Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi, I used X509_add1_ext_i2d(x509Cert, NID_subject_key_identifier, keyid, 0, 0); to set the SKID value and it works now!! Thanks for all the help!! -Ujwal
RE: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi,

I modified the code as you mentioned, I am just trying to verify if signing the certificate using private key works. I signed the certificate using private key. But I still get the same error from CMS_verify. It complains about "signer certificate not found". Is this the right way to create the self-signed dummy certificate? It seems to behave exactly the same way as before. Please find the modified code below (just added a block of code for signing the cert). Also I printed the certificate for reference.

-Ujwal

    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: dsaWithSHA1
        Issuer:
        Validity
            Not Before: Feb 3 20:02:06 2010 GMT
            Not After : Feb 3 20:02:06 2011 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
    Signature Algorithm: dsaWithSHA1

    //COPY the DSA params and public keys from const char arrays into DSA structure
    DSA *dsaParams = DSA_new();
    dsaParams->g = BN_new();
    dsaParams->p = BN_new();
    dsaParams->q = BN_new();
    dsaParams->pub_key = BN_new();
    BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof(uLicenseCheckG), dsaParams->g);
    BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof(uLicenseCheckP), dsaParams->p);
    BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof(uLicenseCheckQ), dsaParams->q);
    BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof(uLicenseCheckY), dsaParams->pub_key);

    //Create a EVP_PKEY to use in creating a certificate
    EVP_PKEY *evpTemp = EVP_PKEY_new();
    EVP_PKEY_assign_DSA(evpTemp, dsaParams);

    //Create a CMS content info structure out of the license key
    CMS_ContentInfo *cms = NULL;
    BIO *bioBuff = BIO_new_mem_buf((char *)nBytes, nCountOfBytes);
    BIO_set_mem_eof_return(bioBuff, 0);
    cms = d2i_CMS_bio(bioBuff, NULL); // i believe this finds the end of ASN1 data

    STACK_OF(CMS_SignerInfo) *sinfos;
    CMS_SignerInfo *si;
    sinfos = CMS_get0_SignerInfos(cms);
    si = sk_CMS_SignerInfo_value(sinfos, 0);
    ASN1_OCTET_STRING* keyid;
    X509_NAME* issuer;
    ASN1_INTEGER* sno;
    int rc = CMS_SignerInfo_get0_signer_id(si, &keyid, &issuer, &sno); //USE THIS KEYID TO SET THE x509Cert->skid VALUE
    printf ("si: %d %p %p %p\n", rc, keyid, issuer, sno);

    //create a x509 cert with above DSA params and public key and skid
    X509 *x509Cert = X509_new();
    X509_set_version(x509Cert, 2);
    ASN1_INTEGER_set(X509_get_serialNumber(x509Cert), 0);
    x509Cert->skid = ASN1_OCTET_STRING_dup(keyid);
    X509_gmtime_adj(X509_get_notBefore(x509Cert), 0);
    X509_gmtime_adj(X509_get_notAfter(x509Cert), (long) 60*60*24*365);
    int error = X509_set_pubkey(x509Cert, evpTemp);
    if (!error) { // X509_set_pubkey returns 1 on success, 0 on failure
        printf("set public key error: %s", ERR_error_st
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hmm, that could be a problem. This code is going to run on a box which is shipped to the customer. So I don't believe we want to ship these boxes with private keys in them :)

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi,

Thanks for all the help. I modified the code based on your comments. Basically, I am trying to verify a CMS data signed by a C# program. So I have the base 64 decoded CMS data stored as nBytes, a BYTE array. I have to verify the data (nBytes) using the DSA params and public key which is hard coded in the code as const char arrays (uLicenseCheckG, uLicenseCheckP, uLicenseCheckQ and uLicenseCheckY). I tried to verify even using the CMS_NO_CONTENT_VERIFY flag. CMS_verify() fails with error "signer certificate not found". I dug into the code and found that CMS_Verify() tries to copy the st (stack of x509 certs) to cms and fails? I am copying the skid value from the cms and creating the x509Cert using that so they match. I have noticed that the x509Cert->skid is becoming NULL after the call to CMS_verify(). Is there anything wrong with the x509 cert created above with the public key and DSA params and skid? Am I missing something? What else do I need to verify correctly? Please find the modified code below.

-Ujwal

    //COPY the DSA params and public keys from const char arrays into DSA structure
    DSA *dsaParams = DSA_new();
    dsaParams->g = BN_new();
    dsaParams->p = BN_new();
    dsaParams->q = BN_new();
    dsaParams->pub_key = BN_new();
    BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof(uLicenseCheckG), dsaParams->g);
    BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof(uLicenseCheckP), dsaParams->p);
    BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof(uLicenseCheckQ), dsaParams->q);
    BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof(uLicenseCheckY), dsaParams->pub_key);

    //Create a EVP_PKEY to use in creating a certificate
    EVP_PKEY *evpTemp = EVP_PKEY_new();
    EVP_PKEY_assign_DSA(evpTemp, dsaParams);

    //Create a CMS content info structure out of the license key
    CMS_ContentInfo *cms = NULL;
    BIO *bioBuff = BIO_new_mem_buf((char *)nBytes, nCountOfBytes);
    BIO_set_mem_eof_return(bioBuff, 0);
    cms = d2i_CMS_bio(bioBuff, NULL); // i believe this finds the end of ASN1 data

    STACK_OF(CMS_SignerInfo) *sinfos;
    CMS_SignerInfo *si;
    sinfos = CMS_get0_SignerInfos(cms);
    si = sk_CMS_SignerInfo_value(sinfos, 0);
    ASN1_OCTET_STRING* keyid;
    X509_NAME* issuer;
    ASN1_INTEGER* sno;
    int rc = CMS_SignerInfo_get0_signer_id(si, &keyid, &issuer, &sno); //USE THIS KEYID TO SET THE x509Cert->skid VALUE
    printf ("si: %d %p %p %p\n", rc, keyid, issuer, sno);

    //create a x509 cert with above DSA params and public key and skid
    X509 *x509Cert = X509_new();
    X509_set_version(x509Cert, 2);
    ASN1_INTEGER_set(X509_get_serialNumber(x509Cert), 0);
    x509Cert->skid = ASN1_OCTET_STRING_dup(keyid);
    X509_gmtime_adj(X509_get_notBefore(x509Cert), 0);
    X509_gmtime_adj(X509_get_notAfter(x509Cert), (long) 60*60*24*365);
    int error = X509_set_pubkey(x509Cert, evpTemp);
    if (!error) { // X509_set_pubkey returns 1 on success, 0 on failure
        printf("set public key error: %s", ERR_error_string(ERR_get_error(), NULL));
    }
    X509_print_fp(stdout, x509Cert);

    //create a stack of x509 cert to use it in CMS_verify
    STACK_OF(X509) *st = sk_X509_new_null();
    sk_X509_push(st, x509Cert);

    //x509Cert->skid is valid here
    printf ("skid: %p\n", x509Cert->skid);

    //It fails here with "signer certificate not found" error
    //Also tried using the CMS_NO_CONTENT_VERIFY
    int cmsVerify = CMS_verify(cms, st, NULL, NULL, NULL, CMS_NOINTERN|CMS_NO_SIGNER_CERT_VERIFY);
    unsigned long errortemp = ERR_get_error(); // error codes are unsigned long
    char errorbuff[256];
    ERR_error_string(errortemp, errorbuff);
    printf("countofbytes = %d, error num = %lu, and error = %s\n", nCountOfBytes, errortemp, errorbuff);

    //x509Cert->skid is in-valid here
    printf ("skid: %p\n", x509Cert->skid);
RE: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi,

Thanks for all the help. I see the same error when I am trying to create a x509 certificate using the DSA parameters g, p, q and public key y. These parameters are generated by the GetPublicKey API in C#. All the above parameters are BYTE arrays. Find the DSA parameters attached.

    ..
    //
    BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof(uLicenseCheckG), dsaParams->g);
    BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof(uLicenseCheckP), dsaParams->p);
    BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof(uLicenseCheckQ), dsaParams->q);
    BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof(uLicenseCheckY), dsaParams->pub_key);

    unsigned char *buff = NULL; // NULL lets i2d_DSA_PUBKEY allocate the output buffer
    int nLength;
    nLength = i2d_DSA_PUBKEY(dsaParams, &buff);

    X509 *x509Cert = X509_new();
    const unsigned char *p;
    p = buff;
    x509Cert = d2i_X509(NULL, &p, nLength); // Problem occurs here, x509Cert is NULL and the error is the same as before <--

    STACK_OF(X509) *st = sk_X509_new_null(); // I want to use this stack of x509 in CMS_verify
    sk_X509_push(st, x509Cert);

-Ujwal

From: Ujwal Chinthala
Sent: Wednesday, January 20, 2010 1:39 PM
To: 'st...@openssl.org'
Cc: 'openssl-users@openssl.org'
Subject: Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

Hi Dr,

I already tried using:

    openssl pkcs7 -inform DER -in pkcs7.p7

It gives me the same error, which are as follows

    net\chint...@symdev1:~/Symphony/Dev/system/dl/sym-licensemanager$ openssl pkcs7 -inform DER -in pkcs7.p7
    unable to load PKCS7 object
    11381:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
    11381:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=PKCS7_ISSUER_AND_SERIAL
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=issuer_and_serial, Type=PKCS7_SIGNER_INFO
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:710:Field=signer_info, Type=PKCS7_SIGNED
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:
    11381:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:tasn_dec.c:578:Field=d.sign, Type=PKCS7

Please find the binary file you requested attached.

Thanks,
-Ujwal

From: Ujwal Chinthala
Sent: Tuesday, January 19, 2010 4:41 PM
To: 'openssl-users@openssl.org'
Subject: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

Hi,

I am new to OpenSSL. I am trying to verify the compressed XML data, signed using PKCS#7. Then a four byte crc is appended to it and the whole data is now base64 encoded. All the above is done using windows libraries. The verification works fine in windows. Now I am trying to verify the above data (signed using windows libs) using OpenSSL. The data is decoded from base64 to bytes, crc is verified. Then I try to use the command d2i_pkcs7 to create the PKCS7 structure which results in the following error, error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag. The code I am using to do this is as follows:

    const unsigned char *q;
    q = (const unsigned char*)nBytes;
    PKCS7 *p7 = NULL; // I want to use this p7 structure in PKCS7_verify
    p7 = d2i_PKCS7(NULL, &q, nCountOfBytes); // error occurs here

where nBytes is a BYTE array storing the data. I don't have a clue what this error means, am I missing something here?
-Ujwal
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi Dr,

I already tried using:

    openssl pkcs7 -inform DER -in pkcs7.p7

It gives me the same error, which are as follows

    net\chint...@symdev1:~/Symphony/Dev/system/dl/sym-licensemanager$ openssl pkcs7 -inform DER -in pkcs7.p7
    unable to load PKCS7 object
    11381:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
    11381:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=PKCS7_ISSUER_AND_SERIAL
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=issuer_and_serial, Type=PKCS7_SIGNER_INFO
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:710:Field=signer_info, Type=PKCS7_SIGNED
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:
    11381:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:tasn_dec.c:578:Field=d.sign, Type=PKCS7

Please find the binary file you requested attached.

Thanks,
-Ujwal

From: Ujwal Chinthala
Sent: Tuesday, January 19, 2010 4:41 PM
To: 'openssl-users@openssl.org'
Subject: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

Hi,

I am new to OpenSSL. I am trying to verify the compressed XML data, signed using PKCS#7. Then a four byte crc is appended to it and the whole data is now base64 encoded. All the above is done using windows libraries. The verification works fine in windows. Now I am trying to verify the above data (signed using windows libs) using OpenSSL. The data is decoded from base64 to bytes, crc is verified. Then I try to use the command d2i_pkcs7 to create the PKCS7 structure which results in the following error, error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag. The code I am using to do this is as follows:

    const unsigned char *q;
    q = (const unsigned char*)nBytes;
    PKCS7 *p7 = NULL; // I want to use this p7 structure in PKCS7_verify
    p7 = d2i_PKCS7(NULL, &q, nCountOfBytes); // error occurs here

where nBytes is a BYTE array storing the data. I don't have a clue what this error means, am I missing something here?

-Ujwal

pkcs7.p7
Description: pkcs7.p7
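
The error stack in the message above stops at Field=issuer_and_serial: PKCS#7 names a signer only by issuerAndSerialNumber (a SEQUENCE, tag 0x30), while CMS also allows subjectKeyIdentifier ([0], tag 0x80), the keyid that the follow-up messages read with CMS_SignerInfo_get0_signer_id, and a decoder expecting 0x30 reports "wrong tag" on 0x80. The C code below is an added example, not code from the thread or from OpenSSL; it walks a definite-length DER SignedData without OpenSSL and returns the tag of the first signer's identifier. The names der_next, signer_id_tag and sample_skid are hypothetical, and the sample bytes are constructed.

```c
/* Added example: der_next, signer_id_tag and sample_skid are illustrative names. */
#include <stddef.h>
typedef struct { unsigned char tag; const unsigned char *val; size_t len; } tlv_t;

/* Read one definite-length DER TLV at *p (bounded by end) and advance *p past it. */
static int der_next(const unsigned char **p, const unsigned char *end, tlv_t *out)
{
    const unsigned char *c = *p; size_t len, n;
    if (end - c < 2) return -1;
    out->tag = *c++; len = *c++;
    if (len & 0x80) {                 /* long form: low 7 bits count the length bytes */
        n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - c) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *c++;
    }
    if ((size_t)(end - c) < len) return -1;
    out->val = c; out->len = len; *p = c + len;
    return 0;
}

/* Tag of the first SignerInfo's sid: 0x30 = issuerAndSerialNumber (PKCS#7 and CMS),
   0x80 = [0] subjectKeyIdentifier (CMS only); -1 if the input is not SignedData. */
int signer_id_tag(const unsigned char *buf, size_t n)
{
    /* ContentInfo, contentType, [0], SignedData, version, digestAlgorithms, encapContentInfo */
    static const unsigned char tags[]    = {0x30, 0x06, 0xa0, 0x30, 0x02, 0x31, 0x30};
    static const unsigned char descend[] = {1,    0,    1,    1,    0,    0,    0};
    const unsigned char *p = buf, *end = buf + n;
    tlv_t t; size_t i;
    for (i = 0; i < sizeof(tags); i++) {
        if (der_next(&p, end, &t) || t.tag != tags[i]) return -1;
        if (descend[i]) { p = t.val; end = t.val + t.len; }
    }
    do {                              /* skip optional [0] certificates and [1] crls */
        if (der_next(&p, end, &t)) return -1;
    } while (t.tag == 0xa0 || t.tag == 0xa1);
    if (t.tag != 0x31) return -1;     /* signerInfos SET */
    p = t.val; end = t.val + t.len;
    if (der_next(&p, end, &t) || t.tag != 0x30) return -1;   /* first SignerInfo */
    p = t.val; end = t.val + t.len;
    if (der_next(&p, end, &t) || t.tag != 0x02) return -1;   /* SignerInfo version */
    return der_next(&p, end, &t) ? -1 : t.tag;               /* sid */
}

/* Constructed skeleton (fields after sid omitted): signer named by key identifier. */
const unsigned char sample_skid[] = {
    0x30,0x2e, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02, 0xa0,0x21, 0x30,0x1f,
    0x02,0x01,0x03, 0x31,0x00, 0x30,0x0b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x01,
    0x31,0x0b, 0x30,0x09, 0x02,0x01,0x03, 0x80,0x04,0xde,0xad,0xbe,0xef };
```

A result of 0x80 means the blob has to be parsed with the CMS routines and matched by key identifier; 0x30 is the only form the PKCS7 decoder accepts.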
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi,

I am new to OpenSSL. I am trying to verify the compressed XML data, signed using PKCS#7. Then a four byte crc is appended to it and the whole data is now base64 encoded. All the above is done using windows libraries. The verification works fine in windows. Now I am trying to verify the above data (signed using windows libs) using OpenSSL. The data is decoded from base64 to bytes, crc is verified. Then I try to use the command d2i_pkcs7 to create the PKCS7 structure which results in the following error, error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag. The code I am using to do this is as follows:

    const unsigned char *q;
    q = (const unsigned char*)nBytes;
    PKCS7 *p7 = NULL; // I want to use this p7 structure in PKCS7_verify
    p7 = d2i_PKCS7(NULL, &q, nCountOfBytes); // error occurs here

where nBytes is a BYTE array storing the data. I don't have a clue what this error means, am I missing something here?

-Ujwal