Not able to load the certificate from a buffer(byte sequence)


Hi I’m trying to load the certificate from the following buffer. b’0\x82\x02\x9a0\x82\x02\x01\xa0\x03\x02\x01\x02\x02\x08(\x81%\xf0s\x1b\xa5\x030\n\x06\x08*\x86H\xce=\x04\x03\x020!1\x1f0\x1d\x06\x03U\x04\x03\x13\x16ct-woodpecker CA51b4a40\x1e\x17\r220101000000Z\x17\r221231000000Z081604\x06\x03U\x04\x03\x13-288125f073.woodpecker.testing.letsencrypt.org0Y0\x13\x06\x07*\x86H\xce=\x02\x01\x06\x08*\x86H\xce=\x03\x01\x07\x03B\x00\x04\x1d\xce\xd7\xc8\x88\xb1Y1\xa6\x18\x81\xcd\xf6_\x97\x01\xc9\xf9\xe5\x7fh\x1f4\xb9\xa7l \xe6\x8d^T.\x97\x05\xe5 \x15\xdc\xfe\xa3\xb0\x087\xa2\x92\x80I\x98)X\x1d\xb3\xeb\x06\xda\xf9a\x8e\x02%\xff\x9b\x13\xab\xa3\x82\x01\n0\x82\x01\x060\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x07\x800\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000L\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04@0>0<\x06\x08+\x06\x01\x05\x05\x070\x02\x860http://issuer.woodpecker.testing.letsencrypt.org08\x06\x03U\x1d\x11\x0410/\x82-288125f073.woodpecker.testing.letsencrypt.org0?\x06\x03U\x1d\x1f\x0480604\xa02\xa00\x86.http://crls.woodpecker.testing.letsencrypt.org0I\x06\x08*\x86H\xce=\x04\x03\x02\x13.This is not the certificate you're looking for\x13\r1588385814322\x03H\x000E\x02!\x00\xd6\xb8H\x0c\xa4Jw?\xd6 \xa6\x92\xd8\xbb\x88fu\xa7\x0fK\xef\xd9\xff\x16M\xa9\xb5\x97\x97\xcah\xa5\x02 m\xfc\xd9K\xb6\xfekZ\xb5\xfdA\xaf\x85\xa4\xafy\xbe\x0c\x0e^[\xe55\xa1B\xcc`*"r\xc9\xa4’

I’m using the following line to load the certificate: crypto.load_certificate(crypto.FILETYPE_ASN1, buffer)

Exception: OpenSSL.crypto.Error: [('asn1 encoding routines', 'asn1_item_embed_d2i', 'sequence length mismatch'), ('asn1 encoding routines', 'asn1_template_noexp_d2i', 'nested asn1 error')]

However, I’m able to parse the same byte sequence using the C# x509 library. Any suggestions?

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:5 (3 by maintainers)

Top GitHub Comments

1 reaction
alex commented, Apr 5, 2021

I’m guessing the C# library just ignores extra data in that sequence.

On Mon, Apr 5, 2021 at 5:30 PM, jayanitw wrote:

Thanks a lot for investigating this. I’m wondering how the C# library was able to parse the same byte sequence.


1 reaction
alex commented, Apr 5, 2021

This is because this isn’t a valid certificate as far as I can tell. The signatureAlgorithm is supposed to contain a sequence with two elements, an OID and a value defined by that OID. But this blob of bytes has a sequence with three elements:

~/projects ❯❯❯ python -c "import sys; sys.stdout.write(b'0\x82\x02\x9a0\x82\x02\x01\xa0\x03\x02\x01\x02\x02\x08(\x81%\xf0s\x1b\xa5\x030\n\x06\x08*\x86H\xce=\x04\x03\x020!1\x1f0\x1d\x06\x03U\x04\x03\x13\x16ct-woodpecker CA51b4a40\x1e\x17\r220101000000Z\x17\r221231000000Z081604\x06\x03U\x04\x03\x13-288125f073.woodpecker.testing.letsencrypt.org0Y0\x13\x06\x07*\x86H\xce=\x02\x01\x06\x08*\x86H\xce=\x03\x01\x07\x03B\x00\x04\x1d\xce\xd7\xc8\x88\xb1Y1\xa6\x18\x81\xcd\xf6_\x97\x01\xc9\xf9\xe5\x7fh\x1f4\xb9\xa7l \xe6\x8d^T.\x97\x05\xe5 \x15\xdc\xfe\xa3\xb0\x087\xa2\x92\x80I\x98)X\x1d\xb3\xeb\x06\xda\xf9a\x8e\x02%\xff\x9b\x13\xab\xa3\x82\x01\n0\x82\x01\x060\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x07\x800\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000L\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04@0>0<\x06\x08+\x06\x01\x05\x05\x070\x02\x860http://issuer.woodpecker.testing.letsencrypt.org08\x06\x03U\x1d\x11\x0410/\x82-288125f073.woodpecker.testing.letsencrypt.org0?\x06\x03U\x1d\x1f\x0480604\xa02\xa00\x86.http://crls.woodpecker.testing.letsencrypt.org0I\x06\x08*\x86H\xce=\x04\x03\x02\x13.This is not the certificate you\'re looking for\x13\r1588385814322\x03H\x000E\x02!\x00\xd6\xb8H\x0c\xa4Jw?\xd6 \xa6\x92\xd8\xbb\x88fu\xa7\x0fK\xef\xd9\xff\x16M\xa9\xb5\x97\x97\xcah\xa5\x02 m\xfc\xd9K\xb6\xfekZ\xb5\xfdA\xaf\x85\xa4\xafy\xbe\x0c\x0e^[\xe55\xa1B\xcc`*\"r\xc9\xa4')" | openssl asn1parse -inform der -i
    0:d=0  hl=4 l= 666 cons: SEQUENCE          
    4:d=1  hl=4 l= 513 cons:  SEQUENCE          
    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
   13:d=2  hl=2 l=   8 prim:   INTEGER           :288125F0731BA503
   23:d=2  hl=2 l=  10 cons:   SEQUENCE          
   25:d=3  hl=2 l=   8 prim:    OBJECT            :ecdsa-with-SHA256
   35:d=2  hl=2 l=  33 cons:   SEQUENCE          
   37:d=3  hl=2 l=  31 cons:    SET               
   39:d=4  hl=2 l=  29 cons:     SEQUENCE          
   41:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   46:d=5  hl=2 l=  22 prim:      PRINTABLESTRING   :ct-woodpecker CA51b4a4
   70:d=2  hl=2 l=  30 cons:   SEQUENCE          
   72:d=3  hl=2 l=  13 prim:    UTCTIME           :220101000000Z
   87:d=3  hl=2 l=  13 prim:    UTCTIME           :221231000000Z
  102:d=2  hl=2 l=  56 cons:   SEQUENCE          
  104:d=3  hl=2 l=  54 cons:    SET               
  106:d=4  hl=2 l=  52 cons:     SEQUENCE          
  108:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
  113:d=5  hl=2 l=  45 prim:      PRINTABLESTRING   :288125f073.woodpecker.testing.letsencrypt.org
  160:d=2  hl=2 l=  89 cons:   SEQUENCE          
  162:d=3  hl=2 l=  19 cons:    SEQUENCE          
  164:d=4  hl=2 l=   7 prim:     OBJECT            :id-ecPublicKey
  173:d=4  hl=2 l=   8 prim:     OBJECT            :prime256v1
  183:d=3  hl=2 l=  66 prim:    BIT STRING        
  251:d=2  hl=4 l= 266 cons:   cont [ 3 ]        
  255:d=3  hl=4 l= 262 cons:    SEQUENCE          
  259:d=4  hl=2 l=  14 cons:     SEQUENCE          
  261:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Key Usage
  266:d=5  hl=2 l=   1 prim:      BOOLEAN           :255
  269:d=5  hl=2 l=   4 prim:      OCTET STRING      [HEX DUMP]:03020780
  275:d=4  hl=2 l=  29 cons:     SEQUENCE          
  277:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Extended Key Usage
  282:d=5  hl=2 l=  22 prim:      OCTET STRING      [HEX DUMP]:301406082B0601050507030106082B06010505070302
  306:d=4  hl=2 l=  12 cons:     SEQUENCE          
  308:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Basic Constraints
  313:d=5  hl=2 l=   1 prim:      BOOLEAN           :255
  316:d=5  hl=2 l=   2 prim:      OCTET STRING      [HEX DUMP]:3000
  320:d=4  hl=2 l=  76 cons:     SEQUENCE          
  322:d=5  hl=2 l=   8 prim:      OBJECT            :Authority Information Access
  332:d=5  hl=2 l=  64 prim:      OCTET STRING      [HEX DUMP]:303E303C06082B060105050730028630687474703A2F2F6973737565722E776F6F647065636B65722E74657374696E672E6C657473656E63727970742E6F7267
  398:d=4  hl=2 l=  56 cons:     SEQUENCE          
  400:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Subject Alternative Name
  405:d=5  hl=2 l=  49 prim:      OCTET STRING      [HEX DUMP]:302F822D323838313235663037332E776F6F647065636B65722E74657374696E672E6C657473656E63727970742E6F7267
  456:d=4  hl=2 l=  63 cons:     SEQUENCE          
  458:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 CRL Distribution Points
  463:d=5  hl=2 l=  56 prim:      OCTET STRING      [HEX DUMP]:30363034A032A030862E687474703A2F2F63726C732E776F6F647065636B65722E74657374696E672E6C657473656E63727970742E6F7267
  521:d=1  hl=2 l=  73 cons:  SEQUENCE          
  523:d=2  hl=2 l=   8 prim:   OBJECT            :ecdsa-with-SHA256
  533:d=2  hl=2 l=  46 prim:   PRINTABLESTRING   :This is not the certificate you're looking for
  581:d=2  hl=2 l=  13 prim:   PRINTABLESTRING   :1588385814322
  596:d=1  hl=2 l=  72 prim:  BIT STRING        

vs.

   Certificate  ::=  SEQUENCE  {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING  }

   AlgorithmIdentifier  ::=  SEQUENCE  {
        algorithm               OBJECT IDENTIFIER,
        parameters              ANY DEFINED BY algorithm OPTIONAL  }
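
The structural rule discussed in the comment above can be checked without OpenSSL. The following is an added example, not code from the issue or from pyOpenSSL: a small DER walker that reports when signatureAlgorithm holds more than the two elements AlgorithmIdentifier allows. The function names and the GOOD/BAD samples are constructed for illustration; the samples are short stand-ins with an empty tbsCertificate, not the buffer from the issue.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def tlv(tag, value):
    """Encode one DER element; used only to build the constructed samples below."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def shape_problems(der):
    """List structural violations of Certificate / AlgorithmIdentifier (hypothetical helper)."""
    tag, body, end = read_tlv(der)
    problems = [] if end == len(der) else ["trailing bytes after the outer SEQUENCE"]
    parts = children(body)
    if tag != 0x30 or [t for t, _ in parts] != [0x30, 0x30, 0x03]:
        return problems + ["not SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }"]
    alg = children(parts[1][1])            # content of signatureAlgorithm
    if not alg or alg[0][0] != 0x06:
        problems.append("signatureAlgorithm does not start with an OID")
    if len(alg) > 2:
        problems.append(f"signatureAlgorithm has {len(alg)} elements, at most 2 allowed")
    return problems

# Constructed samples: placeholder tbsCertificate and signature, real ecdsa-with-SHA256 OID.
OID = bytes.fromhex("06082a8648ce3d040302")
TBS, SIG = tlv(0x30, b""), tlv(0x03, b"\x00" + b"\x01" * 8)
GOOD = tlv(0x30, TBS + tlv(0x30, OID) + SIG)
BAD = tlv(0x30, TBS + tlv(0x30, OID + tlv(0x13, b"extra") + tlv(0x13, b"1588385814322")) + SIG)
```

A parser that reads only the first one or two elements of the inner SEQUENCE and skips the rest would accept BAD; a strict decoder that requires the SEQUENCE to be fully consumed rejects it.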
