Ошибка при обработке запроса встречено неверное значение тега asn1

Форум КриптоПро
 » 
Средства криптографической защиты информации
 » 
КриптоПро CSP 5.0
 » 
Ошибка [ErrorCode: 0x8009310b] Встречено неверное значение тега ASN1.

Форум КриптоПро
 » 
Средства криптографической защиты информации
 » 
КриптоПро CSP 5.0
 » 
Ошибка [ErrorCode: 0x8009310b] Встречено неверное значение тега ASN1.

Страницы 1

Чтобы отправить ответ, нужно авторизоваться или зарегистрироваться

Страницы 1

Чтобы отправить ответ, нужно авторизоваться или зарегистрироваться

Статус: Активный участник

Группы: Участники

Зарегистрирован: 09.12.2016(UTC)
Сообщений: 127


Откуда: Таганрог

Сказал «Спасибо»: 15 раз

Приветствую! Столкнулся с проблемой — некорректно (как я понимаю) формируется запрос на сертификат.
Прошерстил форум, именно такой связки проблем и технологий не нашел, встреченные рекомендации пробовал — не помогает( В документации тоже ответов не нашлось (может не там искал?)

Имеем на клиентах, браузеры

GH 61.0.3163.79 (версия плагина КриптоПро 2.0.13027) (обновил в надежде на решение проблемы, не помогло, как видно)
FF 55.0.3 (версия плагина КриптоПро 2.0.12888)

Соответственно,

используется асинхронный вариант

API.

Сразу уточню,

при запросе через API уровня ОС (работает старый NPAPI-шный плагин) — все четко

.

КриптоПро CSP: 4.0.9907
Версия ядра: 4.0.9015 КС1

При запросе указываю параметры провайдера:

Тип: 80
Имя: Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider

На сервере используется штатный майкрософтовский УЦ, котором в качестве криптопровайдера указан КриптоПро (GOST R 34.10-2012).

КриптоПро CSP: 4.0.9842
Версия ядра: 4.0.9014 КС1

Код запроса отрабатывает корретно.

<script type="text/javascript">

var ENROLL_X500NAME_FLAGS = {
    XCN_CERT_NAME_STR_NONE                       : 0,
    XCN_CERT_SIMPLE_NAME_STR                     : 0x00000001, // Это флаг плагину не нравится, ругается: The parameter is incorrect. (0x80070057)
    XCN_CERT_OID_NAME_STR                        : 0x00000002,
    XCN_CERT_X500_NAME_STR                       : 0x00000003,
    XCN_CERT_XML_NAME_STR                        : 0x00000004,
    XCN_CERT_NAME_STR_SEMICOLON_FLAG             : 0x40000000,
    XCN_CERT_NAME_STR_NO_PLUS_FLAG               : 0x20000000,
    XCN_CERT_NAME_STR_NO_QUOTING_FLAG            : 0x10000000,
    XCN_CERT_NAME_STR_CRLF_FLAG                  : 0x8000000,
    XCN_CERT_NAME_STR_COMMA_FLAG                 : 0x4000000,
    XCN_CERT_NAME_STR_REVERSE_FLAG               : 0x2000000,
    XCN_CERT_NAME_STR_FORWARD_FLAG               : 0x1000000,
    XCN_CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG      : 0x10000,
    XCN_CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG    : 0x20000,
    XCN_CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG   : 0x40000,
    XCN_CERT_NAME_STR_FORCE_UTF8_DIR_STR_FLAG    : 0x80000,
    XCN_CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG  : 0x100000
};

function(fullName, providerType, providerName) 
{        
      // Ф-я ExecWithPlugin просто обертка над cadesplugin.async_spawn, перехватывающая и расшифровывающая ошибки.
      ExecWithPlugin(function* () { 

            // Ф-я GetEnrollObject - обертка для создания асинхронного объекта из пространства имен X509Enrollment
            var privateKey = yield* GetEnrollObject("CX509PrivateKey");             
            yield privateKey.propset_ProviderName(providerName);
            yield privateKey.propset_ProviderType(providerType);
            yield privateKey.propset_KeySpec(ENROLL_X509KEYSPEC.XCN_AT_SIGNATURE);                

            var certificateRequestPkcs10 = yield* GetEnrollObject("CX509CertificateRequestPkcs10");
            yield certificateRequestPkcs10.InitializeFromPrivateKey(ENROLL_CONTEXT.ContextUser, privateKey, ""); 

            var distinguishedName = yield* GetEnrollObject("CX500DistinguishedName");
                        
            // fullName - проиндексированный OID(ами) массив значений для RDN.

