem
>>
>> I have been struggling with this error for several days. Your help is
>> greatly appreciated.
>>
>>
>> Thanks
>> Nan
>>
>
>
