Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi, I used X509_add1_ext_i2d(x509Cert, NID_subject_key_identifier, keyid, 0, 0); to set the SKID value and it works now!! Thanks for all the help!! -Ujwal
RE: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi,

I modified the code as you mentioned, I am just trying to verify if signing the certificate using private key works. I signed the certificate using private key. But I still get the same error from CMS_verify. It complains about signer certificate not found. Is this the right way to create the self-signed dummy certificate? It seems to behave exactly the same way as before. Please find the modified code below (just added a block of code for signing the cert). Also I printed the certificate for reference.

-Ujwal

Data:
    Version: 3 (0x2)
    Serial Number: 0 (0x0)
    Signature Algorithm: dsaWithSHA1
    Issuer:
    Validity
        Not Before: Feb 3 20:02:06 2010 GMT
        Not After : Feb 3 20:02:06 2011 GMT
    Subject:
    Subject Public Key Info:
        Public Key Algorithm: dsaEncryption
        DSA Public Key:
Signature Algorithm: dsaWithSHA1

    //COPY the DSA params and public keys from const char arrays into DSA structure
    DSA *dsaParams = DSA_new();
    dsaParams->g = BN_new();
    dsaParams->p = BN_new();
    dsaParams->q = BN_new();
    dsaParams->pub_key = BN_new();
    BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof(uLicenseCheckG), dsaParams->g);
    BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof(uLicenseCheckP), dsaParams->p);
    BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof(uLicenseCheckQ), dsaParams->q);
    BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof(uLicenseCheckY), dsaParams->pub_key);

    //Create a EVP_PKEY to use in creating a certificate
    EVP_PKEY *evpTemp = EVP_PKEY_new();
    EVP_PKEY_assign_DSA(evpTemp, dsaParams);

    //Create a CMS content info structure out of the license key
    CMS_ContentInfo *cms = NULL;
    BIO *bioBuff = BIO_new_mem_buf((char *)nBytes, nCountOfBytes);
    BIO_set_mem_eof_return(bioBuff, 0);
    cms = d2i_CMS_bio(bioBuff, NULL); // i believe this finds the end of ASN1 data

    STACK_OF(CMS_SignerInfo) *sinfos;
    CMS_SignerInfo *si;
    sinfos = CMS_get0_SignerInfos(cms);
    si = sk_CMS_SignerInfo_value(sinfos, 0);
    ASN1_OCTET_STRING* keyid;
    X509_NAME* issuer;
    ASN1_INTEGER* sno;
    int rc = CMS_SignerInfo_get0_signer_id(si, &keyid, &issuer, &sno);

    //USE THIS KEYID TO SET THE x509Cert->skid VALUE
    printf ("si: %d %p %p %p\n", rc, keyid, issuer, sno);

    //create a x509 cert with above DSA params and public key and skid
    X509 *x509Cert = X509_new();
    X509_set_version(x509Cert, 2);
    ASN1_INTEGER_set(X509_get_serialNumber(x509Cert), 0);
    x509Cert->skid = ASN1_OCTET_STRING_dup(keyid);
    X509_gmtime_adj(X509_get_notBefore(x509Cert),0);
    X509_gmtime_adj(X509_get_notAfter(x509Cert), (long) 60*60*24*365);
    int error = X509_set_pubkey(x509Cert, evpTemp);
    if (error)
    {
        printf("set public key error: %s",
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
On Wed, Feb 03, 2010, Ujwal Chinthala wrote:

> Hi,
>
> I modified the code as you mentioned, I am just trying to verify if signing the certificate using private key works. I signed the certificate using private key. But I still get the same error from CMS_verify. It complains about signer certificate not found. Is this the right way to create the self-signed dummy certificate? It seems to behave exactly the same way as before. Please find the modified code below (just added a block of code for signing the cert). Also I printed the certificate for reference.
>
> //COPY the DSA params and public keys from const char arrays into DSA structure
> DSA *dsaParams = DSA_new();
> dsaParams->g = BN_new();
> dsaParams->p = BN_new();
> dsaParams->q = BN_new();
> dsaParams->pub_key = BN_new();
> BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof(uLicenseCheckG), dsaParams->g);
> BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof(uLicenseCheckP), dsaParams->p);
> BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof(uLicenseCheckQ), dsaParams->q);
> BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof(uLicenseCheckY), dsaParams->pub_key);
>
> //Create a EVP_PKEY to use in creating a certificate
> EVP_PKEY *evpTemp = EVP_PKEY_new();
> EVP_PKEY_assign_DSA(evpTemp, dsaParams);
>
> //Create a CMS content info structure out of the license key
> CMS_ContentInfo *cms = NULL;
> BIO *bioBuff = BIO_new_mem_buf((char *)nBytes, nCountOfBytes);
> BIO_set_mem_eof_return(bioBuff, 0);
> cms = d2i_CMS_bio(bioBuff, NULL); // i believe this finds the end of ASN1 data
>
> STACK_OF(CMS_SignerInfo) *sinfos;
> CMS_SignerInfo *si;
> sinfos = CMS_get0_SignerInfos(cms);
> si = sk_CMS_SignerInfo_value(sinfos, 0);
> ASN1_OCTET_STRING* keyid;
> X509_NAME* issuer;
> ASN1_INTEGER* sno;
> int rc = CMS_SignerInfo_get0_signer_id(si, &keyid, &issuer, &sno);
>
> //USE THIS KEYID TO SET THE x509Cert->skid VALUE
> printf ("si: %d %p %p %p\n", rc, keyid, issuer, sno);
>
> //create a x509 cert with above DSA params and public key and skid
> X509 *x509Cert = X509_new();
> X509_set_version(x509Cert, 2);
> ASN1_INTEGER_set(X509_get_serialNumber(x509Cert), 0);
> x509Cert->skid = ASN1_OCTET_STRING_dup(keyid);

The above line is incorrect. You are just setting a cache SKID value and not including it in the certificate.

Try

    X509_add1_ext_i2d(x509Cert, NID_subject_key_identifier, keyid, 0, 0);

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
On Wed, Feb 3, 2010 at 12:06 PM, Ujwal Chinthala <ujwal_chinth...@net.com> wrote:

> -Ujwal
>
> Data:
>     Version: 3 (0x2)
>     Serial Number: 0 (0x0)

Dr Henson already addressed the error in your code, but this is most likely also an error. The Internet PKI (PKIX) requires that the serial number be a positive integer and never repeated in the life of the issuer. This is why most self-signed certs have 1 as their serial, not 0.

-Kyle H
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hmm, that could be a problem. This code is going to run on a box which is shipped to the customer. So I don't believe we want to ship these boxes with private keys in them :)
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Ujwal Chinthala wrote:

> Hmm, that could be a problem. This code is going to run on a box which is shipped to the customer. So I don't believe we want to ship these boxes with private keys in them :)

Any PKI fully secured session requires each host to have its own private key, and the other host to have the corresponding public key.
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
On Mon, Feb 01, 2010, Ujwal Chinthala wrote:

> Hmm, that could be a problem. This code is going to run on a box which is shipped to the customer. So I don't believe we want to ship these boxes with private keys in them :).

I didn't mean that. I mean that if you create a certificate containing the public key using the private key then you should have no problems. You just ship the certificate to the customer.

> Does Openssl have any API which can extract the PKCS7 data from the CMS structure, which in turn can be used with PKCS7 API's?

The feature you've used with CMS (signing using a key identifier) is a CMS only feature and not compatible with PKCS#7. That's why you got the error in the first place.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
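The incompatibility described in the reply above is visible in the DER itself, and it is what the "wrong tag ... Type=PKCS7_ISSUER_AND_SERIAL" error in this thread reports. The following is an added example, not code from the thread or from OpenSSL: a small stand-alone walker that finds the first SignerInfo of a SignedData message and reports whether its signer identifier is the SEQUENCE form that PKCS#7 expects or the [0] key identifier form that only CMS allows. The function names and both byte arrays are constructed for illustration; the arrays are skeleton messages with no certificates or signature.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which SignerIdentifier CHOICE the first SignerInfo uses (RFC 5652). */
enum sid_kind { SID_ERROR = -1, SID_ISSUER_AND_SERIAL = 1, SID_SUBJECT_KEY_ID = 2 };

/* Read one definite-length TLV at *p (bounded by end): store the tag, point *val at the
 * value, advance *p past it. Returns the value length, or -1 if malformed/unsupported. */
static long der_tlv(const unsigned char **p, const unsigned char *end,
                    unsigned char *tag, const unsigned char **val)
{
    const unsigned char *q = *p;
    size_t len;
    if (end - q < 2) return -1;
    *tag = *q++;
    if ((*tag & 0x1f) == 0x1f) return -1;    /* multi-byte tags not handled */
    len = *q++;
    if (len & 0x80) {                        /* long form, 1..3 length bytes */
        size_t n = len & 0x7f;
        if (n == 0 || n > 3 || (size_t)(end - q) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1;  /* value runs past the buffer */
    *val = q;
    *p = q + len;
    return (long)len;
}

/* Step into an element with the wanted tag: [*p, *end) becomes its value. */
static int der_enter(const unsigned char **p, const unsigned char **end, unsigned char want)
{
    unsigned char tag;
    const unsigned char *val;
    long len = der_tlv(p, *end, &tag, &val);
    if (len < 0 || tag != want) return 0;
    *p = val; *end = val + len;
    return 1;
}

/* Skip one element that must carry the wanted tag. */
static int der_skip(const unsigned char **p, const unsigned char *end, unsigned char want)
{
    unsigned char tag;
    const unsigned char *val;
    return der_tlv(p, end, &tag, &val) >= 0 && tag == want;
}

/* Walk ContentInfo -> SignedData -> signerInfos[0] and classify its sid field. */
enum sid_kind cms_signer_id_kind(const unsigned char *der, size_t derlen)
{
    static const unsigned char oid_signed_data[] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02 };
    const unsigned char *p = der, *end = der + derlen, *val;
    unsigned char tag;
    long len;
    if (!der_enter(&p, &end, 0x30)) return SID_ERROR;        /* ContentInfo */
    len = der_tlv(&p, end, &tag, &val);                      /* contentType OID */
    if (len != (long)sizeof(oid_signed_data) || tag != 0x06 ||
        memcmp(val, oid_signed_data, sizeof(oid_signed_data)) != 0)
        return SID_ERROR;
    if (!der_enter(&p, &end, 0xA0)) return SID_ERROR;        /* [0] EXPLICIT content */
    if (!der_enter(&p, &end, 0x30)) return SID_ERROR;        /* SignedData */
    if (!der_skip(&p, end, 0x02)) return SID_ERROR;          /* version */
    if (!der_skip(&p, end, 0x31)) return SID_ERROR;          /* digestAlgorithms */
    if (!der_skip(&p, end, 0x30)) return SID_ERROR;          /* encapContentInfo */
    while (p < end && (*p == 0xA0 || *p == 0xA1))            /* optional certificates, crls */
        if (der_tlv(&p, end, &tag, &val) < 0) return SID_ERROR;
    if (!der_enter(&p, &end, 0x31)) return SID_ERROR;        /* signerInfos SET */
    if (!der_enter(&p, &end, 0x30)) return SID_ERROR;        /* first SignerInfo */
    if (!der_skip(&p, end, 0x02)) return SID_ERROR;          /* SignerInfo version */
    if (der_tlv(&p, end, &tag, &val) < 0) return SID_ERROR;  /* sid */
    if (tag == 0x30) return SID_ISSUER_AND_SERIAL;  /* SEQUENCE: the only form PKCS#7 has */
    if (tag == 0x80) return SID_SUBJECT_KEY_ID;     /* [0] key identifier: CMS only */
    return SID_ERROR;
}

/* Constructed skeletons: just enough structure to reach the SignerIdentifier. */
static const unsigned char sample_keyid[] = {
    0x30,0x2E, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02, 0xA0,0x21, 0x30,0x1F,
    0x02,0x01,0x03, 0x31,0x00, 0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,
    0x31,0x0B, 0x30,0x09, 0x02,0x01,0x03,
    0x80,0x04,0x01,0x02,0x03,0x04           /* sid: [0] subjectKeyIdentifier */
};
static const unsigned char sample_issuer_serial[] = {
    0x30,0x2F, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02, 0xA0,0x22, 0x30,0x20,
    0x02,0x01,0x01, 0x31,0x00, 0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,
    0x31,0x0C, 0x30,0x0A, 0x02,0x01,0x01,
    0x30,0x05,0x30,0x00,0x02,0x01,0x01      /* sid: SEQUENCE { issuer, serialNumber } */
};

int main(void)
{
    printf("key-id sample: %d, issuer/serial sample: %d\n",
           cms_signer_id_kind(sample_keyid, sizeof sample_keyid),
           cms_signer_id_kind(sample_issuer_serial, sizeof sample_issuer_serial));
    return 0;
}
```

On a real message, `openssl asn1parse -inform DER -in pkcs7.p7` shows the same distinction: a `cont [ 0 ]` element directly after the SignerInfo version where a PKCS#7 parser requires a SEQUENCE.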
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Man page of CMS_verify says the following:

    CMS_get0_signers() retrieves the signing certificate(s) from *cms*, it must be called after a successful CMS_verify() operation.

So, CMS_get0_signers should be called after CMS_verify but you seem to do it the other way round.

Secondly, why do you need to build the X509 cert from the DSA parameters? When your C# application creates the CMS signed message, does it not use a Certificate and its Private Key? Your stack of certs should include this certificate. I also presume that the signing certificate isn't included in the contentInfo message as you have set the CMS_NOINTERN flag for CMS_verify.

Thanks,
Sandeep

On Wed, Jan 27, 2010 at 5:36 AM, Ujwal Chinthala <ujwal_chinth...@net.com> wrote:

> Hi,
>
> Thanks for all the help. I modified the code based on your comments. Basically, I am trying to verify a CMS data signed by a C# program. So I have the base 64 decoded CMS data stored as nBytes a BYTE array. I have to verify the data(nBytes) using the DSA params and public key which is hard coded in the code as const char arrays(uLicenseCheckG, uLicenseCheckP, uLicenseCheckQ and uLicenseCheckY). I tried to verify even using the *CMS_NO_CONTENT_VERIFY* flag. CMS_verify() fails with error “*signer certificate not found*”. I dug into the code and found that CMS_Verify() tries to copy the st(stack of x509 certs) to cms and fails? I am copying the skid value from the cms and creating the x509Cert using that so they match. I have noticed that the x509Cert->skid is becoming NULL after the call to CMS_verify(). Is there anything wrong with the above x509 cert created above with the public key and DSA params and skid. Am I missing something? What else do I need to verify correctly? Please find the modified code below.
>
> -Ujwal
>
> //COPY the DSA params and public keys from const char arrays into DSA structure
> DSA *dsaParams = DSA_new();
> dsaParams->g = BN_new();
> dsaParams->p = BN_new();
> dsaParams->q = BN_new();
> dsaParams->pub_key = BN_new();
> BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof(uLicenseCheckG), dsaParams->g);
> BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof(uLicenseCheckP), dsaParams->p);
> BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof(uLicenseCheckQ), dsaParams->q);
> BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof(uLicenseCheckY), dsaParams->pub_key);
>
> //Create a EVP_PKEY to use in creating a certificate
> EVP_PKEY *evpTemp = EVP_PKEY_new();
> EVP_PKEY_assign_DSA(evpTemp, dsaParams);
>
> //Create a CMS content info structure out of the license key
> CMS_ContentInfo *cms = NULL;
> BIO *bioBuff = BIO_new_mem_buf((char *)nBytes, nCountOfBytes);
> BIO_set_mem_eof_return(bioBuff, 0);
> cms = d2i_CMS_bio(bioBuff, NULL); // i believe this finds the end of ASN1 data
>
> STACK_OF(CMS_SignerInfo) *sinfos;
> CMS_SignerInfo *si;
> sinfos = CMS_get0_SignerInfos(cms);
> si = sk_CMS_SignerInfo_value(sinfos, 0);
> ASN1_OCTET_STRING* keyid;
> X509_NAME* issuer;
> ASN1_INTEGER* sno;
> int rc = CMS_SignerInfo_get0_signer_id(si, &keyid, &issuer, &sno);
>
> //USE THIS KEYID TO SET THE x509Cert->skid VALUE
> printf ("si: %d %p %p %p\n", rc, keyid, issuer, sno);
>
> //create a x509 cert with above DSA params and public key and skid
> X509 *x509Cert = X509_new();
> X509_set_version(x509Cert, 2);
> ASN1_INTEGER_set(X509_get_serialNumber(x509Cert), 0);
> x509Cert->skid = ASN1_OCTET_STRING_dup(keyid);
> X509_gmtime_adj(X509_get_notBefore(x509Cert),0);
> X509_gmtime_adj(X509_get_notAfter(x509Cert), (long) 60*60*24*365);
> int error = X509_set_pubkey(x509Cert, evpTemp);
> if (error)
> {
>     printf("set public key error: %s", ERR_error_string(ERR_get_error(), NULL));
> }
> X509_print_fp(stdout, x509Cert);
>
> //create a stack of x509 cert to use it in CMS_verify
> STACK_OF(X509) *st=sk_X509_new_null();
> sk_X509_push(st, x509Cert);
>
> //x509Cert->skid is valid here
> printf ("skid: %p\n", x509Cert->skid);
>
> //It fails here with “signer certificate not found” error
> //Also tried using the CMS_NO_CONTENT_VERIFY
> int cmsVerify = CMS_verify(cms, st, NULL, NULL, NULL, CMS_NOINTERN|CMS_NO_SIGNER_CERT_VERIFY);
> errortemp = ERR_get_error();
> ERR_error_string(errortemp, errorbuff);
> printf("countofbytes = %d, error num = %d, and error = %s\n", nCountOfBytes, errortemp, errorbuff);
>
> //x509Cert->skid is in-valid here
> printf ("skid: %p\n", x509Cert->skid);
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
On Tue, Jan 26, 2010, Ujwal Chinthala wrote:

> Hi,
>
> Thanks for all the help. I modified the code based on your comments. Basically, I am trying to verify a CMS data signed by a C# program. So I have the base 64 decoded CMS data stored as nBytes a BYTE array. I have to verify the data(nBytes) using the DSA params and public key which is hard coded in the code as const char arrays(uLicenseCheckG, uLicenseCheckP, uLicenseCheckQ and uLicenseCheckY). I tried to verify even using the CMS_NO_CONTENT_VERIFY flag. CMS_verify() fails with error "signer certificate not found". I dug into the code and found that CMS_Verify() tries to copy the st(stack of x509 certs) to cms and fails? I am copying the skid value from the cms and creating the x509Cert using that so they match. I have noticed that the x509Cert->skid is becoming NULL after the call to CMS_verify(). Is there anything wrong with the above x509 cert created above with the public key and DSA params and skid. Am I missing something? What else do I need to verify correctly?

It looks like you're trying to verify the CMS structure with a public key only and no actual certificate. I'd have to check but I'm not totally sure you can do that at present with the OpenSSL CMS implementation.

Do you have access to the private key? If so, creating a dummy self-signed certificate containing that key and the SKID extension (which would hopefully match the one you have in the CMS message) would solve this problem. Then instead of hard coding the public key in your program you could hard code the certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi,

Thanks for all the help. I modified the code based on your comments. Basically, I am trying to verify a CMS data signed by a C# program. So I have the base 64 decoded CMS data stored as nBytes a BYTE array. I have to verify the data(nBytes) using the DSA params and public key which is hard coded in the code as const char arrays(uLicenseCheckG, uLicenseCheckP, uLicenseCheckQ and uLicenseCheckY). I tried to verify even using the CMS_NO_CONTENT_VERIFY flag. CMS_verify() fails with error "signer certificate not found". I dug into the code and found that CMS_Verify() tries to copy the st(stack of x509 certs) to cms and fails? I am copying the skid value from the cms and creating the x509Cert using that so they match. I have noticed that the x509Cert->skid is becoming NULL after the call to CMS_verify(). Is there anything wrong with the above x509 cert created above with the public key and DSA params and skid. Am I missing something? What else do I need to verify correctly? Please find the modified code below.

-Ujwal

    //COPY the DSA params and public keys from const char arrays into DSA structure
    DSA *dsaParams = DSA_new();
    dsaParams->g = BN_new();
    dsaParams->p = BN_new();
    dsaParams->q = BN_new();
    dsaParams->pub_key = BN_new();
    BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof(uLicenseCheckG), dsaParams->g);
    BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof(uLicenseCheckP), dsaParams->p);
    BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof(uLicenseCheckQ), dsaParams->q);
    BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof(uLicenseCheckY), dsaParams->pub_key);

    //Create a EVP_PKEY to use in creating a certificate
    EVP_PKEY *evpTemp = EVP_PKEY_new();
    EVP_PKEY_assign_DSA(evpTemp, dsaParams);

    //Create a CMS content info structure out of the license key
    CMS_ContentInfo *cms = NULL;
    BIO *bioBuff = BIO_new_mem_buf((char *)nBytes, nCountOfBytes);
    BIO_set_mem_eof_return(bioBuff, 0);
    cms = d2i_CMS_bio(bioBuff, NULL); // i believe this finds the end of ASN1 data

    STACK_OF(CMS_SignerInfo) *sinfos;
    CMS_SignerInfo *si;
    sinfos = CMS_get0_SignerInfos(cms);
    si = sk_CMS_SignerInfo_value(sinfos, 0);
    ASN1_OCTET_STRING* keyid;
    X509_NAME* issuer;
    ASN1_INTEGER* sno;
    int rc = CMS_SignerInfo_get0_signer_id(si, &keyid, &issuer, &sno);

    //USE THIS KEYID TO SET THE x509Cert->skid VALUE
    printf ("si: %d %p %p %p\n", rc, keyid, issuer, sno);

    //create a x509 cert with above DSA params and public key and skid
    X509 *x509Cert = X509_new();
    X509_set_version(x509Cert, 2);
    ASN1_INTEGER_set(X509_get_serialNumber(x509Cert), 0);
    x509Cert->skid = ASN1_OCTET_STRING_dup(keyid);
    X509_gmtime_adj(X509_get_notBefore(x509Cert),0);
    X509_gmtime_adj(X509_get_notAfter(x509Cert), (long) 60*60*24*365);
    int error = X509_set_pubkey(x509Cert, evpTemp);
    if (error)
    {
        printf("set public key error: %s", ERR_error_string(ERR_get_error(), NULL));
    }
    X509_print_fp(stdout, x509Cert);

    //create a stack of x509 cert to use it in CMS_verify
    STACK_OF(X509) *st=sk_X509_new_null();
    sk_X509_push(st, x509Cert);

    //x509Cert->skid is valid here
    printf ("skid: %p\n", x509Cert->skid);

    //It fails here with "signer certificate not found" error
    //Also tried using the CMS_NO_CONTENT_VERIFY
    int cmsVerify = CMS_verify(cms, st, NULL, NULL, NULL, CMS_NOINTERN|CMS_NO_SIGNER_CERT_VERIFY);
    errortemp = ERR_get_error();
    ERR_error_string(errortemp, errorbuff);
    printf("countofbytes = %d, error num = %d, and error = %s\n", nCountOfBytes, errortemp, errorbuff);

    //x509Cert->skid is in-valid here
    printf ("skid: %p\n", x509Cert->skid);
RE: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi,

Thanks for all the help. I see the same error when I am trying to create a x509 certificate using the DSA parameters g, p, q and public key y. These parameters are generated by the GetPublicKey API in C#. All the above parameters are BYTE arrays. Find the DSA parameters attached.

    ..
    //
    BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof(uLicenseCheckG), dsaParams->g);
    BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof(uLicenseCheckP), dsaParams->p);
    BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof(uLicenseCheckQ), dsaParams->q);
    BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof(uLicenseCheckY), dsaParams->pub_key);

    unsigned char *buff;
    int nLength;
    nLength = i2d_DSA_PUBKEY(dsaParams, &buff);
    X509 *x509Cert = X509_new();
    const unsigned char *p;
    p = buff;
    x509Cert = d2i_X509(NULL, &p, nLength); // Problem occurs here, x509Cert is NULL and the error is the same as before
    --
    STACK_OF(X509) *st=sk_X509_new_null(); // I want to use this stack of x509 in CMS_verify
    sk_X509_push(st, x509Cert);

-Ujwal

From: Ujwal Chinthala
Sent: Wednesday, January 20, 2010 1:39 PM
To: 'st...@openssl.org'
Cc: 'openssl-users@openssl.org'
Subject: Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

Hi Dr,

I already tried using:

    openssl pkcs7 -inform DER -in pkcs7.p7

It gives me the same error, which are as follows

    net\chint...@symdev1:~/Symphony/Dev/system/dl/sym-licensemanager$ openssl pkcs7 -inform DER -in pkcs7.p7
    unable to load PKCS7 object
    11381:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
    11381:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=PKCS7_ISSUER_AND_SERIAL
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=issuer_and_serial, Type=PKCS7_SIGNER_INFO
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:710:Field=signer_info, Type=PKCS7_SIGNED
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:
    11381:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:tasn_dec.c:578:Field=d.sign, Type=PKCS7

Please find the binary file you requested attached.

Thanks,
-Ujwal

From: Ujwal Chinthala
Sent: Tuesday, January 19, 2010 4:41 PM
To: 'openssl-users@openssl.org'
Subject: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

Hi,

I am new to OpenSSL. I am trying to verify the compressed XML data, signed using PKCS#7. Then a four byte crc is appended to it and the whole data is now base64 encoded. All the above is done using windows libraries. The verification works fine in windows. Now I am trying to verify the above data (signed using windows libs) using OpenSSL. The data is decoded from base64 to bytes, crc is verified. Then I try to use the command d2i_pkcs7 to create the PKCS7 structure which results in the following error, error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag. The code I am using to do this is as follows:

    const unsigned char *q;
    q = (const unsigned char*)nBytes;
    PKCS7 *p7 = NULL; // I want to use this p7 structure in PKCS7_verify
    p7 = d2i_PKCS7(NULL, &q, nCountOfBytes); // error occurs here

where nBytes is a BYTE array storing the data. I don't have a clue what this error means, am I missing something here?
-Ujwal
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
On Thu, Jan 21, 2010, Ujwal Chinthala wrote:

> Hi,
>
> Thanks for the all the help. I see the same error when I am trying to create a x509 certificate using the DSA parameters g, p, q and public key y. These parameters are generated by the GetPublicKey API in C#. All the above parameters are BYTE arrays. Find the DSA parameters attached.
>
> ..
> //
> BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof(uLicenseCheckG), dsaParams->g);
> BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof(uLicenseCheckP), dsaParams->p);
> BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof(uLicenseCheckQ), dsaParams->q);
> BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof(uLicenseCheckY), dsaParams->pub_key);
>
> unsigned char *buff;
> int nLength;
> nLength = i2d_DSA_PUBKEY(dsaParams, &buff);
> X509 *x509Cert = X509_new();
> const unsigned char *p;
> p = buff;
> x509Cert = d2i_X509(NULL, &p, nLength); // Problem occurs here, x509Cert is NULL and the error is the same as before
> --
> STACK_OF(X509) *st=sk_X509_new_null(); // I want to use this stack of x509 in CMS_verify
> sk_X509_push(st, x509Cert);

Well you've encoded (incorrectly, buff should be set to NULL) a SubjectPublicKeyInfo structure and then attempted to decode it as a certificate. It's not surprising it failed: the two are different structures.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi Dr,

I already tried using:

    openssl pkcs7 -inform DER -in pkcs7.p7

It gives me the same error, which are as follows

    net\chint...@symdev1:~/Symphony/Dev/system/dl/sym-licensemanager$ openssl pkcs7 -inform DER -in pkcs7.p7
    unable to load PKCS7 object
    11381:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
    11381:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=PKCS7_ISSUER_AND_SERIAL
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=issuer_and_serial, Type=PKCS7_SIGNER_INFO
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:710:Field=signer_info, Type=PKCS7_SIGNED
    11381:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:
    11381:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:tasn_dec.c:578:Field=d.sign, Type=PKCS7

Please find the binary file you requested attached.

Thanks,
-Ujwal

From: Ujwal Chinthala
Sent: Tuesday, January 19, 2010 4:41 PM
To: 'openssl-users@openssl.org'
Subject: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

Hi,

I am new to OpenSSL. I am trying to verify the compressed XML data, signed using PKCS#7. Then a four byte crc is appended to it and the whole data is now base64 encoded. All the above is done using windows libraries. The verification works fine in windows. Now I am trying to verify the above data (signed using windows libs) using OpenSSL. The data is decoded from base64 to bytes, crc is verified. Then I try to use the command d2i_pkcs7 to create the PKCS7 structure which results in the following error, error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag. The code I am using to do this is as follows:

    const unsigned char *q;
    q = (const unsigned char*)nBytes;
    PKCS7 *p7 = NULL; // I want to use this p7 structure in PKCS7_verify
    p7 = d2i_PKCS7(NULL, &q, nCountOfBytes); // error occurs here

where nBytes is a BYTE array storing the data. I don't have a clue what this error means, am I missing something here?

-Ujwal

pkcs7.p7
Description: pkcs7.p7
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi,

I am new to OpenSSL. I am trying to verify the compressed XML data, signed using PKCS#7. Then a four byte crc is appended to it and the whole data is now base64 encoded. All the above is done using windows libraries. The verification works fine in windows. Now I am trying to verify the above data (signed using windows libs) using OpenSSL. The data is decoded from base64 to bytes, crc is verified. Then I try to use the command d2i_pkcs7 to create the PKCS7 structure which results in the following error, error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag. The code I am using to do this is as follows:

    const unsigned char *q;
    q = (const unsigned char*)nBytes;
    PKCS7 *p7 = NULL; // I want to use this p7 structure in PKCS7_verify
    p7 = d2i_PKCS7(NULL, &q, nCountOfBytes); // error occurs here

where nBytes is a BYTE array storing the data. I don't have a clue what this error means, am I missing something here?

-Ujwal
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
On Tue, Jan 19, 2010, Ujwal Chinthala wrote:

> Hi,
>
> I am new to OpenSSL. I am trying to verify the compressed XML data, signed using PKCS#7. Then a four byte crc is appended to it and the whole data is now base64 encoded. All the above is done using windows libraries. The verification works fine in windows. Now I am trying to verify the above data (signed using windows libs) using OpenSSL. The data is decoded from base64 to bytes, crc is verified. Then I try to use the command d2i_pkcs7 to create the PKCS7 structure which results in the following error, error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag. The code I am using to do this is as follows:
>
> const unsigned char *q;
> q = (const unsigned char*)nBytes;
> PKCS7 *p7 = NULL; // I want to use this p7 structure in PKCS7_verify
> p7 = d2i_PKCS7(NULL, &q, nCountOfBytes); // error occurs here
>
> where nBytes is a BYTE array storing the data. I don't have a clue what this error means, am I missing something here?

I suspect that is caused by the binary data being corrupted somehow. For example the base64 data not being decoded correctly or it not being in DER format.

What does the data look like? Is it ASCII text or are the first two characters 0x30, 0x82?

Suggest you dump the binary data to a file and try:

    openssl pkcs7 -inform DER -in file.p7

If you get a similar error and the above doesn't help you could send it to me and I'll take a look.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
On Tue, Jan 19, 2010, Ujwal Chinthala wrote:

> Hi,
>
> I am new to OpenSSL. I am trying to verify the compressed XML data, signed using PKCS#7. Then a four byte crc is appended to it and the whole data is now base64 encoded. All the above is done using windows libraries. The verification works fine in windows. Now I am trying to verify the above data (signed using windows libs) using OpenSSL. The data is decoded from base64 to bytes, crc is verified. Then I try to use the command d2i_pkcs7 to create the PKCS7 structure which results in the following error, error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag. The code I am using to do this is as follows:
>
> const unsigned char *q;
> q = (const unsigned char*)nBytes;
> PKCS7 *p7 = NULL; // I want to use this p7 structure in PKCS7_verify
> p7 = d2i_PKCS7(NULL, &q, nCountOfBytes); // error occurs here
>
> where nBytes is a BYTE array storing the data. I don't have a clue what this error means, am I missing something here?

That isn't actually a PKCS#7 structure. It is a CMS ContentInfo structure which is a superset of PKCS#7. You need to use the CMS routines instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org