OpenSSL - User

Dave Thompson-4 wrote

> From: owner-openssl-users@openssl.org On Behalf Of dutchman1
> Sent: Friday, 06 November, 2009 09:11
>
> Thanks for your reply. The cert was located on a hardware device and
> I'm trying to write it to file through C code, so something might be
> lost in translation. I've attached the cert to the post.
>
> Dave Thompson-4 wrote:
> > No you couldn't parse it; you got the same error right there.
> > Dump the file (usually easiest in hex) and look at that point
> > (the second part of issuer DN). If you don't understand it,
> > post a readable dump, or the exact file as an attachment.
> >
> > Usual suspect: was this cert generated on the system where you
> > are using it, or copied from somewhere else, and if so how --
> > FTP, SFTP, rcp, scp, NFS, SMB, HTTP, email, PKCS7/CMS/SMIME, etc. --
> > and is the original copy usable?
>
> http://old.nabble.com/file/p26230528/cert1.txt cert1.txt

(and cert1.zip in a subsequent message)

Aside: bizarrely, when I try to access those URLs with IE6, it claims
"site unavailable or not found", but with a debug proxy (webscarab) in
place, I see successful connections and 200 responses that look entirely
reasonable to me, and webscarab -- which is fairly picky -- doesn't
complain. The first one is marked as text/plain when it isn't, which
would mess up rendering, but shouldn't disclaim any response; the second
one is marked as application/zip with charset=utf-8 added, which is
superfluous for that type but should just be ignored. Well, I got the
response body from webscarab and used that.

0000 30 82 03 90 30 82 02 78 A0 03 02 01 02 02 07 01 0...0..x........
0010 00 23 ED 2E 89 7A 30 0D 06 09 2A 86 48 86 F7 0D .#...z0...*.H...
0020 01 01 05 05 00 30 7B 31 0B 30 09 06 03 55 04 06 .....0{1.0...U..
0030 13 02 55 53 31 17 30 15 06 03 55 04 0D 0A 13 0E ..US1.0...U.....
0040 4D 6F 74 6F 72 6F 6C 61 2C 20 49 6E 63 2E 31 2B Motorola, Inc.1+
0050 30 29 06 03 55 04 0B 13 22 57 69 4D 41 58 20 44 0)..U..."WiMAX D
0060 65 76 69 63 65 20 43 65 72 74 69 66 69 63 61 74 evice Certificat
0070 65 20 41 75 74 68 6F 72 69 74 79 31 26 30 24 06 e Authority1&0$.
0080 03 55 04 03 13 1D 4D 6F 74 6F 72 6F 6C 61 20 57 .U....Motorola W
0090 69 4D 41 58 20 44 65 76 69 63 65 20 52 6F 6F 74 iMAX Device Root
00A0 20 43 41 30 1E 17 0D 30 39 30 34 31 34 31 38 34  CA0...090414184
00B0 31 31 35 5A 17 0D 33 39 30 34 31 34 31 38 34 31 115Z..3904141841
00C0 31 35 5A 30 72 31 0B 30 09 06 03 55 04 06 13 02 15Z0r1.0...U....
00D0 55 53 31 17 30 15 06 03 55 04 0D 0A 13 0E 4D 6F US1.0...U.....Mo
00E0 74 6F 72 6F 6C 61 2C 20 49 6E 63 2E 31 15 30 13 torola, Inc.1.0.
00F0 06 03 55 04 0B 13 0C 57 69 4D 41 58 20 44 65 76 ..U....WiMAX Dev
0100 69 63 65 31 1C 30 1A 06 03 55 04 0B 13 13 4D 6F ice1.0...U....Mo
0110 74 6F 72 6F 6C 61 20 50 4B 49 20 43 65 6E 74 65 torola PKI Cente
0120 72 31 15 30 13 06 03 55 04 03 13 0C 30 30 32 33 r1.0...U....0023
0130 45 44 32 45 38 39 37 41 30 81 9F 30 0D 06 09 2A ED2E897A0..0...*
0140 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 .H............0.
0150 89 02 81 81 00 C1 53 87 1C D0 7F 1A CA EE AE BD ......S.........
0160 78 06 AF EB 19 97 53 99 36 16 CB BC A8 0C 2D CF x.....S.6.....-.
0170 EC 55 2C CF D3 FA 33 AA B3 DE 52 B6 0D 8C 01 A9 .U,...3...R.....
0180 BF CE 5F 5E 9E 84 32 AF DF 6E A1 92 36 65 AC 7A .._^..2..n..6e.z
0190 62 C4 33 97 5C 71 52 68 29 CB 71 BF AF CE 2A E4 b.3.\qRh).q...*.
01A0 03 EF 8E CA CA CE 37 87 BA 7E 55 4A 85 47 12 FE ......7..~UJ.G..
01B0 D1 76 43 F8 21 56 7B 5B C7 F8 8D C8 A7 87 E8 16 .vC.!V{[........
01C0 EF A1 AA F8 5C 7E 78 F9 93 C4 82 61 8A C8 69 AF ....\~x....a..i.
01D0 6B 1B 36 9D 75 02 03 01 00 01 A3 81 A5 30 81 A2 k.6.u........0..
01E0 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 05 A0 0...U...........
01F0 30 20 06 03 55 1D 25 01 01 FF 04 16 30 14 06 08 0 ..U.%.....0...
0200 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 +.........+.....
0210 03 01 30 1F 06 03 55 1D 23 04 18 30 16 80 14 74 ..0...U.#..0...t
0220 9F F6 2C 2B 60 80 53 17 79 A0 39 6D 77 84 FD BA ..,+`.S.y.9mw...
0230 D8 88 65 30 4D 06 03 55 1D 1F 04 46 30 44 30 42 ..e0M..U...F0D0B
0240 A0 40 A0 3E 86 3C 68 74 74 70 3A 2F 2F 77 77 77 .@.>.<http://www
0250 2E 61 74 73 65 63 65 6E 67 2E 63 6F 6D 2F 43 52 .atseceng.com/CR
0260 4C 2F 4D 6F 74 6F 57 69 4D 41 58 44 65 76 69 63 L/MotoWiMAXDevic
0270 65 52 6F 6F 74 43 41 2F 64 65 76 69 63 65 2E 63 eRootCA/device.c
0280 72 6C 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 rl0...*.H.......
0290 00 03 82 01 01 00 06 CB E8 3F 5B F0 1E A1 9C 04 .........?[.....
02A0 73 67 88 C2 6B D0 3A BF F7 E8 30 C3 DE FE 29 6D sg..k.:...0...)m
02B0 B9 E5 45 C2 FE 92 2D 29 7B 7E 34 E8 8B 38 08 A2 ..E...-){~4..8..
02C0 3E 17 84 41 17 1B 40 62 86 A6 26 77 F4 5A BF BC >..A..@b..&w.Z..
02D0 DA 90 0B AE 41 5C D7 BB 3E E5 5D E8 2B B8 44 36 ....A\..>.].+.D6
02E0 5F 43 E9 CF A5 47 07 6B 2C 27 B2 A2 D1 E0 D2 C3 _C...G.k,'......
02F0 D8 AE C9 CA F5 50 A4 BF 26 D9 CA EE CE 5F A1 83 .....P..&...._..
0300 53 EC 84 55 A8 7C 73 16 92 EC DD F8 E6 0F 08 4E S..U.|s........N
0310 A8 ED 52 CB 64 35 ED 97 21 2C C0 AC 84 FB 0D 0A ..R.d5..!,......
0320 E2 DE 0D 0A F3 EF A0 87 DF 7C 6F 57 99 B4 F3 0B .........|oW....
0330 1D CC 22 D0 00 9C 48 F8 B8 25 E9 6E 58 4F 4E A9 .."...H..%.nXON.
0340 52 79 D3 96 E2 E3 CA 31 B1 53 0B 7C 84 14 39 27 Ry.....1.S.|..9'
0350 30 C4 7C DD EE C0 29 E2 24 C4 2E 06 88 61 FE E0 0.|...).$....a..
0360 50 E7 27 84 BB EE D2 F2 2A D8 7A 89 1A 22 CA 13 P.'.....*.z.."..
0370 65 28 F1 1D 43 36 3D 25 F6 7B 57 1F 1C 88 B3 DE e(..C6=%.{W.....
0380 94 3E 54 D8 61 2A E9 B1 9E 9B FB 45 87 BD 18 00 .>T.a*.....E....
0390 E8 95 F5 30 49 0E 84 14                         ...0I...

Right off, this cert is 4 bytes longer than its outermost TLV claims,
so we know it's corrupted. Looking at 52=0x36 (in Issuer) we see

31 17 30 15 06 03 55 04 0D 0A 13 0E
4D 6F 74 6F 72 6F 6C 61 2C 20 49 6E 63 (2E)

This is one byte longer than the TLV indicates, and an OID of
55 04 0A = Org makes more sense than 55 04 0D = description for
"Motorola, Inc.".

Similarly at 0xD2 in Subject, after a reasonable validity. Following
that are valid pubkey and extensions, and sigalg, but the sigval is
2 bytes longer than TLV claims and it contains (exactly) two 0A bytes
each preceded by 0D.

This is exactly the symptom of a file being treated as text when it
isn't, in particular by transfer protocols like (S)FTP and maybe HTTP,
or other tools like ZIP. A Unix-style "newline" (0A) gets converted to
a DOS/Win/Inet style CR LF (0D 0A). Similarly C internally uses a
one-byte '\n' newline, but *ON DOS/Win* text files use CRLF, so
fopen/fwrite/etc. *in text mode* converts 0A to 0D0A on output, and
0D0A to 0A on input. If you are running your C program on DOS/Win, you
need to open the file in binary mode, i.e. fopen(foo, "wb"). (But if
you're running *on cygwin on Win*, it's more complicated; cygwin tries
to bridge the gap between Unix-format and Win-format, AFAIK mostly by
'mount' options.) Even on other platforms it is good to specify this
for clarity/documentation/robustness even if not strictly needed. As a
check it should be 916=0x394 bytes.

Alternatively, if you *want* a text file, which is usually more
portable and human recognizable: get the cert data, base64 it and add
the -----BEGIN/END lines to make it PEM format, and write (and read)
that as text.

Removing the 4 spurious 0D's gives a cert (file) that successfully
parses/decodes as:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:00:23:ed:2e:89:7a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Motorola, Inc., OU=WiMAX Device Certificate Authority, CN=Motorola WiMAX Device Root CA
        Validity
            Not Before: Apr 14 18:41:15 2009 GMT
            Not After : Apr 14 18:41:15 2039 GMT
        Subject: C=US, O=Motorola, Inc., OU=WiMAX Device, OU=Motorola PKI Center, CN=0023ED2E897A
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c1:53:87:1c:d0:7f:1a:ca:ee:ae:bd:78:06:af:
                    eb:19:97:53:99:36:16:cb:bc:a8:0c:2d:cf:ec:55:
                    2c:cf:d3:fa:33:aa:b3:de:52:b6:0d:8c:01:a9:bf:
                    ce:5f:5e:9e:84:32:af:df:6e:a1:92:36:65:ac:7a:
                    62:c4:33:97:5c:71:52:68:29:cb:71:bf:af:ce:2a:
                    e4:03:ef:8e:ca:ca:ce:37:87:ba:7e:55:4a:85:47:
                    12:fe:d1:76:43:f8:21:56:7b:5b:c7:f8:8d:c8:a7:
                    87:e8:16:ef:a1:aa:f8:5c:7e:78:f9:93:c4:82:61:
                    8a:c8:69:af:6b:1b:36:9d:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:74:9F:F6:2C:2B:60:80:53:17:79:A0:39:6D:77:84:FD:BA:D8:88:65
            X509v3 CRL Distribution Points:
                URI:http://www.atseceng.com/CRL/MotoWiMAXDeviceRootCA/device.crl
    Signature Algorithm: sha1WithRSAEncryption
        06:cb:e8:3f:5b:f0:1e:a1:9c:04:73:67:88:c2:6b:d0:3a:bf:
        f7:e8:30:c3:de:fe:29:6d:b9:e5:45:c2:fe:92:2d:29:7b:7e:
        34:e8:8b:38:08:a2:3e:17:84:41:17:1b:40:62:86:a6:26:77:
        f4:5a:bf:bc:da:90:0b:ae:41:5c:d7:bb:3e:e5:5d:e8:2b:b8:
        44:36:5f:43:e9:cf:a5:47:07:6b:2c:27:b2:a2:d1:e0:d2:c3:
        d8:ae:c9:ca:f5:50:a4:bf:26:d9:ca:ee:ce:5f:a1:83:53:ec:
        84:55:a8:7c:73:16:92:ec:dd:f8:e6:0f:08:4e:a8:ed:52:cb:
        64:35:ed:97:21:2c:c0:ac:84:fb:0a:e2:de:0a:f3:ef:a0:87:
        df:7c:6f:57:99:b4:f3:0b:1d:cc:22:d0:00:9c:48:f8:b8:25:
        e9:6e:58:4f:4e:a9:52:79:d3:96:e2:e3:ca:31:b1:53:0b:7c:
        84:14:39:27:30:c4:7c:dd:ee:c0:29:e2:24:c4:2e:06:88:61:
        fe:e0:50:e7:27:84:bb:ee:d2:f2:2a:d8:7a:89:1a:22:ca:13:
        65:28:f1:1d:43:36:3d:25:f6:7b:57:1f:1c:88:b3:de:94:3e:
        54:d8:61:2a:e9:b1:9e:9b:fb:45:87:bd:18:00:e8:95:f5:30:
        49:0e:84:14

(although I can't verify it without the parent cert).

(On the good side, the CA is apparently fixed for y2.038k!)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
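The checks Dave walks through above, done in code: compare the outermost TLV's declared length with the actual size, walk the DER structure to the first element that no longer fits (the spot to look at in a hex dump), strip the 0D bytes that text-mode handling inserted before each 0A, and wrap the result in PEM when a text file is what you actually want. This is an added Python example, not code from the original post or from OpenSSL. The sample bytes are constructed from the issuer RDN in the dump (the OID 2.5.4.10 = organizationName ends in 0A, which is exactly the byte that gets mangled); the function names and the repair heuristic (only strip CR LF pairs when their count equals the surplus the outer length reports) are this example's own, not anything the thread prescribes.

```python
"""DER length check and CR LF repair for a certificate mangled by a
text-mode copy (LF -> CR LF), plus PEM wrapping as the text-safe alternative.
Added example; not from the original post or from OpenSSL."""
import base64
import re


def read_tlv(buf, off):
    """Parse one DER tag/length at `off`; return (tag, constructed, content_start, content_end).
    Single-byte tags and definite lengths up to 4 bytes only, which covers X.509."""
    if off + 2 > len(buf):
        raise ValueError(f"truncated TLV header at {off:#x}")
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError(f"multi-byte tag at {off:#x} not supported")
    length = buf[off + 1]
    i = off + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError(f"indefinite or oversized length at {off:#x}; not DER")
        if i + nbytes > len(buf):
            raise ValueError(f"truncated long-form length at {off:#x}")
        length = int.from_bytes(buf[i:i + nbytes], "big")
        i += nbytes
    end = i + length
    if end > len(buf):
        raise ValueError(f"TLV at {off:#x} (tag {tag:#04x}) claims {length} content bytes "
                         f"but only {len(buf) - i} remain")
    return tag, bool(tag & 0x20), i, end


def validate(buf, off=0, end=None):
    """Walk every TLV; each constructed value's children must fill it exactly.
    Returns the offset past the last element; raises at the first one that does not fit."""
    if end is None:
        end = len(buf)
    while off < end:
        _tag, constructed, cs, ce = read_tlv(buf, off)
        if constructed:
            validate(buf, cs, ce)
        off = ce
    if off != end:
        raise ValueError(f"children overrun their parent at {off:#x}")
    return off


def first_error(buf):
    """None if buf walks cleanly, else the message naming the offending offset."""
    try:
        validate(buf)
    except ValueError as e:
        return str(e)
    return None


def diagnose(buf):
    """(declared total size per the outer TLV, surplus bytes, count of CR LF pairs)."""
    declared = read_tlv(buf, 0)[3]
    return declared, len(buf) - declared, buf.count(b"\r\n")


def repair_crlf(buf):
    """Undo LF -> CR LF expansion, but only when it explains every surplus byte.
    DER can legitimately contain 0D 0A, so the pair count must match the surplus
    and the repaired object must walk cleanly; otherwise refuse rather than guess."""
    _declared, surplus, pairs = diagnose(buf)
    if surplus == 0:
        validate(buf)
        return buf
    if surplus != pairs:
        raise ValueError(f"{surplus} surplus bytes but {pairs} CR LF pairs; not plain newline mangling")
    fixed = buf.replace(b"\r\n", b"\n")
    validate(fixed)
    return fixed


def to_pem(der, label="CERTIFICATE"):
    """Base64 in 64-column lines between BEGIN/END markers: safe to move as text."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def from_pem(text, label="CERTIFICATE"):
    """Inverse of to_pem; CR LF or LF line endings both decode, which is the point of PEM."""
    m = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


# Constructed sample (from the issuer RDN in the dump): SEQUENCE { SET { SEQUENCE { OID, PrintableString } } }.
# OID 2.5.4.10 organizationName encodes as 55 04 0A; the trailing 0A is what text mode turns into 0D 0A.
ORG_NAME_OID = bytes.fromhex("06 03 55 04 0A")
GOOD_DER = b"\x30\x19\x31\x17\x30\x15" + ORG_NAME_OID + b"\x13\x0e" + b"Motorola, Inc."
MANGLED_DER = GOOD_DER.replace(b"\n", b"\r\n")   # what fopen(..., "w") on Windows does to it

if __name__ == "__main__":
    print("good:   ", diagnose(GOOD_DER), first_error(GOOD_DER))
    print("mangled:", diagnose(MANGLED_DER), first_error(MANGLED_DER))
    print("repaired matches original:", repair_crlf(MANGLED_DER) == GOOD_DER)
    print(to_pem(GOOD_DER), end="")
```

On the real 920-byte file the same three numbers come out as declared 916, surplus 4, four CR LF pairs, so `repair_crlf` would strip exactly the bytes Dave removed by hand; if a blob ever shows a surplus that does not match its CR LF count, the function refuses, and the offset in `first_error` is where to start reading the hex.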