            var certName = "";
            var oids = Object.keys(fullName);
            
            for(var i = 0; i < oids.length; i++){
                if (certName != "")
                    certName += ", ";
                
                certName += (oids[i] + "=" + fullName[oids[i]]);  
            }
                                                        
            yield distinguishedName.Encode(certName, ENROLL_X500NAME_FLAGS.XCN_CERT_NAME_STR_NONE); 
            yield certificateRequestPkcs10.propset_Subject(distinguishedName);

            var keyUsageExtension = yield* GetEnrollObject("CX509ExtensionKeyUsage");
                        
            yield keyUsageExtension.InitializeEncode(
                        ENROLL_X509KEYUSAGE_FLAGS.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                        ENROLL_X509KEYUSAGE_FLAGS.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE |
                        ENROLL_X509KEYUSAGE_FLAGS.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                        ENROLL_X509KEYUSAGE_FLAGS.XCN_CERT_NON_REPUDIATION_KEY_USAGE);
                        
            yield (yield certificateRequestPkcs10.X509Extensions).Add(keyUsageExtension);

            var enroll = yield* GetEnrollObject("CX509Enrollment");
            yield enroll.InitializeFromRequest(certificateRequestPkcs10);
                
            // Пробовал менять тип кодировки при значении XCN_CRYPT_STRING_BINARY  получаю: 
            // Данные ASN1 повреждены. 0x80093103 (ASN: 259)

            // А при XCN_CRYPT_STRING_NOCR - Падает сам плагин (в Хроме).             
                                      // Сигнатура проблемы:
                                      // Имя события проблемы:	APPCRASH
                                      // Имя приложения:	nmcades.exe
                                      // Версия приложения:	1.0.10478.0
                                      // Отметка времени приложения:	597d48c9
                                      // Имя модуля с ошибкой:	nmcades.exe
                                      // Версия модуля с ошибкой:	1.0.10478.0
                                      // Отметка времени модуля с ошибкой:	597d48c9
                                      // Код исключения:	40000015
                                      // Смещение исключения:	000166f5
                                      // Версия ОС:	6.1.7601.2.1.0.256.48
                                      // Код языка:	1049
                                      // Дополнительные сведения 1:	177b
                                      // Дополнительные сведения 2:	177b64d1b0e35f4876ae099d0b42016e
                                      // Дополнительные сведения 3:	7793
                                      // Дополнительные сведения 4:	7793eef4e9c0c3a122a47f8bca2bf0a0
                                            
            var certReq = yield enroll.CreateRequest(ENROLL_ENCODING_TYPE.XCN_CRYPT_STRING_BASE64); 
            var containerName = yield privateKey.ContainerName;
    });
}
</script>

Значения флагов и констант взяты из MSDN, только флаги в ENROLL_X500NAME_FLAGS привел к единообразному 16-ричному виду, может как-то не так (добавил в исходник сюда)?

Но в итоге на сервере, при отправке запроса ЦС, получаю сообщение:
Встречено неверное значение тега ASN1. 0x8009310b (ASN: 267)

Кроме экспериментов с кодировкой самого запроса, пробовал по всякому формировать RDN (штано OID=значение) через «, «. Никаких изменений ( Руками делал строку, в которой забирал значения параметров с пробелами в кавычки, результат прежний.

Вот тут сам файл запроса, уже приехавший на сервер.

Может глаза замылились не вижу очевидной ошибки?

1800 / 612 / 37

Регистрация: 22.12.2009

Сообщений: 1,544

Всем привет!
Пишу код —

1
2
3
4
5
6
7
8
9
10

 ContentInfo plainContent = new ContentInfo(msg);
 
            // EnvelopedCms represents encrypted data
            EnvelopedCms encryptedMessage = new EnvelopedCms(plainContent);
 
            // add a recipient
            CmsRecipient recipient = new CmsRecipient(recipientCert);
 
            // encrypt data with public key of recipient
            encryptedMessage.Encrypt(recipient);

В строчке

1
2

            // encrypt data with public key of recipient
            encryptedMessage.Encrypt(recipient);

Вылетает ошибка —

Кто может подсказать, в чем дело?
Заранее всем спасибо!

Answers

• Thanks Elke . Issue fixed . Application team send one more updated CSR and now i am able to create certificate .

  • Marked as answer by

    Tuesday, July 29, 2014 3:01 AM

Answers

• Thanks Elke . Issue fixed . Application team send one more updated CSR and now i am able to create certificate .

  • Marked as answer by

    Tuesday, July 29, 2014 3:01 AM

CCNA, веб-разработчик, ПК для устранения неполадок

Я компьютерный энтузиаст и практикующий ИТ-специалист. У меня за плечами многолетний опыт работы в области компьютерного программирования, устранения неисправностей и ремонта оборудования. Я специализируюсь на веб-разработке и дизайне баз данных. У меня также есть сертификат CCNA для проектирования сетей и устранения неполадок.

Answers

• • Marked as answer by
    Anonymous
    Tuesday, September 28, 2021 12:00 AM

All replies

• User113421904 posted

  Hi,

  I did see one post before that this error is related to permissions of certificate store. Are you running from administrative accounts, make sure you have enough permissions during the installing of certificates.

• User-1286092494 posted

  Thanks Zhao. I was wondering if you guys have any kind of knowledge base article that talks about this error within IIS 7 during an SSL certificate install?  It would be great if there is one.

