Re: [openssl-users] openssl crl fails to parse a CRL file, which seems correct

2016-09-15 Thread Erwann Abalea
That’s a bug in the Issuer name length check.
Use the 1.1.0 version.

Regards,
Erwann Abalea

> On 14 Sept. 2016 at 14:31, Wouter Verhelst wrote:
> 
> Hi,
> 
> (this is a resend because my MUA crashed while I tried to send this mail 
> earlier. If you get it twice, my apologies)
> 
> When I try to parse some of the CRLs at , I 
> sometimes get this error:
> 
> wouter@gangtai:~$ openssl version
> OpenSSL 1.0.2h  3 May 2016
> wouter@gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -text
> unable to load CRL
> 140694432685592:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
> 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
> 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL
> 
> This isn't the case for all of the CRLs, just for some of them; e.g., 
> everything works fine for eidc201503.crl
> 
> However, if I try the same on another machine nearby, which has a much older 
> version of OpenSSL, then things seem to work fine:
> 
> eidmac:~ buildslave$ openssl version
> OpenSSL 0.9.8zh 14 Jan 2016
> eidmac:~ buildslave$ openssl crl -in eidc201203.crl -inform der -noout -text | head
> Certificate Revocation List (CRL):
> Version 2 (0x1)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: /C=BE/CN=Citizen CA/serialNumber=201203
> Last Update: Sep 14 10:22:50 2016 GMT
> Next Update: Sep 21 10:22:50 2016 GMT
> CRL extensions:
> X509v3 Authority Key Identifier:
> keyid:7A:5F:3A:FF:2D:46:91:90:53:3F:BB:91:2D:29:82:ED:BB:78:6A:E0
> 
> This machine is a mac running OSX 10.11, the OpenSSL is the default as 
> shipped with that OS; the other is my personal laptop, which runs Debian 
> unstable (and the openssl is again the default). I've reproduced the same 
> issue on Debian stable, haven't tried much else yet.
> 
> I've been trying to figure out why my OpenSSL fails to parse the CRL, whereas 
> others do not. Any hints would be greatly appreciated.
> 
> Thanks,
> 
> -- 
> Wouter Verhelst
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 
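
A diagnostic sketch added here (not code from the thread or from OpenSSL): it walks the DER of a CRL far enough to report the encoded size of the issuer Name next to the size of the whole file, which helps tell a genuinely oversized name from a failure of the parser's own length check. The function names and the constructed sample CRL are assumptions for illustration.

```python
"""Added example: measure the issuer Name inside a DER-encoded CRL."""
SEQUENCE, INTEGER = 0x30, 0x02

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                          # short-form length
        length = first
    else:                                     # long form: next n bytes hold it
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, off, off + length

def enter(buf, off, what):
    """Read a SEQUENCE at off and return (value_start, value_end)."""
    tag, start, end = read_tlv(buf, off)
    if tag != SEQUENCE:
        raise ValueError(f"{what}: expected SEQUENCE, got tag {tag:#x}")
    return start, end

def crl_issuer_lengths(der_bytes):
    """Walk CertificateList -> TBSCertList -> issuer and report sizes."""
    off, _ = enter(der_bytes, 0, "CertificateList")
    off, _ = enter(der_bytes, off, "TBSCertList")
    tag, _, end = read_tlv(der_bytes, off)
    if tag == INTEGER:                        # optional version field
        off = end
    off = enter(der_bytes, off, "signature")[1]   # skip AlgorithmIdentifier
    _, name_end = enter(der_bytes, off, "issuer")
    return {"issuer_bytes": name_end - off,
            "from_issuer_to_eof": len(der_bytes) - off,
            "crl_bytes": len(der_bytes)}

def der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

# Constructed sample, not a real CRL: small issuer Name, bulky remainder.
SAMPLE_NAME = der(0x30, der(0x31, der(0x30,
    der(0x06, b"\x55\x04\x03") + der(0x0C, b"Example CA"))))
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05, b""))
SAMPLE_CRL = der(0x30, der(0x30, der(0x02, b"\x01") + ALG + SAMPLE_NAME
    + der(0x04, bytes(2000))) + ALG + der(0x03, b"\x00"))
```

To check a real file, pass its bytes, for example `crl_issuer_lengths(open(path, "rb").read())`.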



[openssl-users] openssl crl fails to parse a CRL file, which seems correct

2016-09-14 Thread Wouter Verhelst

Hi,

(this is a resend because my MUA crashed while I tried to send this mail 
earlier. If you get it twice, my apologies)


When I try to parse some of the CRLs at , I 
sometimes get this error:


wouter@gangtai:~$ openssl version
OpenSSL 1.0.2h  3 May 2016
wouter@gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -text
unable to load CRL
140694432685592:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL


This isn't the case for all of the CRLs, just for some of them; e.g., 
everything works fine for eidc201503.crl


However, if I try the same on another machine nearby, which has a much 
older version of OpenSSL, then things seem to work fine:


eidmac:~ buildslave$ openssl version
OpenSSL 0.9.8zh 14 Jan 2016
eidmac:~ buildslave$ openssl crl -in eidc201203.crl -inform der -noout -text | head

Certificate Revocation List (CRL):
 Version 2 (0x1)
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: /C=BE/CN=Citizen CA/serialNumber=201203
 Last Update: Sep 14 10:22:50 2016 GMT
 Next Update: Sep 21 10:22:50 2016 GMT
 CRL extensions:
 X509v3 Authority Key Identifier:
 keyid:7A:5F:3A:FF:2D:46:91:90:53:3F:BB:91:2D:29:82:ED:BB:78:6A:E0

This machine is a mac running OSX 10.11, the OpenSSL is the default as 
shipped with that OS; the other is my personal laptop, which runs Debian 
unstable (and the openssl is again the default). I've reproduced the 
same issue on Debian stable, haven't tried much else yet.


I've been trying to figure out why my OpenSSL fails to parse the CRL, 
whereas others do not. Any hints would be greatly appreciated.


Thanks,

--
Wouter Verhelst