
ERROR: test_extension_count (__main__.X509Tests) / ERROR: test_get_extension (__main__.X509Tests) #149

Closed
sandrotosi opened this issue Aug 18, 2014 · 7 comments

Comments

@sandrotosi

When building pyopenssl 0.14 on Debian (with python-cryptography 0.5.2) I got this error when running tests in a clean chroot:

ERROR: test_extension_count (__main__.X509Tests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "OpenSSL/test/test_crypto.py", line 1483, in test_extension_count
    c = self._extcert(pkey, [])
  File "OpenSSL/test/test_crypto.py", line 1468, in _extcert
    FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert))
  File "/tmp/buildd/pyopenssl-0.14/build/lib/OpenSSL/crypto.py", line 1219, in load_certificate
    _raise_current_error()
  File "/tmp/buildd/pyopenssl-0.14/build/lib/OpenSSL/_util.py", line 22, in exception_from_error_queue
    raise exceptionType(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'c2i_ASN1_OBJECT', 'invalid object encoding'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]

======================================================================
ERROR: test_get_extension (__main__.X509Tests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "OpenSSL/test/test_crypto.py", line 1506, in test_get_extension
    cert = self._extcert(pkey, [ca, key, subjectAltName])
  File "OpenSSL/test/test_crypto.py", line 1468, in _extcert
    FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert))
  File "/tmp/buildd/pyopenssl-0.14/build/lib/OpenSSL/crypto.py", line 1219, in load_certificate
    _raise_current_error()
  File "/tmp/buildd/pyopenssl-0.14/build/lib/OpenSSL/_util.py", line 22, in exception_from_error_queue
    raise exceptionType(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'c2i_ASN1_OBJECT', 'invalid object encoding'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]
@sandrotosi
Author

It's happening on both py2.7 and py3.4.

@peterpramb

Not sure if the original reporter also uses OpenSSL >= 1.0.1i, but I get the same error using 1.0.1l now. It seems there was a bug fix in OpenSSL 1.0.1i which causes errors on certificates without a proper signature algorithm OID. This basically means that certificates without signatures are no longer valid, which is exactly what _extcert() produces.

See http://openssl.6102.n7.nabble.com/Behavior-change-in-1-0-1i-crypto-tp53321p53356.html for reference.

A small test running on CentOS 5 with OpenSSL 1.0.1l and CentOS 6 with the default system OpenSSL (1.0.1e) shows the difference between the versions.

Shortened test case from test_crypto.py:

from datetime import datetime
from OpenSSL.crypto import X509, FILETYPE_PEM, load_privatekey, dump_certificate
from OpenSSL.test.util import b

client_key_pem = b("""-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----""")

# Build a bare certificate exactly as _extcert() does: subject, issuer, validity
# and extensions are set, but cert.sign() is never called, so the signature
# algorithm OID and the signature itself stay empty.
cert = X509()
cert.set_pubkey(load_privatekey(FILETYPE_PEM, client_key_pem))
cert.get_subject().commonName = "Unit Tests"
cert.get_issuer().commonName = "Unit Tests"
when = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
cert.set_notBefore(when)
cert.set_notAfter(when)
cert.add_extensions([])
# Serialising the unsigned cert is what produces the dumps below; feeding the
# result back to load_certificate() fails on OpenSSL >= 1.0.1i.
dump_certificate(FILETYPE_PEM, cert)

OpenSSL 1.0.1e produces:

  0:d=0  hl=4 l= 262 cons: SEQUENCE          
  4:d=1  hl=3 l= 251 cons:  SEQUENCE          
  7:d=2  hl=2 l=   0 prim:   INTEGER           :00
  9:d=2  hl=2 l=   3 cons:   SEQUENCE          
 11:d=3  hl=2 l=   1 prim:    OBJECT            :itu-t
 14:d=2  hl=2 l=  21 cons:   SEQUENCE          
 16:d=3  hl=2 l=  19 cons:    SET               
 18:d=4  hl=2 l=  17 cons:     SEQUENCE          
 20:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
 25:d=5  hl=2 l=  10 prim:      PRINTABLESTRING   :Unit Tests
 37:d=2  hl=2 l=  34 cons:   SEQUENCE          
 39:d=3  hl=2 l=  15 prim:    GENERALIZEDTIME   :20150216223804Z
 56:d=3  hl=2 l=  15 prim:    GENERALIZEDTIME   :20150216223804Z
 73:d=2  hl=2 l=  21 cons:   SEQUENCE          
 75:d=3  hl=2 l=  19 cons:    SET               
 77:d=4  hl=2 l=  17 cons:     SEQUENCE          
 79:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
 84:d=5  hl=2 l=  10 prim:      PRINTABLESTRING   :Unit Tests
 96:d=2  hl=3 l= 159 cons:   SEQUENCE          
 99:d=3  hl=2 l=  13 cons:    SEQUENCE          
101:d=4  hl=2 l=   9 prim:     OBJECT            :rsaEncryption
112:d=4  hl=2 l=   0 prim:     NULL              
114:d=3  hl=3 l= 141 prim:    BIT STRING        
258:d=1  hl=2 l=   3 cons:  SEQUENCE          
260:d=2  hl=2 l=   1 prim:   OBJECT            :itu-t
263:d=1  hl=2 l=   1 prim:  BIT STRING        

And OpenSSL 1.0.1l:

  0:d=0  hl=4 l= 261 cons: SEQUENCE          
  4:d=1  hl=3 l= 251 cons:  SEQUENCE          
  7:d=2  hl=2 l=   1 prim:   INTEGER           :00
 10:d=2  hl=2 l=   2 cons:   SEQUENCE          
 12:d=3  hl=2 l=   0 prim:    OBJECT            :BAD OBJECT
 14:d=2  hl=2 l=  21 cons:   SEQUENCE          
 16:d=3  hl=2 l=  19 cons:    SET               
 18:d=4  hl=2 l=  17 cons:     SEQUENCE          
 20:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
 25:d=5  hl=2 l=  10 prim:      UTF8STRING        :Unit Tests
 37:d=2  hl=2 l=  34 cons:   SEQUENCE          
 39:d=3  hl=2 l=  15 prim:    GENERALIZEDTIME   :20150216223956Z
 56:d=3  hl=2 l=  15 prim:    GENERALIZEDTIME   :20150216223956Z
 73:d=2  hl=2 l=  21 cons:   SEQUENCE          
 75:d=3  hl=2 l=  19 cons:    SET               
 77:d=4  hl=2 l=  17 cons:     SEQUENCE          
 79:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
 84:d=5  hl=2 l=  10 prim:      UTF8STRING        :Unit Tests
 96:d=2  hl=3 l= 159 cons:   SEQUENCE          
 99:d=3  hl=2 l=  13 cons:    SEQUENCE          
101:d=4  hl=2 l=   9 prim:     OBJECT            :rsaEncryption
112:d=4  hl=2 l=   0 prim:     NULL              
114:d=3  hl=3 l= 141 prim:    BIT STRING        
258:d=1  hl=2 l=   2 cons:  SEQUENCE          
260:d=2  hl=2 l=   0 prim:   OBJECT            :BAD OBJECT
262:d=1  hl=2 l=   1 prim:  BIT STRING        

Note the BAD OBJECT in the ASN1 dump.

The proper fix would probably be to self-sign the certificate first before calling load_certificate(), but maybe there is a simpler approach as well.
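An added checker, not part of this thread or of pyOpenSSL, that walks the DER of the certificate dumped above with a minimal TLV parser and reports whether it carries a real signature. It flags both encodings shown in the comments: the 1.0.1e form, where the signatureAlgorithm OID is the single byte 0x00 (printed as "itu-t", i.e. 0.0) and the signature BIT STRING holds no bits, and the 1.0.1i+ form, where the OID is zero-length ("BAD OBJECT"). The function and constant names are this example's own.

```python
import base64
# Constructed input: the unsigned certificate from the OpenSSL 1.0.1e dump above.
UNSIGNED_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBBjCB+wIAMAMGAQAwFTETMBEGA1UEAxMKVW5pdCBUZXN0czAiGA8yMDE1MDIx
NjIyMzgwNFoYDzIwMTUwMjE2MjIzODA0WjAVMRMwEQYDVQQDEwpVbml0IFRlc3Rz
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAZh/SRtNm5ntMT4qb6YzEpTro
Mlq2rn+GrRHRiZ+xkCw/CGNhbtPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSesp
l+xKiku4G/KvnnmWdeJHqsiXeUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+
7DtboCRajYyHfluARQIDAQABMAMGAQADAQA=
-----END CERTIFICATE-----"""

def read_tlv(buf, pos):
    """Decode one BER/DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    """Dotted form of an OID's content bytes; '' for the zero-length 'BAD OBJECT'."""
    arcs, cur = [], 0
    for byte in raw:                        # base-128 arcs, high bit = continuation
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(cur)
            cur = 0
    if not arcs:
        return ""
    first, rest = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(a) for a in [first, rest] + arcs[1:])

def signature_status(pem):
    """Return (signatureAlgorithm OID, signature length in bytes) of a PEM certificate."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = read_tlv(base64.b64decode(body), 0)          # outer Certificate
    tbs, sig_alg, sig_bits = [val for _, val in children(cert)][:3]
    alg_oid = next(children(sig_alg))[1]                       # AlgorithmIdentifier.algorithm
    return decode_oid(alg_oid), len(sig_bits) - 1              # minus the unused-bits byte

def is_unsigned(pem):  # no real signature: empty/0.0 algorithm OID or empty signature
    oid, sig_len = signature_status(pem)
    return sig_len == 0 or oid in ("", "0.0")
```

For the certificate above it reports OID 0.0 with a zero-byte signature, which is exactly what the newer decoder refuses; a certificate signed before dump_certificate() yields a real algorithm OID such as 1.2.840.113549.1.1.11 and a non-empty signature.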

@peterpramb

Just for reference - the OpenSSL X509 dump.

OpenSSL 1.0.1e:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
    Signature Algorithm: itu-t
        Issuer: CN=Unit Tests
        Validity
            Not Before: Feb 16 22:38:04 2015 GMT
            Not After : Feb 16 22:38:04 2015 GMT
        Subject: CN=Unit Tests
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c0:66:1f:d2:46:d3:66:e6:7b:4c:4f:8a:9b:e9:
                    8c:c4:a5:3a:e8:32:5a:b6:ae:7f:86:ad:11:d1:89:
                    9f:b1:90:2c:3f:08:63:61:6e:d3:e2:af:bf:d0:c5:
                    a5:23:db:a0:52:99:0a:c7:c3:56:c6:28:46:cf:b1:
                    68:96:ed:b7:57:49:eb:29:97:ec:4a:8a:4b:b8:1b:
                    f2:af:9e:79:96:75:e2:47:aa:c8:97:79:46:6d:aa:
                    ea:cc:10:b7:0f:40:0c:3d:c4:f1:c4:ba:1a:aa:50:
                    9b:ef:12:83:13:b2:70:84:a8:63:3e:ec:3b:5b:a0:
                    24:5a:8d:8c:87:7e:5b:80:45
                Exponent: 65537 (0x10001)
    Signature Algorithm: itu-t
-----BEGIN CERTIFICATE-----
MIIBBjCB+wIAMAMGAQAwFTETMBEGA1UEAxMKVW5pdCBUZXN0czAiGA8yMDE1MDIx
NjIyMzgwNFoYDzIwMTUwMjE2MjIzODA0WjAVMRMwEQYDVQQDEwpVbml0IFRlc3Rz
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAZh/SRtNm5ntMT4qb6YzEpTro
Mlq2rn+GrRHRiZ+xkCw/CGNhbtPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSesp
l+xKiku4G/KvnnmWdeJHqsiXeUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+
7DtboCRajYyHfluARQIDAQABMAMGAQADAQA=
-----END CERTIFICATE-----

OpenSSL 1.0.1l:

unable to load certificate
140564298999624:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:303:
140564298999624:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=algorithm, Type=X509_ALGOR
140564298999624:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=signature, Type=X509_CINF
140564298999624:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=cert_info, Type=X509
140564298999624:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

@mrjefftang
Contributor

I'm seeing the same errors on OpenSSL 1.0.2 now.

https://travis-ci.org/pyca/pyopenssl/jobs/51081537

I'm starting to incorporate all of these fixes in my PR #193 as it's all cropped up with the latest OpenSSL 1.0.2.

@peterpramb

Thanks, I can confirm that the test suite runs now cleanly with the fixes in #193 for both OpenSSL >= and < 1.0.1i.

@sandrotosi
Author

The tests in the original message are still failing in the same way with 0.15 and cryptography 0.8.2-1.

@hynek
Contributor

hynek commented Oct 17, 2015

I understand this issue has been fixed in #193. Please reopen if it’s still present.

@hynek hynek closed this as completed Oct 17, 2015
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 18, 2020