PEM Certificate ASN.1 Issue: exception error: no match of right hand side value

Questions / Help
,
1

Good afternoon,

I hope someone can assist me. I have a certificate in PEM format that can be validated by various online decoders as well as OpenSSL. (The cert I am testing with is added below)

I have seen a similar error saying that the initial 24 bytes is an issue but even after removing it, still does not seem to resolve. If anyone can assist or has any suggestions it would be welcome.

The Pem decode works perfectly

[PemEntry] = public_key:pem_decode(PEM).
[{'PrivateKeyInfo',<<48,130,4,75,48,130,3,51,160,3,2,1,2,
                     2,9,0,218,186,14,186,109,241,32,121,
                     48,13,...>>,
                   not_encrypted}]

but in the following the following error occurs

public_key:pem_entry_decode(PEMEntry).

** exception error: no match of right hand side value {error,{asn1,{{wrong_tag,{{expected,2},
{got,16,
{16,
[{131072,[{2,<<2>>}]},
{2,<<0,218,186,14,186,109,241,32,121>>},
{16,[{6,<<42,134,72,134,247,13,1,...>>},{5,<<>>}]},
{16,
[{17,[{16,[{6,<<...>>},{19,...}]}]},
{17,[{16,[{6,...},{...}]}]},
{17,[{16,[{...}|...]}]},
{17,[{16,[...]}]},
{17,[{16,...}]},
{17,[{...}]}]},
{16,[{23,<<"171116140507Z">>},{23,<<"310726140507Z">>}]},
{16,
[{17,[{16,[{...}|...]}]},
{17,[{16,[...]}]},
{17,[{16,...}]},
{17,[{...}]},
{17,[...]},
{17,...}]},
{16,[{16,[{6,<<...>>},{5,...}]},{3,<<0,48,...>>}]},
{131075,[{16,[{16,...},{...}|...]}]}]}}}},
[{'PKCS-FRAME',match_tags,2,
[{file,"../src/PKCS-FRAME.erl"},{line,3223}]},
{'PKCS-FRAME',decode_integer,2,
[{file,"../src/PKCS-FRAME.erl"},{line,3042}]},
{'PKCS-FRAME',dec_OneAsymmetricKey,2,
[{file,"../src/PKCS-FRAME.erl"},{line,1790}]},
{'PKCS-FRAME',decode,2, 

-----BEGIN PRIVATE KEY-----

MIIESzCCAzOgAwIBAgIJANq6Drpt8SB5MA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNVBAYTAkVFMRE

wDwYDVQQIEwhIYXJqdW1hYTEQMA4GA1UEBxMHVGFsbGlubjEQMA4GA1UEChMHTW9kaXJ1bTE

UMBIGA1UECxMLRGV2ZWxvcG1lbnQxGjAYBgNVBAMTEWludGVyZmFjZTRTaWdua2V5MB4XDTE3

MTExNjE0MDUwN1oXDTMxMDcyNjE0MDUwN1owdjELMAkGA1UEBhMCRUUxETAPBgNVBAgTCE

hhcmp1bWFhMRAwDgYDVQQHEwdUYWxsaW5uMRAwDgYDVQQKEwdNb2RpcnVtMRQwEgYDVQ

QLEwtEZXZlbG9wbWVudDEaMBgGA1UEAxMRaW50ZXJmYWNlNFNpZ25rZXkwggEiMA0GCSqGSIb

3DQEBAQUAA4IBDwAwggEKAoIBAQD17fW0urJzMwcly0Ij6jrkyltgREpxvRp1W7eFbe4iCUP0G3YbV

D7T3qlDXa4j8up57t1KhhDVwfssBwGzSnZeZDVfzuF2Cdu9bDe7R8/obVLMUoShe4kr3qqUkzEF2/8y

Gnf+L2kE/qPgS1cWLg+1SHKuAXjlq2TWnduF+hO71jbGItbuI9EqWsym9/+ChUzm6KSeF/zVzQuunYP

pTXDOIAZoDvh22IDrWEeBbgVhhN+Z4jn8T/dOcyxGGY+wn6bC087nWLRJvxNyYBqUt1cI3fYIXO3Ag

PgktFOHgqNw5q4mXVJRynu31SN7T0GBJxBrhVhDZEBJknglia2zpssXAgMBAAGjgdswgdgwHQYDVR

0OBBYEFImadY2XUUEADcnAi2qwi433Npp+MIGoBgNVHSMEgaAwgZ2AFImadY2XUUEADcnAi2qwi

433Npp+oXqkeDB2MQswCQYDVQQGEwJFRTERMA8GA1UECBMISGFyanVtYWExEDAOBgNVBAcTB

1RhbGxpbm4xEDAOBgNVBAoTB01vZGlydW0xFDASBgNVBAsTC0RldmVsb3BtZW50MRowGAYDVQ

QDExFpbnRlcmZhY2U0U2lnbmtleYIJANq6Drpt8SB5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNA

QELBQADggEBAL0bSHmsVF/Pys1vLmehFIvkjopF2plRVklCalMiy+IJx8N9A91PsCbc2veykvIlFtEwVoV

ZGPtSlNDUl9HsSH/AzcatBRWe/Iz1W/4rMa1UWZsk2DDw6bjvo1KPYIvHBufUB4IXm/qyFL7IohYcWF

/sw0y+XMrvcd3c7ClZ1mq43GKnlHkXwaPWHoMnuviguIbgKAHKVT9pgqCZQSoIjN08oejCa7qVlYuU

Y5EGwzuHNErntmcgicP7sLWd4Pu1fAx+51tgDSGjh2m0SSDz2rv7CrJ44RXIUOWAMWbC4myssyea3

t+GrSvWrDGHRLXZUNmvy+zFSB+QFWEW2nlfYI8=

-----END PRIVATE KEY-----
2

Maybe it’s how you pasted your key (which I hope is not a key utilized for anything and just for testing! :smile: ), but openssl chokes with the same error trying to decode.

