openssl: asn1parse: "Error in encoding" in freshly created certificate (all tested OpenSSL versions)

Tested with 1.1.0 tip, but it can be reproduced with 1.0.2h and even OS X bundled 0.9.8zh.

# Error
openssl req -new -subj '/O=1234567890/CN=123456789' -newkey rsa:2048 -nodes -keyout privkey1.pem > example1.csr
openssl x509 -req -in example1.csr -signkey privkey1.pem > example1.crt
# 'Error in encoding' at the end of 'example1.crt.asn1.txt'
# console: '140735153328128:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:crypto/asn1/asn1_lib.c:90:'
openssl asn1parse -in example1.crt > example1.crt.asn1.txt

# OK
openssl req -new -subj '/O=123456789/CN=123456789' -newkey rsa:2048 -nodes -keyout privkey2.pem > example2.csr
openssl x509 -req -in example2.csr -signkey privkey2.pem > example2.crt
openssl asn1parse -in example2.crt > example2.crt.asn1.txt

The only difference between the two cases is a single '0' character removed from the -subj option argument in the second, error-free case. The error happens after dumping the whole ASN.1 structure with no apparent problems.

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 38 (21 by maintainers)

Most upvoted comments

I think there’s a real bug here, perhaps not a high priority one, but it is likely that either EVP_DecodeUpdate() in crypto/evp/encode.c, or b64_read() in crypto/evp/bio_b64.c is not quite right. A “-” character is designated as B64_EOF in the EVP_DecodeUpdate() code, but that seems to be forgotten when -----END CERTIFICATE----- or similar is split across an I/O boundary just right.

So we can keep the issue open to resolve after the 1.1.0 release. This certainly leads to rather unexpected behaviour.
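As an added example (not OpenSSL code and not posted in this thread), the following Python does by hand what the asn1parse PEM path does: strip the armour, base64-decode the body, and check the outer tag and length against the decoded buffer, reporting the same "too long" / "header too long" reasons that ASN1_get_object uses (the first being the error in the report above). A second decoder is fed the same PEM in reads of every size from 1 upward and must produce the same bytes regardless of where the read boundaries fall, which is the property the comment above says is lost when the END marker straddles an I/O boundary. The sample is a constructed SEQUENCE holding an OCTET STRING under an arbitrary "TEST" label, not a real certificate; all function names are this example's own.

```python
import base64

BEGIN, END = b"-----BEGIN ", b"-----END "

# Constructed sample, NOT a real certificate: a SEQUENCE holding a 300-byte OCTET
# STRING, so lengths are long-form and the body spans several 64-column lines.
SAMPLE_DER = b"\x30\x82\x01\x30" + b"\x04\x82\x01\x2c" + b"A" * 300


def der_to_pem(der: bytes, label: bytes = b"TEST") -> bytes:
    """PEM armour with 64-column body lines, the layout openssl itself writes."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return BEGIN + label + b"-----\n" + body + b"\n" + END + label + b"-----\n"


SAMPLE_PEM = der_to_pem(SAMPLE_DER)


def pem_to_der(pem: bytes) -> bytes:
    """Decode the first PEM block.  Only lines strictly between the markers
    reach base64, so a '-' is never mistaken for data or for end-of-input."""
    body, inside, closed = [], False, False
    for raw in pem.splitlines():
        line = raw.strip()
        if not inside:
            inside = line.startswith(BEGIN)
        elif line.startswith(END):
            closed = True
            break
        else:
            body.append(line)
    if not closed:
        raise ValueError("no complete PEM block found")
    return base64.b64decode(b"".join(body), validate=True)


def pem_to_der_chunked(reads) -> bytes:
    """pem_to_der() fed from reads of arbitrary size, as a filter BIO sees the
    file.  A partial line is held until its newline arrives, so a marker split
    across two reads is still recognised whole."""
    pending, body, inside = b"", [], False
    for chunk in reads:
        pending += chunk
        while (nl := pending.find(b"\n")) >= 0:
            line, pending = pending[:nl].strip(), pending[nl + 1:]
            if not inside:
                inside = line.startswith(BEGIN)
            elif line.startswith(END):
                return base64.b64decode(b"".join(body), validate=True)
            else:
                body.append(line)
    if inside and pending.strip().startswith(END):   # END line without newline
        return base64.b64decode(b"".join(body), validate=True)
    raise ValueError("no complete PEM block found")


def chunk_size_independent(pem: bytes, max_size: int) -> bool:
    """The property the comment above says is lost when the END marker
    straddles an I/O boundary: the result must not depend on read size."""
    expected = pem_to_der(pem)
    for n in range(1, max_size + 1):
        reads = (pem[i:i + n] for i in range(0, len(pem), n))
        if pem_to_der_chunked(reads) != expected:
            return False
    return True


def read_tlv_header(der: bytes, offset: int = 0):
    """One tag+length at `offset` -> (tag, header_len, content_len).  Errors
    mirror ASN1_get_object: 'header too long' when the header runs past the
    buffer, 'too long' when the declared length exceeds the bytes remaining."""
    omax, p = len(der), offset
    if p >= omax:
        raise ValueError("header too long")
    tag, p = der[p], p + 1
    if tag & 0x1F == 0x1F:                           # high-tag-number form
        while p < omax and der[p] & 0x80:
            p += 1
        p += 1
    if p >= omax:
        raise ValueError("header too long")
    first, p = der[p], p + 1
    if first == 0x80:
        raise ValueError("indefinite length")         # BER only, never DER
    if first & 0x80:                                 # long form, N length bytes
        nbytes = first & 0x7F
        if nbytes > 4 or p + nbytes > omax:
            raise ValueError("header too long")
        length, p = int.from_bytes(der[p:p + nbytes], "big"), p + nbytes
    else:
        length = first
    if length > omax - p:
        raise ValueError("too long")
    return tag, p - offset, length


def describe(der: bytes) -> str:
    """'ok' when one outer object exactly fills the buffer, else the reason."""
    try:
        _tag, hlen, clen = read_tlv_header(der)
    except ValueError as err:
        return str(err)
    return "ok" if hlen + clen == len(der) else "trailing data"
```

Running `describe(pem_to_der(data))` over a file such as the example1.crt from the report is a quick way to separate the two possible faults: "ok" here while `openssl asn1parse` still reports "too long" on the same file points at the reader (the base64 BIO path), not at the certificate's DER encoding; "too long" here as well would mean the file itself is truncated.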

This seems to work and does not use asn1parse at all.

openssl x509 -noout -pubkey -in cert.pem | openssl ec -pubin -outform d | dd ibs=26 skip=1 | openssl dgst -sha256

Tip: building with clang and configuring with enable-asan gives a pretty damn accurate crash trace

@vszakats thanks for reporting this issue and for your patience! (which finally is rewarded now 😉 )

@vszakats, using your two scripts from https://github.com/openssl/openssl/issues/1381#issuecomment-237077997, I verified that my patch solves your issue.

Without #5422 (OpenSSL 1.1.0h-dev)

$ openssl version

OpenSSL 1.1.0h-dev  xx XXX xxxx

$ ./ok.sh

+ cat
+ openssl req -new -config example2.config -newkey rsa:2048 -nodes -keyout privkey2.pem
Generating a 2048 bit RSA private key
.......................................+++
...........+++
writing new private key to 'privkey2.pem'
-----
+ openssl x509 -req -in example2.csr -signkey privkey2.pem
Signature ok
subject=O = 123456789, CN = 123456789
Getting Private key
+ openssl asn1parse -in example2.crt

$ ./failed.sh

+ cat
+ openssl req -new -config example1.config -newkey rsa:2048 -nodes -keyout privkey1.pem
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'privkey1.pem'
-----
+ openssl x509 -req -in example1.csr -signkey privkey1.pem
Signature ok
subject=O = 1234567890, CN = 123456789
Getting Private key
+ openssl asn1parse -in example1.crt
140466571556608:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:crypto/asn1/asn1_lib.c:91:

With Patch #5422 (master)

$ openssl version

OpenSSL 1.1.1-pre2-dev  xx XXX xxxx

$ ./ok.sh

+ openssl req -new -config example2.config -newkey rsa:2048 -nodes -keyout privkey2.pem
Generating a 2048 bit RSA private key
..........................................+++
.....................+++
writing new private key to 'privkey2.pem'
-----
+ openssl x509 -req -in example2.csr -signkey privkey2.pem
Signature ok
subject=O = 123456789, CN = 123456789
Getting Private key
+ openssl asn1parse -in example2.crt

$ ./failed.sh

+ openssl req -new -config example1.config -newkey rsa:2048 -nodes -keyout privkey1.pem
Generating a 2048 bit RSA private key
..............................+++
................................+++
writing new private key to 'privkey1.pem'
-----
+ openssl x509 -req -in example1.csr -signkey privkey1.pem
Signature ok
subject=O = 1234567890, CN = 123456789
Getting Private key
+ openssl asn1parse -in example1.crt