OpenSSLv1.1.0e CSR verification error, problem creating object tsa_policy1=1.2.3.4.1 #2795
Comments
Please post a CSR (base64 encoding) so we can try to debug this.
That's a problem with the configuration file openssl.cnf attempting to create an object more than once or maybe loading it more than once though that shouldn't happen. Are you using the default openssl.cnf or has it been modified? If it's the default one, try commenting out the line containing tsa_policy1.
Using the default, openssl.cfg. Commenting out the line tsa_policy1 worked. What is the function of that line of code? Interestingly enough, when I un-comment the line, a CSR verification works for one CSR file. After that one, it goes back to the same error.
```
OpenSSL> req -text -noout -verify -in test.csr
verify OK
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = US, ST = A, L = B, O = C, OU = D, CN = TEST
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:3d:42:36:73:b7:08:9f:b8:88:ec:c9:a2:63:
ab:a9:73:6e:19:6a:d5:ea:4b:77:9a:e7:e8:42:6d:
b2:fa:67:7e:6b:ee:25:2b:7e:a2:20:24:3a:02:2f:
93:66:9a:22:37:be:29:31:5b:f8:60:09:ab:26:ab:
fa:a8:63:48:3d:60:9f:f8:73:ff:25:f3:46:c6:84:
2c:39:c2:74:c9:41:27:07:fd:62:fb:b8:80:c6:81:
e5:70:f1:75:ab:62:b1:bf:99:54:34:27:d2:43:a0:
58:65:7e:a3:2d:fa:dd:68:09:16:50:a7:42:81:cb:
07:9e:59:f3:8b:99:5c:94:dc:c1:2b:b8:81:5e:63:
05:27:98:75:54:f0:f4:6f:71:ec:73:d9:2e:ca:eb:
59:25:81:a3:27:95:fe:ba:b1:53:df:76:33:c5:6f:
1e:5d:01:6c:82:06:e9:31:d9:12:2e:94:b1:71:0e:
8e:22:98:b3:49:2e:5c:69:20:ce:de:45:58:ea:a0:
ca:62:b5:4c:48:2d:64:68:e7:f1:53:25:3a:e4:33:
11:d1:0c:1f:88:63:2a:ca:3b:10:45:55:87:ac:d9:
c8:08:31:9e:ea:7d:04:28:aa:0d:15:51:d1:50:69:
18:e7:2a:c5:a1:88:c3:a2:65:9e:c6:b7:9e:24:91:
74:eb
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
81:68:dc:a6:83:3e:83:be:49:17:39:e6:80:93:00:15:40:d9:
6b:4b:d9:02:73:8f:ee:0b:b3:4b:cf:4f:9d:0b:01:80:6f:87:
d1:d8:6e:18:a8:c7:c7:cb:37:e1:e2:78:9d:14:34:34:52:b9:
4a:81:56:c9:95:95:8f:e0:5d:43:57:ab:1a:5e:bc:0e:37:86:
36:6d:db:de:4f:0c:f6:d8:a2:12:61:76:d9:81:85:3c:c1:38:
df:43:e2:f2:e2:53:fb:a6:c5:71:0f:18:23:68:80:c4:95:e0:
63:77:f9:51:c9:51:ef:49:40:2b:c4:7e:f8:c2:46:66:87:4e:
0c:23:0e:56:24:bd:bb:6f:79:51:ec:08:d3:a6:91:32:ab:12:
9c:0f:2b:f1:6e:f0:ec:a0:9c:c5:31:bd:54:09:c9:22:1f:cb:
c0:45:9c:cd:02:77:0b:9d:a2:a3:d6:a3:dd:8c:35:c0:19:89:
a7:31:73:b9:57:cd:5e:8c:31:bb:67:dd:1f:13:8b:dc:52:77:
e1:11:8d:62:bf:d3:84:f8:67:44:a8:98:56:a1:83:3c:27:45:
a2:d2:1f:a3:39:06:32:be:aa:54:b4:d1:e1:2a:3c:13:44:09:
be:6c:c7:c6:9b:5c:8b:7f:07:a4:2a:35:5d:46:8b:26:55:9b:
12:94:69:9e
OpenSSL> req -text -noout -verify -in test.csr
problem creating object tsa_policy1=1.2.3.4.1
7252:error:08064066:object identifier routines:OBJ_create:oid exists:crypto\obje
cts\obj_dat.c:689:
error in req
OpenSSL>
```
Same error for me. All the 3 tsa policies are not commented. When I comment them, it worked.
…r on some platforms, possibly because this fails if the OID is already configured in ```openssl.cnf```, see [here](openssl/openssl#2795).
I think we can either ignore this error for cmdline apps or check whether the object with same OID and SN is already registered. The 2nd variant seems to be more robust.
The actual issue here is that there's a lack of internal cleanup between commands when using openssl's command prompt. This should really be fixed.
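A toy model of the failure reported above and of the second variant proposed in the two preceding comments, added here as an illustration; it is not OpenSSL code and not written by anyone in this thread. The function names, the table layout and the `tsa_policy2`/`tsa_policy3` values are assumptions; only `tsa_policy1=1.2.3.4.1` is taken from the page.

```python
# Toy model of the behaviour discussed in this thread; it does not call OpenSSL.
SAMPLE_CNF = """\
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6   # constructed value
tsa_policy3 = 1.2.3.4.5.7   # constructed value
"""

class OidExists(Exception):
    pass

def parse_new_oids(cnf, section="new_oids"):
    """Return [(short_name, oid), ...] from one section of openssl.cnf-style text."""
    entries, current = [], None
    for raw in cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            name, oid = (part.strip() for part in line.split("=", 1))
            entries.append((name, oid))
    return entries

def create_strict(table, name, oid):
    # Behaviour reported above: an OID that is already in the table is an error.
    if oid in table:
        raise OidExists(f"problem creating object {name}={oid}")
    table[oid] = name

def create_idempotent(table, name, oid):
    # Second variant: an identical OID/short-name pair is a no-op, a partial clash fails.
    if table.get(oid) == name:
        return
    if oid in table or name in table.values():
        raise OidExists(f"conflicting definition for {name}={oid}")
    table[oid] = name

def run_commands(count, idempotent):
    """Run `count` commands, each reloading the config into one never-cleared table."""
    table, results = {}, []          # table maps OID -> short name
    register = create_idempotent if idempotent else create_strict
    for _ in range(count):
        try:
            for name, oid in parse_new_oids(SAMPLE_CNF):
                register(table, name, oid)
            results.append("ok")
        except OidExists as exc:
            results.append(str(exc))
    return results
```

With the strict rule the first command succeeds and every later one fails on `tsa_policy1`, which matches the session posted earlier; with the idempotent rule repeated loads succeed while a genuinely conflicting definition is still rejected.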
I'll close this, but only to create a new issue that describes the true problem.
There seems to be an issue doing a CSR inspection in OpenSSL 1.1.0e. Let it first be known that any CSR created in this version can be inspected in previous versions of OpenSSL. 1.0.2k was used for my verification purposes.
When the following CSR verification command is run in v1.1.0e:
```
req -text -noout -verify -in filename.csr
```
The following error is output: