openssl crl fails to parse a CRL file, which seems correct

openssl crl fails to parse a CRL file, which seems correct

Wouter Verhelst
Hi,

(this is a resend because my MUA crashed while I tried to send this mail
earlier. If you get it twice, my apologies)

When I try to parse some of the CRLs at <http://crl.eid.belgium.be/>, I
sometimes get this error:

wouter@gangtai:~$ openssl version
OpenSSL 1.0.2h  3 May 2016
wouter@gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -text
unable to load CRL
140694432685592:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL

This isn't the case for all of the CRLs, just for some of them; e.g.,
everything works fine for eidc201503.crl

However, if I try the same on another machine nearby, which has a much
older version of OpenSSL, then things seem to work fine:

eidmac:~ buildslave$ openssl version
OpenSSL 0.9.8zh 14 Jan 2016
eidmac:~ buildslave$ openssl crl -in eidc201203.crl -inform der -noout -text | head
Certificate Revocation List (CRL):
          Version 2 (0x1)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: /C=BE/CN=Citizen CA/serialNumber=201203
          Last Update: Sep 14 10:22:50 2016 GMT
          Next Update: Sep 21 10:22:50 2016 GMT
          CRL extensions:
              X509v3 Authority Key Identifier:
                  keyid:7A:5F:3A:FF:2D:46:91:90:53:3F:BB:91:2D:29:82:ED:BB:78:6A:E0

This machine is a mac running OSX 10.11, the OpenSSL is the default as
shipped with that OS; the other is my personal laptop, which runs Debian
unstable (and the openssl is again the default). I've reproduced the
same issue on Debian stable, haven't tried much else yet.

I've been trying to figure out why my OpenSSL fails to parse the CRL,
whereas others do not. Any hints would be greatly appreciated.

Thanks,

--
Wouter Verhelst
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: openssl crl fails to parse a CRL file, which seems correct

Erwann Abalea-4
That’s a bug in the Issuer name length check.
Use the 1.1.0 version.

Regards,
Erwann Abalea

> On 14 Sept 2016 at 14:31, Wouter Verhelst <[hidden email]> wrote:
>
> Hi,
>
> (this is a resend because my MUA crashed while I tried to send this mail earlier. If you get it twice, my apologies)
>
> When I try to parse some of the CRLs at <http://crl.eid.belgium.be/>, I sometimes get this error:
>
> wouter@gangtai:~$ openssl version
> OpenSSL 1.0.2h  3 May 2016
> wouter@gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -text
> unable to load CRL
> 140694432685592:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
> 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
> 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL
>
> This isn't the case for all of the CRLs, just for some of them; e.g., everything works fine for eidc201503.crl
>
> However, if I try the same on another machine nearby, which has a much older version of OpenSSL, then things seem to work fine:
>
> eidmac:~ buildslave$ openssl version
> OpenSSL 0.9.8zh 14 Jan 2016
> eidmac:~ buildslave$ openssl crl -in eidc201203.crl -inform der -noout -text | head
> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: /C=BE/CN=Citizen CA/serialNumber=201203
>         Last Update: Sep 14 10:22:50 2016 GMT
>         Next Update: Sep 21 10:22:50 2016 GMT
>         CRL extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:7A:5F:3A:FF:2D:46:91:90:53:3F:BB:91:2D:29:82:ED:BB:78:6A:E0
>
> This machine is a mac running OSX 10.11, the OpenSSL is the default as shipped with that OS; the other is my personal laptop, which runs Debian unstable (and the openssl is again the default). I've reproduced the same issue on Debian stable, haven't tried much else yet.
>
> I've been trying to figure out why my OpenSSL fails to parse the CRL, whereas others do not. Any hints would be greatly appreciated.
>
> Thanks,
>
> --
> Wouter Verhelst
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>

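Added example, not part of either message and not OpenSSL code: a small triage helper that walks the DER of a CRL and reports how long the encoded issuer Name really is, next to how many bytes of input remain at the point the issuer is parsed. It assumes, which the thread does not state, that the faulty 1.0.2h check measured the remaining input rather than the Name itself; the sample bytes are constructed, and the names `der`, `read_tlv`, `issuer_span` and `SAMPLE_CRL` are hypothetical.

```python
def der(tag, content):
    """Encode one definite-length DER TLV (used only to build the sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def read_tlv(buf, off, want=None):
    """Return (tag, header_len, content_len) of the DER TLV at offset off."""
    tag, first = buf[off], buf[off + 1]
    if want is not None and tag != want:
        raise ValueError(f"expected tag {want:#04x} at offset {off}, got {tag:#04x}")
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    if not 1 <= n <= 4:
        raise ValueError("unsupported DER length form")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def issuer_span(crl):
    """Return (encoded issuer length, bytes from issuer start to end of input)."""
    _, off, _ = read_tlv(crl, 0, 0x30)         # CertificateList SEQUENCE
    _, hdr, _ = read_tlv(crl, off, 0x30)       # TBSCertList SEQUENCE
    off += hdr
    tag, hdr, ln = read_tlv(crl, off)
    if tag == 0x02:                            # optional version INTEGER
        off += hdr + ln
    _, hdr, ln = read_tlv(crl, off, 0x30)      # signature AlgorithmIdentifier
    off += hdr + ln
    _, hdr, ln = read_tlv(crl, off, 0x30)      # issuer Name
    return hdr + ln, len(crl) - off

# Constructed sample (not a real or signed CRL): short issuer, large revoked list.
def rdn(oid, tag, text):
    return der(0x31, der(0x30, der(0x06, oid) + der(tag, text.encode())))

ISSUER = der(0x30, rdn(b"\x55\x04\x06", 0x13, "BE") + rdn(b"\x55\x04\x03", 0x0C, "Citizen CA"))
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05, b""))
ENTRY = der(0x30, der(0x02, b"\x01" * 16) + der(0x17, b"160914102250Z"))
TBS = der(0x30, der(0x02, b"\x01") + ALG + ISSUER + der(0x17, b"160914102250Z")
          + der(0x30, ENTRY * 50000))
SAMPLE_CRL = der(0x30, TBS + ALG + der(0x03, b"\x00" * 257))

if __name__ == "__main__":
    name_len, remaining = issuer_span(SAMPLE_CRL)
    print(f"issuer Name: {name_len} bytes; input left at issuer: {remaining} bytes")
```

To check a real file, pass its bytes, e.g. `issuer_span(open("eidc201203.crl", "rb").read())`; a small first number beside a very large second one points at the size of the CRL, not the issuer, as what trips the "too long" error.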