PKCS7: decoding failed


PKCS7: decoding failed

weber
Hello folks,

I'm sorry, but I cannot find the reason for the errors that result from
calling openssl (version 0.9.7e or 0.9.8) as follows:

openssl pkcs7  -noout -text -print_certs < decoded.b64
unable to load PKCS7 object
5655:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
5655:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509_CINF
5655:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:743:Field=cert_info, Type=X509
5655:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:704:Field=cert, Type=PKCS7_SIGNED
5655:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:743:
5655:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:tasn_dec.c:572:Field=d.sign, Type=PKCS7
5655:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

Can anybody help?

PKCS7 Object follows:
-----BEGIN PKCS7-----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-----END PKCS7-----

TIA
--
Christian Weber
mailto:[hidden email]    Tel: 02361/91300
For information on InfoTech visit http://www.InfoTech.de/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: PKCS7: decoding failed

Marco Roeland
On Friday September 2nd 2005 Christian Weber wrote:

> i'm sorry but I cannot find the reason for the errors resulting in
> calling openssl (Version 0.9.7e or 0.9.8) as follows:
>
> openssl pkcs7  -noout -text -print_certs < decoded.b64
> unable to load PKCS7 object

I have no idea either, but you might want to run

openssl asn1parse -in decoded.b64

which does work on this input and compare the resulting fields and
identifiers with a PKCS7 file that you _can_ read. Perhaps the file was
created with different parameters than OpenSSL expects.
--
Marco Roeland

Re: PKCS7: decoding failed

weber
Sorry again, I forgot to write that openssl asn1parse does work on the file.

The file has been generated externally (i.e. by German Telesec), so
we need to know what's wrong with the data for openssl.

Marco Roeland wrote:

> On Friday September 2nd 2005 Christian Weber wrote:
>
>
>>i'm sorry but I cannot find the reason for the errors resulting in
>>calling openssl (Version 0.9.7e or 0.9.8) as follows:
>>
>>openssl pkcs7  -noout -text -print_certs < decoded.b64
>>unable to load PKCS7 object
>
>
> I have no idea either, but you might want to run
>
> openssl asn1parse -in decoded.b64
>
> which does work on this input and compare the resulting fields and
> identifiers with a PKCS7 file that you _can_ read. Perhaps the file was
> created with different parameters than OpenSSL expects.

Marco: What parameters are you writing about?

TIA
--
Christian Weber
mailto:[hidden email]    Tel: 02361/91300
For information on InfoTech visit http://www.InfoTech.de/

Re: PKCS7: decoding failed

Marco Roeland
On Friday September 2nd 2005 Christian Weber:

> Sorry again I missed to write that openssl asn1parse does work on the file.
>
> The file has been generated externally (i.e. by German Telesec), so
> we need to know what's wrong with the data to openssl.
>
> Marco: What parameters are you writing about?

As said earlier, I'm no expert. In PKCS7 a great many extensions and
fields can be encoded through the general ASN.1 encoding.

All I know is that the parse routines from OpenSSL are sometimes
somewhat brittle when confronted with all these exotic extensions.
You might argue whether this is a bug or a feature, as ignoring errors
and skipping unknown features might cryptographically not be a good idea.

As found in the "RESTRICTIONS" section of the 'pkcs7' manpage:

        There is no option to print out all the fields of a PKCS#7 file.

        This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in
        RFC2315 they cannot currently parse, for example, the new CMS as
        described in RFC2630.

The original error message specified "5655:error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:", so that might
mean, for example, getting confused by a "T61STRING" instead of a
"PRINTABLESTRING" or an "IA5STRING". Building OpenSSL with debug
information and running it through the debugger with this input file
would perhaps pinpoint the exact (first) problem that OpenSSL sees. And
perhaps it can be fixed then.
--
Marco Roeland

Re: PKCS7: decoding failed

Dr. Stephen Henson
In reply to this post by weber
On Fri, Sep 02, 2005, Christian Weber wrote:

> Hello folks,
>
> i'm sorry but I cannot find the reason for the errors resulting in
> calling openssl (Version 0.9.7e or 0.9.8) as follows:
>
> openssl pkcs7  -noout -text -print_certs < decoded.b64
> unable to load PKCS7 object
> 5655:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
> 5655:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509_CINF
> 5655:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:743:Field=cert_info, Type=X509
> 5655:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:704:Field=cert, Type=PKCS7_SIGNED
> 5655:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:743:
> 5655:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:tasn_dec.c:572:Field=d.sign, Type=PKCS7
> 5655:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
>
> Can anybody help?
>

The error message is giving some help in that it is choking on an X509_CINF
structure within an X509 structure. That hints there's something in a
certificate it doesn't like, or in what should be a certificate.

Unfortunately it doesn't currently tell you *where* it is choking in terms of a
file offset. Manually analysing the file using asn1parse...

    0:d=0  hl=4 l=2363 cons: SEQUENCE          
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=2348 cons: cont [ 0 ]        
   19:d=2  hl=4 l=2344 cons: SEQUENCE          
   23:d=3  hl=2 l=   1 prim: INTEGER           :01
   26:d=3  hl=2 l=   0 cons: SET              
   28:d=3  hl=2 l=  11 cons: SEQUENCE          
   30:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   41:d=3  hl=4 l=2320 cons: cont [ 0 ]        

That part starting at offset 41 is the certificate set. By using -strparse 41
only that part is output:

    0:d=0  hl=4 l=2320 cons: cont [ 0 ]        
    4:d=1  hl=4 l= 616 cons: SEQUENCE          
    8:d=2  hl=4 l= 468 cons: SEQUENCE          
   12:d=3  hl=2 l=   3 cons: cont [ 0 ]        
   14:d=4  hl=2 l=   1 prim: INTEGER           :02
   17:d=3  hl=2 l=   3 prim: INTEGER           :32D18D


OK, that bit at offset 4 is the first certificate. By adding -strparse 4
and -out cert.der it can be saved to a file. Then shoving the result through
the 'x509' utility shows OpenSSL likes it.

The next certificate is at offset 624 (looking for d=1 is the clue here).

  624:d=1  hl=4 l= 641 cons: SEQUENCE          
  628:d=2  hl=2 l=   3 prim: OBJECT            :2.5.4.37
  633:d=2  hl=4 l= 632 cons: SEQUENCE          
  637:d=3  hl=4 l= 484 cons: SEQUENCE          
  641:d=4  hl=2 l=   3 cons: cont [ 0 ]        
  643:d=5  hl=2 l=   1 prim: INTEGER           :02
  646:d=4  hl=2 l=   4 prim: INTEGER           :01CD4B49
  652:d=4  hl=2 l=  10 cons: SEQUENCE        

This looks different straight away. Whereas the first has SEQUENCE, SEQUENCE,
this starts with SEQUENCE, OBJECT. That's actually what the problem is.
For some reason whoever generated it has inserted that extra garbage
surrounding the certificate. If that is stripped off and the output starting
at 633 is analysed, it is a valid certificate.

That is a violation of PKCS#7 and CMS.

There is also a third certificate in there but it is OK.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk