5

I recently updated OpenSSL from 1.0.2n to 1.1.0g on a Linux system.

Earlier I was using the function

ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, long len)

As this function was removed in OpenSSL 1.1.0, I have now replaced it with

ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, long length)

Now when I run my application, I get this warning:

Warning:0:-- SSL Error queue report -- Warning:0: - asn1 encoding routines|d2i_ASN1_UINTEGER|expecting an integer:218718323

What is the solution for this problem?

2 Answers

7

ASN.1 encoding of an INTEGER (as BER or DER) consists of 1 or more "identifier" octets (usually 1), followed by 1 or more "length" octets, followed by "content" octets (the length of which is determined by the previous "length" octets).

The function c2i_ASN1_INTEGER assumes you have already parsed the "identifier" and "length" octets and converts the "content" bytes into an integer. This was removed from OpenSSL 1.1.0 because this is considered a very low-level parsing operation that applications should not be calling directly.

The function d2i_ASN1_UINTEGER is not a direct drop-in replacement for c2i_ASN1_INTEGER. It parses the whole integer (including the "identifier" and "length" octets). If you pass it just the content octets then it will interpret the first byte as an "identifier" octet. This will likely have the wrong value for an integer and so this is probably why you are seeing the "expecting an integer" error.

You will need to rewrite your code to pass the whole integer to d2i_ASN1_UINTEGER.

7
  • Hi @Matt, thanks for your answer. As I was going through some of the links, I thought that I could directly replace the c2i function with the d2i function. Can you suggest code to parse the identifier and length from the whole integer?
    – Karma Yogi
    Commented May 31, 2019 at 8:50
  • That's a very difficult question to answer. Basically in order to replace c2i_ASN1_INTEGER with d2i_ASN1_UINTEGER you have to remove whatever code you had for parsing the identifier and length. Since I don't know what your code looks like, I can't really advise on how to remove that parsing.
    Commented May 31, 2019 at 10:25
  • Ok Thanks for the reply. I thought there may be a new API for parsing. Anyway I will try it out. Thanks again
    – Karma Yogi
    Commented May 31, 2019 at 10:39
  • @Matt According to this article objc.io/issues/17-security/receipt-validation How to get d2i_ASN1_UINTEGER to work with openssl above 1.1.0? thanks
    – webmastx
    Commented Jul 10, 2019 at 15:29
  • That's really a separate question which probably doesn't belong in the comments section of this answer.
    Commented Jul 12, 2019 at 8:07
7

Here's an example of some code that uses c2i_ASN1_INTEGER().

ASN1_get_object(&ptr, &length, &type, &xclass, end - ptr);
if (type == V_ASN1_INTEGER) {
    integer = c2i_ASN1_INTEGER(NULL, &ptr, length);
    value = ASN1_INTEGER_get(integer);
    ASN1_INTEGER_free(integer);

    // do something with value
} else
    ptr += length;

Here's how I modified the code to use d2i_ASN1_UINTEGER() instead.

save_ptr = ptr;
ASN1_get_object(&ptr, &length, &type, &xclass, end - ptr);
if (type == V_ASN1_INTEGER) {
    ptr = save_ptr;
    integer = d2i_ASN1_UINTEGER(NULL, &ptr, end - ptr);
    value = ASN1_INTEGER_get(integer);
    ASN1_INTEGER_free(integer);

    // do something with value
} else
    ptr += length;

First I saved ptr in save_ptr. ASN1_get_object() takes ptr pointing to the beginning of the BER/DER. ASN1_get_object() updates ptr to point to the content. c2i_ASN1_INTEGER() takes ptr pointing to the content, advances ptr beyond the content to point to the beginning of the next BER/DER, and returns an ASN1_INTEGER.

Now d2i_ASN1_UINTEGER() returns an ASN1_INTEGER too, but it needs to take ptr pointing to the beginning of the BER/DER. So I simply set ptr back to its value before ASN1_get_object() was called. d2i_ASN1_UINTEGER() takes ptr pointing to the beginning of the BER/DER, advances ptr to the beginning of the next BER/DER, and returns an ASN1_INTEGER.

1
  • Excellent explanation. Worked great for me. Thank you, KGBird.
    – pdq
    Commented May 26, 2021 at 21:55
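
The identifier/length/content layout from the first answer and the pointer positions from the second, shown with a small stand-alone DER INTEGER reader: starting at the identifier octet succeeds, starting at the content octets fails the identifier check. This is an added example, not code from either answer and not OpenSSL's implementation; der_read_uint, value_at and SAMPLE are hypothetical names and the bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: two DER INTEGERs back to back, 256 then 5. */
static const unsigned char SAMPLE[] = { 0x02, 0x02, 0x01, 0x00,  0x02, 0x01, 0x05 };

/* Read one non-negative DER INTEGER (identifier + length + content) at *pp.
 * On success: store the value, advance *pp past the element, return 0.
 * Errors: -1 not an INTEGER, -2 bad/truncated length, -3 negative or too long. */
int der_read_uint(const unsigned char **pp, size_t len, uint64_t *out)
{
    const unsigned char *p = *pp;
    size_t clen, i, n;
    if (len < 2) return -2;
    if (p[0] != 0x02) return -1;            /* identifier octet: UNIVERSAL 2 */
    if (p[1] < 0x80) {                      /* short form: length in one octet */
        clen = p[1];
        p += 2; len -= 2;
    } else {                                /* long form: low 7 bits count the length octets */
        n = p[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > len - 2) return -2;
        for (clen = 0, i = 0; i < n; i++) clen = (clen << 8) | p[2 + i];
        p += 2 + n; len -= 2 + n;
    }
    if (clen == 0 || clen > len) return -2; /* content must lie inside the buffer */
    if (p[0] & 0x80) return -3;             /* sign bit set: negative value */
    if (clen > 9 || (clen == 9 && p[0] != 0)) return -3; /* too long for uint64_t */
    for (*out = 0, i = 0; i < clen; i++) *out = (*out << 8) | p[i];
    *pp = p + clen;
    return 0;
}

/* Demo helper: parse SAMPLE starting at offset `off`; returns value or error code. */
long long value_at(size_t off)
{
    const unsigned char *p = SAMPLE + off;
    uint64_t v = 0;
    int rc = der_read_uint(&p, sizeof(SAMPLE) - off, &v);
    return rc ? rc : (long long)v;
}

int main(void)
{
    printf("offset 0 (start of element): %lld\n", value_at(0));
    printf("offset 2 (content only):     %lld\n", value_at(2));
    printf("offset 4 (next element):     %lld\n", value_at(4));
    return 0;
}
```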
