Windows 2008R2 CA & OpenSSL CSR: Error parsing CSR ASN1 bad value met


Problem description

I am using the OpenSSL C API to build a CSR. The code is as follows:

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Report the error (plus OpenSSL's error queue) and exit. The snippet as
// posted calls fatal() without defining it.
static void fatal(const char *msg) {
    fprintf(stderr, "%s\n", msg);
    ERR_print_errors_fp(stderr);
    exit(EXIT_FAILURE);
}

static void seedPRNG() {

    const int openSSLseedsize = 128;

    uint8_t *openSSLseed = NULL;
    openSSLseed = malloc(openSSLseedsize * sizeof(uint8_t));
    if (openSSLseed == NULL)
        fatal("Could not allocate seed buffer");
    //printf("%d\n\n", openSSLseedsize);

    // random number generator (Apple Security framework); errSecSuccess == 0
    if (SecRandomCopyBytes(kSecRandomDefault, openSSLseedsize, openSSLseed) != errSecSuccess)
        fatal("SecRandomCopyBytes failed");

    // debug output: note that this writes the seed bytes to stdout
    for (int i = 0; i < openSSLseedsize; i++) {
        printf("%d", openSSLseed[i]);
    }
    printf("\n\n\n\n");
    // seed OpenSSL's random pool with the bytes just obtained
    RAND_seed(openSSLseed, openSSLseedsize);
    free(openSSLseed);   // the posted version never freed this buffer
}

// Parameter settings for this cert
//
#define RSA_KEY_SIZE (2048)
#define ENTRIES 3

// array of entries to assign to cert
struct entry {
    const char *key;
    const char *value;
};

struct entry entries[ENTRIES] =
{
    {"emailAddress", "tomgrant@example.com"},
    {"commonName", "internal.example.com"},
    {"countryName", "GB"},
};

// Generate CSR

int generateCSR() {

    int i;
    RSA *rsakey;
    X509_REQ *req;
    X509_NAME *subj;
    EVP_PKEY *pkey;
    const EVP_MD *digest;   // EVP_sha1() returns a const pointer; no cast needed
    FILE *fp;

    // set up OpenSSL
    OpenSSL_add_all_algorithms();
    ERR_load_CRYPTO_strings();

    // seed OpenSSL's PRNG
    seedPRNG();

    // generate RSA key (no callback for progress - it's quick enough)
    // RSA_F4 is 0x10001 (or 65537) for the exponent.
    // RSA docs say exponent should be either 3, 5, 17, 257 or 65537 i.e. prime numbers. See here for further info:
    // http://security.stackexchange.com/questions/2335/should-rsa-public-exponent-be-only-in-3-5-17-257-or-65537-due-to-security-c

    rsakey = RSA_generate_key(RSA_KEY_SIZE, RSA_F4, NULL, NULL);

    if (rsakey == NULL) {
        fatal("Could not create RSA key");
    }

    // Create EVP ("Envelope Encryption" apparently...) object to hold our rsakey
    // generate private key
    if (!(pkey = EVP_PKEY_new()))
        fatal("Could not create EVP object");
    // assign the rsa key to EVP object (set1 takes its own reference)
    if (!(EVP_PKEY_set1_RSA(pkey, rsakey)))
        fatal("Could not assign RSA key to EVP object");
    RSA_free(rsakey);   // pkey holds its own reference now

    // create request object
    if (!(req = X509_REQ_new()))
        fatal("Failed to create X509_REQ object");

    // NB: there is no X509_REQ_set_version(req, 0) call here, so the version
    // INTEGER of the request is left unset; this is what the solution below fixes.

    // set the public key
    if (X509_REQ_set_pubkey(req, pkey) != 1)
        fatal("Error setting public key on request");

    // create and fill in subject object
    if (!(subj = X509_NAME_new()))
        fatal("Failed to create X509_NAME object");

    for (i = 0; i < ENTRIES; i++)
    {
        // create nid for every entry
        int nid; // ASN.1 numeric ID - ASN.1 = Abstract Syntax Notation One. Formal notation used to describe data transmitted by telecommunications protocols.
                 // The NID is a unique internal ID assigned to every object.

        X509_NAME_ENTRY *ent;

        if ((nid = OBJ_txt2nid(entries[i].key)) == NID_undef)
        {
            fprintf(stderr, "Error finding NID for %s\n", entries[i].key);
            fatal("Error on lookup");
        }
        if (!(ent = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_ASC, (unsigned char *)entries[i].value, -1)))
            fatal("Error creating Name entry from NID");

        if (X509_NAME_add_entry(subj, ent, -1, 0) != 1)
            fatal("Error adding entry to Name");
        X509_NAME_ENTRY_free(ent);   // X509_NAME_add_entry stores a copy
    }

    if (X509_REQ_set_subject_name(req, subj) != 1)
        fatal("Error adding subject to request");
    X509_NAME_free(subj);   // X509_REQ_set_subject_name stores a copy

    // request is filled in and contains our generated public key
    // now sign it (SHA-1 here; EVP_sha256() is the better choice for new requests)
    digest = EVP_sha1();

    if (!(X509_REQ_sign(req, pkey, digest)))
        fatal("Error signing request");

    // write output files
    //
    NSString *docDirectory = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) objectAtIndex:0];
    // append file name
    NSString *crtPath = [docDirectory stringByAppendingString:@"/example.crt"];
    NSLog(@"crtPath = %@", crtPath);

    if (!(fp = fopen([crtPath UTF8String], "w")))
        fatal("Error opening request file for writing");
    if (PEM_write_X509_REQ(fp, req) != 1)
        fatal("Error writing request");
    fclose(fp);

    NSString *keyPath = [docDirectory stringByAppendingString:@"/example.key"];
    NSLog(@"keyPath = %@", keyPath);
    if (!(fp = fopen([keyPath UTF8String], "w")))
        fatal("Error opening private key file for writing");
    // unencrypted PEM private key (no cipher, no passphrase)
    if (PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, 0, NULL) != 1)
        fatal("Error while writing private key");
    fclose(fp);

    X509_REQ_print_fp(stdout, req);

    EVP_PKEY_free(pkey);
    X509_REQ_free(req);

    return 0;

}

This creates a CSR and also outputs the private key. I can verify the CSR using an online CSR checker and it comes out with ticks all round saying it is correct. I am using a Windows 2008R2 CA to paste in the base64 CSR. However, when I submit the request, the Windows box throws back the following error:

Your Request Id is 0. The disposition message is "Error Parsing Request ASN1 bad tag value met. 0x8009310b (ASN: 267)".

This also occurs when using the mkreq.c example code that comes with OpenSSL to generate a CSR.

Has anyone come across this before? My research online has only come up with folks getting this error from funky certs issued from CAs (GoDaddy etc).

Any help would be most appreciated!

Solution

(Answered by the OP in an edit. See "Question with no answers, but issue solved in the comments".)

The OP wrote:

Well - my colleague and I FINALLY found a solution.

Looking at the ASN.1 representation (using openssl asn1parse), we noticed the BAD CSR had this representation:

8:d=2  hl=2 l=   0 prim: INTEGER           :00

Notice the l = 0 (I guess this means length). Then a GOOD CSR:

8:d=2  hl=2 l=   1 prim: INTEGER           :00

Notice l = 1

This is fixed by setting the version number of the CSR (the RFC says it should be set to 0).

So - using X509_REQ_set_version(req, 0); has fixed things and server 2008R2 gives me my beloved identity!
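To see what the fix changes on the wire, here is an added example (not code from the question or the answer) that walks a CSR's DER the way `openssl asn1parse` does and flags the zero-length version INTEGER; it needs no OpenSSL, and the two CSR byte strings are constructed minimal stand-ins (version plus an empty subject Name, no key or signature), not real requests.

```python
# Added example, not the OP's code: walk a CSR's DER like `openssl asn1parse`
# and flag the bug discussed above (a zero-length version INTEGER).
TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x06: "OBJECT", 0x30: "SEQUENCE",
             0x31: "SET", 0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x16: "IA5STRING"}

def _read_header(der, off):
    """Return (tag, header_len, content_len) for the DER element starting at off."""
    tag, first = der[off], der[off + 1]
    if first < 0x80:                       # short-form length: one byte
        return tag, 2, first
    n = first & 0x7F                       # long form: n following bytes hold the length
    if n == 0:
        raise ValueError("indefinite length is not valid DER")
    return tag, 2 + n, int.from_bytes(der[off + 2:off + 2 + n], "big")

def asn1_walk(der, off=0, end=None, depth=0, rows=None):
    """Rows of (offset, depth, hl, l, tag), one per element, in asn1parse order."""
    rows = [] if rows is None else rows
    end = len(der) if end is None else end
    while off < end:
        tag, hl, l = _read_header(der, off)
        rows.append((off, depth, hl, l, tag))
        if tag & 0x20:                     # constructed type: descend into its contents
            asn1_walk(der, off + hl, off + hl + l, depth + 1, rows)
        off += hl + l
    return rows

def asn1parse_lines(der):
    """Render rows in the `offset:d=.. hl=.. l=.. prim/cons: TYPE` style quoted above."""
    return ["%5d:d=%d  hl=%d l=%4d %s: %s" % (off, d, hl, l, "cons" if tag & 0x20 else "prim",
            TAG_NAMES.get(tag, "[%02x]" % tag)) for off, d, hl, l, tag in asn1_walk(der)]

def csr_version_ok(der):
    """True iff the version (first element of CertificationRequestInfo, depth 2) is
    the DER INTEGER 0, i.e. bytes 02 01 00. The failing CSR carried 02 00 instead."""
    for off, depth, hl, l, tag in asn1_walk(der):
        if depth == 2 and tag == 0x02:
            return l == 1 and der[off + hl] == 0x00
    return False                           # no version INTEGER at all

def _seq(body):                            # SEQUENCE wrapper, short-form length only
    return bytes([0x30, len(body)]) + body

# Constructed minimal stand-ins: version + empty subject Name, no key or signature.
GOOD_CSR = _seq(_seq(bytes([0x02, 0x01, 0x00]) + _seq(b"")))   # after X509_REQ_set_version(req, 0)
BAD_CSR = _seq(_seq(bytes([0x02, 0x00]) + _seq(b"")))          # version never set

if __name__ == "__main__":
    for name, der in (("BAD", BAD_CSR), ("GOOD", GOOD_CSR)):
        print(name, "version ok:", csr_version_ok(der))
        print("\n".join(asn1parse_lines(der)))
```

Run against a real request with `csr_version_ok(open("example.der", "rb").read())` after converting the PEM with `openssl req -in example.crt -outform DER`; a CA-side check of the same kind is what rejected the request above.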
