Re: [openssl-users] Openssl failed to decrypt certificate without \r\n
I used OpenSSL 1.0.2h

OpenSSL> version
OpenSSL 1.0.2h 3 May 2016

Thanks
Lily

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Benjamin Kaduk via openssl-users
Sent: Monday, September 18, 2017 8:24 PM
To: openssl-users@openssl.org; Viktor Dukhovni
Subject: Re: [openssl-users] Openssl failed to decrypt certificate without \r\n

On 09/18/2017 12:59 AM, Viktor Dukhovni wrote:
>> On Sep 17, 2017, at 10:23 PM, Zhang, Lily (USD) <mailto:lily.zh...@dell.com> wrote:
>>
>> Would you help me to take a look this certificate issue?
>> In order to send out the file, I added ".txt" in the file name. Please
>> remove it before test it.
>>
>> Leaf_no_rn.cer doesn't have \r\n in the BASE64 string, it can't be parsed by
>> openssl.
>> Leaf_with_rn.cer is the same as Leaf_no_rn.cer, but it has \r\n in BASE64
>> string.
>> Both the attached two certificates can be parsed by Windows.
> This is expected, the OpenSSL PEM file reader does not support
> input lines with IIRC more than 64 bytes. PEM files are not
> supposed to have longer lines.

The current code in master should not have a particular limit on line lengths for *certificates* -- in test/recipes/04-test_pem_data we have files with 1025 characters on a line, and only use a 256-byte buffer when reading.

The PEM format does specify a 64-(base64-)characters-per-line limit when the additional PEM encryption/etc. features are used, but certificates do not use that feature and do not have a line length restriction.

Perhaps Lily should specify what version of OpenSSL is in use.

-Ben

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl failed to decrypt certificate without \r\n
On 09/18/2017 12:59 AM, Viktor Dukhovni wrote:
>> On Sep 17, 2017, at 10:23 PM, Zhang, Lily (USD) wrote:
>>
>> Would you help me to take a look this certificate issue?
>> In order to send out the file, I added ".txt" in the file name. Please
>> remove it before test it.
>>
>> Leaf_no_rn.cer doesn't have \r\n in the BASE64 string, it can't be parsed by
>> openssl.
>> Leaf_with_rn.cer is the same as Leaf_no_rn.cer, but it has \r\n in BASE64
>> string.
>> Both the attached two certificates can be parsed by Windows.
> This is expected, the OpenSSL PEM file reader does not support
> input lines with IIRC more than 64 bytes. PEM files are not
> supposed to have longer lines.
>

The current code in master should not have a particular limit on line lengths for *certificates* -- in test/recipes/04-test_pem_data we have files with 1025 characters on a line, and only use a 256-byte buffer when reading.

The PEM format does specify a 64-(base64-)characters-per-line limit when the additional PEM encryption/etc. features are used, but certificates do not use that feature and do not have a line length restriction.

Perhaps Lily should specify what version of OpenSSL is in use.

-Ben
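A way to check a PEM file for the over-long body lines discussed in this thread and re-wrap it at 64 characters before handing it to an older OpenSSL. This is an added example, not code from any poster or from OpenSSL; the function names are hypothetical and the sample payload is constructed (200 arbitrary bytes, not a real certificate).

```python
import base64
import binascii
import re

# BEGIN line, body, matching END line; line breaks inside are optional.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
WRAP = 64  # base64 characters per line


def decode_blocks(pem_text):
    """Return [(label, der_bytes)] for every PEM block in pem_text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(pem_text):
        compact = "".join(body.split())  # drop CR, LF and spaces
        try:
            der = base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            # Encrypted PEM (Proc-Type/DEK-Info headers) also lands here.
            raise ValueError(f"{label}: body is not plain base64") from exc
        blocks.append((label, der))
    return blocks


def longest_body_line(pem_text):
    """Length of the longest body line in any block (0 if none found)."""
    return max((len(line.strip())
                for _label, body in PEM_BLOCK.findall(pem_text)
                for line in body.splitlines()), default=0)


def rewrap_pem(pem_text):
    """Re-emit each block wrapped at WRAP chars; decoded bytes are unchanged."""
    out = []
    for label, der in decode_blocks(pem_text):
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + WRAP] for i in range(0, len(b64), WRAP)]
        out += [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]
    return "\n".join(out) + "\n"


# Constructed sample: 200 arbitrary bytes standing in for DER, on one line.
SAMPLE_DER = bytes(range(200))
SINGLE_LINE = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n".format(
    base64.b64encode(SAMPLE_DER).decode("ascii"))

if __name__ == "__main__":
    before, after = SINGLE_LINE, rewrap_pem(SINGLE_LINE)
    print(longest_body_line(before), "->", longest_body_line(after))
```

Only the line breaks change, so the certificate's signature and fingerprint are the same before and after re-wrapping.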
Re: [openssl-users] Openssl failed to decrypt certificate without \r\n
I can decrypt the root.cer successfully.
And my error of leaf_no_rn.cer is different from you.

OpenSSL> x509 -in C:\Temp\leaf_no_rn.cer -text
unable to load certificate
error in x509
OpenSSL> version
OpenSSL 1.0.2h 3 May 2016
OpenSSL> x509 -in C:\Temp\root.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:11:16:87:de:09:6e:ac:42:50:b5:d9:13:35:f9:16
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=NJMRoot-CA
        Validity
            Not Before: Jun 22 14:54:53 2015 GMT
            Not After : Jun 22 15:04:53 2025 GMT
        Subject: CN=NJMRoot-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                B9:17:D1:69:23:34:17:B5:52:68:E9:FF:F8:57:14:5E:89:5C:34:C5
            1.3.6.1.4.1.311.21.1:
                ...
    Signature Algorithm: sha256WithRSAEncryption
OpenSSL>

Thank
Lily

-----Original Message-----
From: Zhang, Lily (USD)
Sent: Monday, September 18, 2017 3:21 PM
To: 'openssl-users@openssl.org'
Subject: RE: [openssl-users] Openssl failed to decrypt certificate without \r\n

Hi, Viktor

Thanks for your reply.
Why it can decrypt attached root.cer, it also has long lines in root.cer?

Thanks
Lily

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni
Sent: Monday, September 18, 2017 2:00 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Ope
Re: [openssl-users] Openssl failed to decrypt certificate without \r\n
> On Sep 18, 2017, at 3:21 AM, Zhang, Lily (USD) wrote:
>
> Why it can decrypt attached root.cer, it also has long lines in root.cer?
>

The OpenSSL PEM code cannot decode that file. Its lines are too long:

  $ PS2=""; openssl x509 -subject -noout
Re: [openssl-users] Openssl failed to decrypt certificate without \r\n
Hi, Viktor

Thanks for your reply.
Why it can decrypt attached root.cer, it also has long lines in root.cer?

Thanks
Lily

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni
Sent: Monday, September 18, 2017 2:00 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Openssl failed to decrypt certificate without \r\n

> On Sep 17, 2017, at 10:23 PM, Zhang, Lily (USD) wrote:
>
> Would you help me to take a look this certificate issue?
> In order to send out the file, I added ".txt" in the file name. Please remove
> it before test it.
>
> Leaf_no_rn.cer doesn't have \r\n in the BASE64 string, it can't be parsed by
> openssl.
> Leaf_with_rn.cer is the same as Leaf_no_rn.cer, but it has \r\n in BASE64
> string.
> Both the attached two certificates can be parsed by Windows.

This is expected, the OpenSSL PEM file reader does not support
input lines with IIRC more than 64 bytes. PEM files are not
supposed to have longer lines.

--
Viktor.
Re: [openssl-users] Openssl failed to decrypt certificate without \r\n
> On Sep 17, 2017, at 10:23 PM, Zhang, Lily (USD) wrote:
>
> Would you help me to take a look this certificate issue?
> In order to send out the file, I added ".txt" in the file name. Please remove
> it before test it.
>
> Leaf_no_rn.cer doesn't have \r\n in the BASE64 string, it can't be parsed by
> openssl.
> Leaf_with_rn.cer is the same as Leaf_no_rn.cer, but it has \r\n in BASE64
> string.
> Both the attached two certificates can be parsed by Windows.

This is expected, the OpenSSL PEM file reader does not support
input lines with IIRC more than 64 bytes. PEM files are not
supposed to have longer lines.

--
Viktor.
[openssl-users] Openssl failed to decrypt certificate without \r\n
Hi,

Would you help me to take a look this certificate issue?
In order to send out the file, I added ".txt" in the file name. Please remove it before test it.

Leaf_no_rn.cer doesn't have \r\n in the BASE64 string, it can't be parsed by openssl.
Leaf_with_rn.cer is the same as Leaf_no_rn.cer, but it has \r\n in BASE64 string.
Both the attached two certificates can be parsed by Windows.

I tried other certificates, they can be parsed by in both formats (with \r\n and no \r\n).
Do you know why Leaf_no_rn.cer can't be parsed by " openssl x509 -in C:\Temp\Leaf_with_rn.cer -text"?

--
C:\OpenSSL\bin>openssl x509 -in C:\Temp\Leaf_with_rn.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            59:00:00:04:30:86:b8:28:2b:df:d1:0b:ae:00:00:00:00:04:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=njmgroup, CN=NJMSubEnt-CA
        Validity
            Not Before: Apr 20 08:21:19 2017 GMT
            Not After : Apr 20 08:21:19 2018 GMT
        Subject: CN=DCWT1.njmgroup.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2:
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Auth
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            S/MIME Capabilities:
                ..0...`.H.e...*0...`.H.e...-0...`.H.e0...`.H.e0...+... ..*.H..
            X509v3 Subject Alternative Name:
                othername:, DNS:DCWT1.njmgroup.com
            X509v3 Subject Key Identifier:
                8B:8B:36:E1:61:A2:85:77:28:17:97:C1:49:A0:B2:AE:9D
            X509v3 Authority Key Identifier:
                keyid:B5:B6:D4:63:FE:24:A2:45:68:93:D1:DD:D1:A2:21
E
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=NJMSubEnt-CA,CN=SCAPWT1,CN=CDP,CN
20Services,CN=Services,CN=Configuration,DC=njmgroup,DC=com?certifi
List?base?objectClass=cRLDistributionPoint
                  URI:http://pki.njmgroup.com/CertEnroll/NJMSubEnt
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=NJMSubEnt-CA,CN=AIA,CN
20Services,CN=Services,CN=Configuration,DC=njmgroup,DC=com?cACerti
jectClass=certificationAuthority
                CA Issuers - URI:http://pki.njmgroup.com/CertEnrol
roup.com_NJMSubEnt-CA.crt
    Signature Algorithm: sha256WithRSAEncryption