I have a problem loading some x509 certificates and cannot find the root cause.
My OpenSSL version:
$openssl version
LibreSSL 2.6.5
The command that loads the .pem file from my directory:
openssl x509 -in cert/cs_cannotload.pem -text -noout
Error message:
unable to load certificate
4534023788:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/asn1/tasn_dec.c:1125:
4534023788:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/asn1/tasn_dec.c:698:
4534023788:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/asn1/tasn_dec.c:599:Field=trust, Type=X509_CERT_AUX
4534023788:error:09FFF00D:PEM routines:CRYPTO_internal:ASN1 lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/pem/pem_oth.c:84:
The file cert/cs_cannotload.pem:
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
The certificate does load in some online certificate decoders, for example
https://www.sslshopper.com/certificate-decoder.html
I tried with another OpenSSL version (OpenSSL 1.0.2k-fips, 26 Jan 2017) and got the same error message.
Answer 0 (score: 0)
The data in your PEM block, once base64-decoded, is actually two certificates rather than one: apparently a child certificate followed by its parent, which is a (CA) root certificate:
$ openssl base64 -d <57246816.pem >57246816.bin; ll 57246816.bin
[redacted] 1740 [redacted] 57246816.bin
$ xxd <57246816.bin -l 16
0000000: 3082 0362 3082 024a a003 0201 0202 0204 0..b0..J........
$ echo $((4+0x362))
870
$ xxd <57246816.bin -s 870 -l 16
0000366: 3082 0362 3082 024a a003 0201 0202 0203 0..b0..J........
$ echo $((870+4+0x362))
1740
$ dd 2>/dev/null if=57246816.bin bs=870 count=1 |openssl x509 -inform d -noout -serial -issuer -subject -dates
serial=04E3
issuer= /C=SG/ST=Singapore/L=Singapore/O=GovTech/OU=APEX/CN=APEX GW0 L2 Root CA
subject= /C=SG/ST=SG/L=SG/O=CS/OU=CS/CN=CS/emailAddress=cheesiangcs@gmail.com
notBefore=Mar 28 10:02:40 2019 GMT
notAfter=Jun 30 08:00:00 2020 GMT
$ dd 2>/dev/null if=57246816.bin bs=870 count=1 skip=1 |openssl x509 -inform d -noout -serial -issuer -subject -dates
serial=03D8
issuer= /C=SG/ST=Singapore/L=Singapore/O=GovTech/OU=APEX/CN=APEX GW0 L2 Root CA
subject= /C=SG/ST=Singapore/L=Singapore/O=GovTech/OU=APEX/CN=APEX GW0 L2 Root CA
notBefore=Mar 13 02:32:04 2019 GMT
notAfter=Jun 30 08:00:00 2020 GMT
OpenSSL (and LibreSSL) is apparently trying to parse the "certificate DER followed by some other (DER) data" case as OpenSSL's "certificate DER plus trust DER" structure (note the Field=trust, Type=X509_CERT_AUX in the error stack), and that structure does not match what you have. I'm not sure it should do this when the PEM type is available to indicate otherwise; I'll look into that later.
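The answer's xxd/dd walk works because every DER certificate starts with a SEQUENCE tag (0x30) and a length header, so the outer element tells you exactly where the next one begins (4 + 0x362 = 870 here). The following Python is an added example, not part of the original answer or of OpenSSL: it decodes the length headers, splits a blob into its top-level SEQUENCEs, and refuses truncated or non-DER input. The two 870-byte blobs it uses are constructed filler with the same header bytes as the question's data (30 82 03 62), not real certificates.

```python
import base64
import re


def der_sequence(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE with a correctly encoded length.
    Used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])                       # short form
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body  # long form: 0x8N + N bytes
    return b"\x30" + length + content


def read_tlv(data: bytes, offset: int):
    """Return (tag, header_len, content_len) for the TLV at offset.
    Raises ValueError on a truncated header or an indefinite (BER-only) length."""
    if offset + 2 > len(data):
        raise ValueError("truncated tag/length header")
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:
        return tag, 2, first
    nbytes = first & 0x7F
    if nbytes == 0:
        raise ValueError("indefinite length is not valid DER")
    if offset + 2 + nbytes > len(data):
        raise ValueError("truncated long-form length")
    content_len = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
    return tag, 2 + nbytes, content_len


def split_der_sequences(data: bytes):
    """Split a blob into its top-level DER SEQUENCE elements.
    Returns a list of (offset, element_bytes); this is what the answer did by
    hand with xxd and dd. Anything that is not a SEQUENCE, or that claims more
    bytes than remain, raises ValueError instead of being silently ignored."""
    out, offset = [], 0
    while offset < len(data):
        tag, hlen, clen = read_tlv(data, offset)
        if tag != 0x30:
            raise ValueError(f"expected SEQUENCE (0x30) at {offset}, got 0x{tag:02x}")
        end = offset + hlen + clen
        if end > len(data):
            raise ValueError(f"element at {offset} claims {clen} bytes; blob too short")
        out.append((offset, data[offset:end]))
        offset = end
    return out


def pem_to_der(pem: str) -> bytes:
    """Base64-decode the body of the first PEM block, whatever its label."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def count_certs_in_pem(pem: str) -> int:
    """How many top-level DER elements hide inside one PEM block (should be 1)."""
    return len(split_der_sequences(pem_to_der(pem)))


# Constructed sample: two 870-byte SEQUENCEs back to back (header 30 82 03 62,
# content 0x362 = 866 bytes), mimicking the layout the answer found. The bytes
# inside are filler, not certificate fields.
SAMPLE_DER = (der_sequence(b"\x30\x82\x02\x4a" + b"A" * 862)
              + der_sequence(b"\x30\x82\x02\x4a" + b"B" * 862))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for off, elem in split_der_sequences(pem_to_der(SAMPLE_PEM)):
        print(f"offset {off}: {len(elem)} bytes, header {elem[:4].hex()}")
```

Run it against a real PEM by replacing SAMPLE_PEM with the file contents; a count greater than 1 is the condition that produced the X509_CERT_AUX error above, and each returned element can be written out and fed to `openssl x509 -inform der` separately.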