From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020826 Description of problem: When openssl is used to sign certs (openssl x509 ...) with certain extensions, it pukes with an error such as: Error Loading extension section ext 30767:error:0D06B089:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:130: 30767:error:0D081065:asn1 encoding routines:d2i_ASN1_OBJECT:bad object header:a_object.c:217: 30767:error:2206706E:X509 V3 routines:V2I_EXT_KU:invalid object identifier:v3_extku.c:143:section:,name:1.3.6.1.5.5.7.3.2,value: 30767:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=extendedKeyUsage, value=1.3.6.1.5.5.7.3.2 In this case, it was complaining about: extendedKeyUsage = 1.3.6.1.5.5.7.3.2 This is a major problem, because certain Microsoft applications require you to be able to insert OIDs when signing certs. This is a recent problem. It was introduced somewhere between <openssl-devel-0.9.6b-8> and <openssl-0.9.6b-28>. It appears there are some snapshot versions of 0.9.6b that had a problem. Possibly you built with a bogus snapshot. See: http://www.mail-archive.com/openssl-users@openssl.org/msg28171.html Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Download tarball from http://www.unicom.com/tmp/signfail-test.tar.gz 2. sh cmd 3. Actual Results: openssl puked Expected Results: Running with <openssl-0.9.6b-8> produces: Signature ok subject=/C=US/ST=Massachusetts/L=Bolton/O=Amaranth Networks, Inc./CN=Chip Rosenthal/Email=chip Getting CA Private Key and outputs a valid cert to "catool-cert.pem". Additional info: Until this problem is fixed, openssl is not useful for signing anything but the simplest of SSL certs.
Created attachment 88967 [details] test case that demonstrates the bug This attachment contains the testcase I referred to in the bug report. (http://www.unicom.com/tmp/signfail-test.tar.gz)
This bug is causing serious problems. Would be nice if someone could look at it. An opportunity to address this was missed when the last errata was produced.
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Red Hat apologizes that these issues have not been resolved yet. We do want to make sure that no important bugs slip through the cracks. Please check if this issue is still present in a current Fedora Core release. If so, please change the product and version to match, and check the box indicating that the requested information has been provided. Note that any bug still open against Red Hat Linux on will be closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Closing as CANTFIX.
hi, I am also facing same issue on windows 10. IS any solution kindly share with us. OpenSSL> req -new -x509 -config cert_config.txt -extensions my_exts -nodes -days 365 -key ecdsasigner.key -out ecdsasigner.crt Error Loading extension section my_exts 2860:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:crypto\asn1\a_object.c:73: 2860:error:2206706E:X509 V3 routines:v2i_EXTENDED_KEY_USAGE:invalid object identifier:crypto\x509v3\v3_extku.c:96:section:<NULL>,name:codesigning,value:<NULL> 2860:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto\x509v3\v3_conf.c:47:name=extendedKeyUsage, value=codesigning error in req thanks,