7991824384:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
3

Let me attach it in a file, and definitely for testing.

openssl x509 -in cert.crt -text -noout

WIth this I could view the certificate without any issues.

and could even do the transform to try and make sense of the tags with this:

openssl x509 -in cert.crt -outform der | openssl asn1parse -inform der

(Attachment cert.crt is missing)

4

What you pasted is not a private key, it is a certificate :slight_smile:

5

Attaching the key in an attachment (extension just changed so mailing list can accept it). It is a PEM cert

(Attachment cert.jpg is missing)

6

Apologies yes - have tried a few things to see if it would make a difference.

openssl x509 -in cert.crt -text -noout

WIth this I could view the certificate without any issues.

and could even do the transform to try and make sense of the tags with this:

openssl x509 -in cert.crt -outform der | openssl asn1parse -inform der

-----BEGIN CERTIFICATE-----
MIIESzCCAzOgAwIBAgIJANq6Drpt8SB5MA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNVBAYTAkVFMRE
wDwYDVQQIEwhIYXJqdW1hYTEQMA4GA1UEBxMHVGFsbGlubjEQMA4GA1UEChMHTW9kaXJ1bTE
UMBIGA1UECxMLRGV2ZWxvcG1lbnQxGjAYBgNVBAMTEWludGVyZmFjZTRTaWdua2V5MB4XDTE3
MTExNjE0MDUwN1oXDTMxMDcyNjE0MDUwN1owdjELMAkGA1UEBhMCRUUxETAPBgNVBAgTCE
hhcmp1bWFhMRAwDgYDVQQHEwdUYWxsaW5uMRAwDgYDVQQKEwdNb2RpcnVtMRQwEgYDVQ
QLEwtEZXZlbG9wbWVudDEaMBgGA1UEAxMRaW50ZXJmYWNlNFNpZ25rZXkwggEiMA0GCSqGSIb
3DQEBAQUAA4IBDwAwggEKAoIBAQD17fW0urJzMwcly0Ij6jrkyltgREpxvRp1W7eFbe4iCUP0G3YbV
D7T3qlDXa4j8up57t1KhhDVwfssBwGzSnZeZDVfzuF2Cdu9bDe7R8/obVLMUoShe4kr3qqUkzEF2/8y
Gnf+L2kE/qPgS1cWLg+1SHKuAXjlq2TWnduF+hO71jbGItbuI9EqWsym9/+ChUzm6KSeF/zVzQuunYP
pTXDOIAZoDvh22IDrWEeBbgVhhN+Z4jn8T/dOcyxGGY+wn6bC087nWLRJvxNyYBqUt1cI3fYIXO3Ag
PgktFOHgqNw5q4mXVJRynu31SN7T0GBJxBrhVhDZEBJknglia2zpssXAgMBAAGjgdswgdgwHQYDVR
0OBBYEFImadY2XUUEADcnAi2qwi433Npp+MIGoBgNVHSMEgaAwgZ2AFImadY2XUUEADcnAi2qwi
433Npp+oXqkeDB2MQswCQYDVQQGEwJFRTERMA8GA1UECBMISGFyanVtYWExEDAOBgNVBAcTB
1RhbGxpbm4xEDAOBgNVBAoTB01vZGlydW0xFDASBgNVBAsTC0RldmVsb3BtZW50MRowGAYDVQ
QDExFpbnRlcmZhY2U0U2lnbmtleYIJANq6Drpt8SB5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNA
QELBQADggEBAL0bSHmsVF/Pys1vLmehFIvkjopF2plRVklCalMiy+IJx8N9A91PsCbc2veykvIlFtEwVoV
ZGPtSlNDUl9HsSH/AzcatBRWe/Iz1W/4rMa1UWZsk2DDw6bjvo1KPYIvHBufUB4IXm/qyFL7IohYcWF
/sw0y+XMrvcd3c7ClZ1mq43GKnlHkXwaPWHoMnuviguIbgKAHKVT9pgqCZQSoIjN08oejCa7qVlYuU
Y5EGwzuHNErntmcgicP7sLWd4Pu1fAx+51tgDSGjh2m0SSDz2rv7CrJ44RXIUOWAMWbC4myssyea3
t+GrSvWrDGHRLXZUNmvy+zFSB+QFWEW2nlfYI8=
-----END CERTIFICATE-----
7

This works fine for me. I wonder, similar to what you pasted, if you were reading in the key vs your cert, etc.

[{'Certificate',<<48,130,4,75,48,130,3,51,160,3,2,1,2,2,9,
                  0,218,186,14,186,109,241,32,121,48,13,
                  ...>>,
                not_encrypted}]
2> [Entry] = public_key:pem_decode(Pem).
[{'Certificate',<<48,130,4,75,48,130,3,51,160,3,2,1,2,2,9,
                  0,218,186,14,186,109,241,32,121,48,13,
                  ...>>,
                not_encrypted}]
3> public_key:pem_entry_decode(Entry).
{'Certificate',{'TBSCertificate',v3,15760926039807697017,
                                 {'AlgorithmIdentifier',{1,2,840,113549,1,1,11},<<5,0>>},
...