Openssl failed to decrypt certificate without \r\n

Openssl failed to decrypt certificate without \r\n

Zhang, Lily (USD)
Hi,
Would you help me to take a look at this certificate issue?
In order to send out the file, I added ".txt" to the file name. Please remove it before testing it.

Leaf_no_rn.cer doesn't have \r\n in the BASE64 string, it can't be parsed by openssl.
Leaf_with_rn.cer is the same as Leaf_no_rn.cer, but it has \r\n in BASE64 string.
Both attached certificates can be parsed by Windows.

I tried other certificates; they can be parsed in both formats (with \r\n and without \r\n).

Do you know why Leaf_no_rn.cer can't be parsed by " openssl x509 -in C:\Temp\Leaf_with_rn.cer -text"?

------------------------------------------------------------------------------------------

C:\OpenSSL\bin>openssl x509 -in C:\Temp\Leaf_with_rn.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            59:00:00:04:30:86:b8:28:2b:df:d1:0b:ae:00:00:00:00:04:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=njmgroup, CN=NJMSubEnt-CA
        Validity
            Not Before: Apr 20 08:21:19 2017 GMT
            Not After : Apr 20 08:21:19 2018 GMT
        Subject: CN=DCWT1.njmgroup.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:af:89:3b:a2:20:62:e6:9a:90:fe:2b:bb:81:8d:
                    78:68:0f:43:a5:98:67:29:21:1e:f2:5f:b3:15:7a:
                    86:9f:2c:74:40:8e:82:8c:0e:dd:b1:ea:6b:26:c1:
                    1d:8f:1b:8e:4c:d4:93:2a:b7:3b:1d:12:a9:2d:73:
                    6b:67:85:57:9c:28:5d:71:f2:f8:bd:0a:c9:58:79:
                    d7:c1:78:99:d2:91:81:ed:a6:41:e9:b8:ac:61:d4:
                    78:52:79:bc:af:d4:68:b8:b3:f6:3d:1e:45:db:9b:
                    e3:95:31:01:e2:3a:e3:76:84:ba:70:68:0b:1a:fd:
                    2f:1f:31:86:f3:be:1e:ff:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2:
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Auth
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            S/MIME Capabilities:
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+...
..*.H..
            X509v3 Subject Alternative Name:
                othername:<unsupported>, DNS:DCWT1.njmgroup.com
            X509v3 Subject Key Identifier:
                8B:8B:36:E1:61:A2:85:77:28:17:97:C1:49:A0:B2:AE:9D
            X509v3 Authority Key Identifier:
                keyid:B5:B6:D4:63:FE:24:A2:45:68:93:D1:DD:D1:A2:21
E

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=NJMSubEnt-CA,CN=SCAPWT1,CN=CDP,CN
20Services,CN=Services,CN=Configuration,DC=njmgroup,DC=com?certifi
List?base?objectClass=cRLDistributionPoint
                  URI:http://pki.njmgroup.com/CertEnroll/NJMSubEnt

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=NJMSubEnt-CA,CN=AIA,CN
20Services,CN=Services,CN=Configuration,DC=njmgroup,DC=com?cACerti
jectClass=certificationAuthority
                CA Issuers - URI:http://pki.njmgroup.com/CertEnrol
roup.com_NJMSubEnt-CA.crt

    Signature Algorithm: sha256WithRSAEncryption
         31:49:55:f2:e5:29:35:c4:8f:7b:7b:22:3f:ed:2f:4a:c5:26:
         b0:88:47:92:39:3e:b6:0f:c7:f3:7b:c9:6d:1b:16:ac:78:9b:
         62:d1:ff:dc:74:40:41:68:ac:11:65:d6:bf:fb:8f:18:66:13:
         83:f6:6e:39:5a:01:2d:01:31:55:a6:1a:61:ac:02:0a:9f:ad:
         ac:c4:5f:b6:1e:5f:b6:18:9f:5b:77:1c:d7:f0:4a:35:bd:37:
         cf:23:ec:90:3d:18:a7:8f:e7:9c:73:ba:9f:1f:55:8c:c4:79:
         28:23:d6:ce:31:f4:5e:c7:e4:8d:93:fb:f6:c7:c2:96:e3:bb:
         0d:fd:af:cc:fb:bf:6c:f9:81:64:3c:c7:38:f7:c4:d1:7c:70:
         f6:e7:9a:71:e7:89:aa:82:19:cd:49:1b:81:3d:1b:37:b3:c9:
         c1:6c:a1:2d:76:46:fe:bd:21:65:50:58:0f:6a:68:90:0e:12:
         be:05:44:49:12:49:87:70:88:79:3d:84:c4:7e:8a:1b:45:cd:
         a4:92:fe:49:0f:84:42:e8:9f:78:97:f3:ca:24:92:03:05:aa:
         a7:7d:5f:99:92:cd:9f:f3:b5:27:06:24:41:81:03:86:0a:c5:
         52:68:7b:67:f4:e0:b9:5c:e5:a9:36:2d:77:f2:96:d0:6f:e1:
         cc:f9:53:51

C:\OpenSSL\bin>openssl x509 -in C:\Temp\Leaf_no_rn.cer -text
unable to load certificate

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Openssl failed to decrypt certificate without \r\n

Viktor Dukhovni

> On Sep 17, 2017, at 10:23 PM, Zhang, Lily (USD) <[hidden email]> wrote:
>
> Would you help me to take a look at this certificate issue?
> In order to send out the file, I added ".txt" to the file name. Please remove it before testing it.
>
> Leaf_no_rn.cer doesn't have \r\n in the BASE64 string, it can't be parsed by openssl.
> Leaf_with_rn.cer is the same as Leaf_no_rn.cer, but it has \r\n in BASE64 string.
> Both attached certificates can be parsed by Windows.

This is expected, the OpenSSL PEM file reader does not support
input lines with IIRC more than 64 bytes.  PEM files are not
supposed to have longer lines.

--
        Viktor.

Re: Openssl failed to decrypt certificate without \r\n

Zhang, Lily (USD)
Hi, Viktor
Thanks for your reply.
Why can it decrypt the attached root.cer? It also has long lines in root.cer.

Thanks
Lily

Re: Openssl failed to decrypt certificate without \r\n

Viktor Dukhovni

> On Sep 18, 2017, at 3:21 AM, Zhang, Lily (USD) <[hidden email]> wrote:
>
> Why can it decrypt the attached root.cer? It also has long lines in root.cer.
>
> <root.cer.txt>

The OpenSSL PEM code cannot decode that file.  Its lines are too long:

$ PS2=""; openssl x509 -subject -noout <<EOF
-----BEGIN CERTIFICATE-----
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
 e0FfZ7Z7UJ+85vngeV9Tr2a6JkUiDeCpxHKR6l
-----END CERTIFICATE-----
EOF
unable to load certificate
88869:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/pem/pem_lib.c:757:

--
        Viktor.

Re: Openssl failed to decrypt certificate without \r\n

Zhang, Lily (USD)
I can decrypt root.cer successfully. And my error for leaf_no_rn.cer is different from yours.

OpenSSL>  x509 -in C:\Temp\leaf_no_rn.cer -text
unable to load certificate
error in x509

OpenSSL> version
OpenSSL 1.0.2h  3 May 2016

OpenSSL> x509 -in C:\Temp\root.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:11:16:87:de:09:6e:ac:42:50:b5:d9:13:35:f9:16
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=NJMRoot-CA
        Validity
            Not Before: Jun 22 14:54:53 2015 GMT
            Not After : Jun 22 15:04:53 2025 GMT
        Subject: CN=NJMRoot-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:38:ac:14:ba:7c:b2:1c:f2:14:70:08:10:b0:
                    0b:be:45:51:d9:50:6e:72:ba:10:97:7f:49:1b:b9:
                    a9:61:ca:54:7b:55:d6:41:7d:82:20:ff:a5:02:9a:
                    fa:61:ed:af:bb:47:d4:95:e8:d1:51:d3:05:1d:43:
                    4a:3a:3e:63:af:58:7f:3b:bc:3e:d3:19:9b:ba:31:
                    d6:78:f0:09:33:97:ac:bd:27:49:15:23:f3:fa:04:
                    17:d4:e6:d3:fd:20:ef:87:f9:b4:38:14:2c:45:9e:
                    ee:39:03:80:7d:e2:14:bc:2b:b3:e4:0c:f0:d5:b8:
                    06:66:27:71:0d:7a:42:5e:86:8f:fb:d8:73:91:52:
                    c8:fe:ba:56:c5:07:37:18:f4:61:47:1f:1b:b0:46:
                    74:3d:56:96:9d:90:8d:83:0c:64:04:de:44:e8:c7:
                    e1:c0:4c:4a:c7:76:ff:ed:08:6e:4c:10:1c:48:f5:
                    0f:e3:ce:10:d3:54:15:84:a1:dd:5f:da:61:88:8a:
                    6d:82:2e:c7:08:7a:35:62:91:92:37:49:b6:be:ac:
                    50:61:f5:e3:46:79:7b:ff:9b:64:ca:cb:75:ba:01:
                    c2:de:c4:1a:80:d1:4a:bb:6f:b0:5a:a5:f3:96:a6:
                    17:2e:63:0a:8b:eb:1d:72:b8:84:a7:2d:08:e7:db:
                    d3:9d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                B9:17:D1:69:23:34:17:B5:52:68:E9:FF:F8:57:14:5E:89:5C:34:C5
            1.3.6.1.4.1.311.21.1:
                ...
    Signature Algorithm: sha256WithRSAEncryption
         91:1b:79:d1:86:ab:91:a3:5e:71:30:10:26:c2:8c:13:2e:a5:
         c7:f2:2a:d9:00:af:01:3f:48:94:cb:f2:0c:a7:21:ea:a3:dd:
         aa:e5:bb:27:5f:eb:e1:76:20:f7:c3:d6:8e:ba:a2:8d:2b:67:
         ed:fc:1e:5b:bc:e5:ab:20:c1:24:9f:a7:ab:1b:61:35:5c:2a:
         94:96:89:0d:69:77:74:94:1b:66:1e:85:39:b5:08:3f:48:4a:
         98:5a:6f:fd:1b:86:42:b9:cc:4e:a7:95:56:19:a8:ad:cd:c9:
         57:ba:0c:55:0c:6e:8e:87:10:3f:4c:eb:b3:e8:0e:f6:64:c4:
         76:e8:dc:2d:16:aa:18:ec:c2:51:4f:df:71:3a:61:4f:b9:e8:
         a4:63:f8:fc:e7:5f:f1:79:fa:0e:7c:de:fe:7b:3b:62:f2:43:
         2d:aa:6c:b1:72:40:37:29:c3:59:fd:6e:11:8b:82:6a:0d:6f:
         46:79:51:d2:b0:41:84:68:42:c2:e1:7a:e9:db:63:c6:a7:0f:
         28:92:ca:e1:9e:d9:1e:4a:08:a5:89:da:2d:0c:6e:6d:c5:a5:
         c6:2c:54:7e:41:1d:fa:77:2b:62:08:47:b4:15:f6:7b:67:b5:
         09:fb:ce:6f:9e:07:95:f5:3a:f6:6b:a2:64:52:20:de:0a:9c:
         47:29:1e:a5
OpenSSL>

Thanks
Lily

Re: Openssl failed to decrypt certificate without \r\n

OpenSSL - User mailing list
On 09/18/2017 12:59 AM, Viktor Dukhovni wrote:
>> On Sep 17, 2017, at 10:23 PM, Zhang, Lily (USD) [hidden email] wrote:
>>
>> Would you help me to take a look at this certificate issue?
>> In order to send out the file, I added ".txt" to the file name. Please remove it before testing it.
>>
>> Leaf_no_rn.cer doesn't have \r\n in the BASE64 string, it can't be parsed by openssl.
>> Leaf_with_rn.cer is the same as Leaf_no_rn.cer, but it has \r\n in BASE64 string.
>> Both attached certificates can be parsed by Windows.
>
> This is expected, the OpenSSL PEM file reader does not support
> input lines with IIRC more than 64 bytes.  PEM files are not
> supposed to have longer lines.


The current code in master should not have a particular limit on line lengths for *certificates* -- in test/recipes/04-test_pem_data we have files with 1025 characters on a line, and only use a 256-byte buffer when reading.  The PEM format does specify a 64-(base64-)characters-per-line limit when the additional PEM encryption/etc. features are used, but certificates do not use that feature and do not have a line length restriction.  Perhaps Lily should specify what version of OpenSSL is in use.

-Ben
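
Added example, not part of any post in this thread: Python that measures the longest base64 line in a PEM block and re-wraps the body to 64 columns, the layout the replies above describe as the one older OpenSSL PEM readers expect. `SAMPLE_DER` is constructed filler data rather than a real certificate, and all function names are hypothetical.

```python
import base64
import re

# Matches one PEM block, whether or not the body contains line breaks.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

# Constructed filler bytes standing in for DER data; NOT a real certificate.
SAMPLE_DER = bytes(i % 251 for i in range(200))


def single_line_pem(der, label="CERTIFICATE"):
    """Build the problem layout from the thread: base64 with no \\r\\n at all."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN %s-----%s-----END %s-----" % (label, b64, label)


def max_body_line(pem_text):
    """Length of the longest base64 line between the BEGIN and END markers."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    return max((len(line.strip()) for line in m.group(2).splitlines()), default=0)


def rewrap_pem(pem_text, width=64):
    """Return (pem, der): the first PEM block re-wrapped to `width` columns."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    label = m.group(1)
    body = "".join(m.group(2).split())            # drop CR, LF, tabs, spaces
    # validate=True rejects stray characters (and encrypted-PEM header lines)
    der = base64.b64decode(body, validate=True)
    b64 = base64.b64encode(der).decode("ascii")   # canonical padding
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    pem = "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)
    return pem, der


if __name__ == "__main__":
    broken = single_line_pem(SAMPLE_DER)
    print("longest line before:", max_body_line(broken))
    fixed, _ = rewrap_pem(broken)
    print("longest line after: ", max_body_line(fixed))
    print(fixed, end="")
```

The re-wrapped text can be saved to a file and passed to `openssl x509 -in <file> -text` as in the commands quoted in the thread.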



Re: Openssl failed to decrypt certificate without \r\n

Zhang, Lily (USD)

I used OpenSSL 1.0.2h

OpenSSL> version
OpenSSL 1.0.2h  3 May 2016

Thanks
Lily

 