   We would like to put this information in our knowledge base to better assist our customers at VeriSign.

   Thank you for your support.

   Regards,

  Jason R.
   

• • Marked as answer by
    Anonymous
    Tuesday, September 28, 2021 12:00 AM

• User1810624584 posted

  I leave this behind for anyone else searching for an answer to this question.  NOTE: I am not using a VeriSign certificate, so this is not directly pertinent to the original question.  I leave it behind because the error message is the same and
  hits on the search engines.

  I leave the message with double colons here so that search will pick it up more readily.

  CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x08009310b (ASN: 267)

  I requested a certificate from an IIS 7.0 Web Server.  I used the request to create a certificate within our internal CA and generate a .cer file.  When I went to install the .cer file in the web server, I got hit with this error message. 
  It didn’t take too much digging to find a hint that perhaps the CA was not trusted by the Web Server.  I added the internal CA chain to the Web Server and this got me past the message.  Just to be sure, I removed the root certificate from the Trusted
  Root Certification Authorities folder and tried again — I got the error again.  This is a verified cause.  Certainly this may not be the only cause.  I sure wish the error message were better.

• User351018772 posted

   I’ve had the same issue, below is my information…

  • Windows 2008 Web Server 64-bit Edition
  • IIS7
  • SQL 2005 Express
  • Network Solutions Basic SSL certificate

  Each time I try to complete the certificate request I get the following error…

  CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)

  I should also mention that I have already added the 3 other certificates provided by NetworkSolutions under the Certificates snap-in. When I open up IIS I do not see my certificate request listed however IIS knows that it’s there so I’m not sure if I should
  see it listed or not. Under «Certificates -> Certificate Enrollment Requests -> Certificates» I can see the pending request. Up until a few minutes ago I had several listed there and have since cleared/deleted them out and re-requested the certificate
  from NetworkSolutions although I don’t have any faith this will work. There were several from past failed attempts. Should I be able to see the certificate request in IIS7 after creating the initial request before it’s completed? My server doesn’t do much
  other than host a few websites and run SQL 2005 Express. I know some have said something about SQL but I can’t imagine what that has to do with my situation since I simply want to add an SSL certificate to IIS7 to run a single website with SSL encryption.

  Is it just me or should this not be ridiculously simple to accomplish and yet it’s been the single most frustrating thing I had to do in a great long while. NetworkSolutions doesn’t have any answers, Microsoft wants to charge me an arm and leg just to say
  «Hi», and I’m losing my patience with the whole thing since it should literally take less than 5 minutes to complete a simple certificate request.

  Does anyone out there have a solution to this problem because I’m Googled out…

  Thanks in advance for any support provided,

  Matt

• User882081861 posted

  I’d recommend contacting the certification authority and asking them what their preferred way is to abandon the problematic keypair and how to best make a totally new CSR.

• User56899015 posted
  This happened to me because I screwed up.

  Heres what I did:

  I created a certificate request and sent it to the CA. I got the new cert and installed it.

  Here’s where I went wrong:

  I mis-typed the friendly name during the cert install and stupidly deleted the cert via IIS manager.

  How I fixed it:

  Take the initial certificate request file (sent to CA) and rename it with a .cer extension.
  Open the certificate management snap in.
  Right click on «Certificate Enrollment Requests» and import the certificate signing request file.
  Go back to IIS Manager and import the certificate that the CA sent back in response to your initial request.

  Basically, you must have an unfulfilled certificate request corresponding to the certificate provided by your CA before «complete certificate request» is successful.

• User1063753466 posted
  greg88 — I just created this forum account to tell you that you are a genius. Your solution totally worked for me.

• User1180450644 posted
  Gregg88 — Saved my butt too — thanks!

• User418653656 posted

  I got the same error, through a mistake on my part, but the solution did not work for me.

  I was using a GoDaddy cert, which had an intermediate certificate.  I followed the instructions to import the GoDaddy intermediate cert into the «Certificates (Local Computer)/Intermediate Certification Authority/Certificates store.

  Turns out, I apparently double clicked on the actual web site cert, which happily went in the store.

  I think went to IIS which gave me the OP’s error.

  Drove me nuts, until I found the web cert in the Intermediate Certification Authority.  lol.

  So, the fix for me was to export and delete the web site cert, import the proper intermediate cert, and then import the cert like normal into the «Certificates (Local Computer)/Personal/Certificates store.

  Now, oddly, IIS still thinks there is a cert request outstanding.  I’m assuming I can just ignore this, as I already have the cert loaded.

  == John ==

• User-1938893238 posted

  «I mis-typed the friendly name during the cert install»

  What does that mean? What defines a mis-typing of the friendly name?… 

  I need to know to understand if I did the same «mistake».

  thanks

• User1903832623 posted

  @greg88: Dude, u are super genious!

  Just a note:

  Take the initial certificate request file (sent to CA) and rename it with a .cer extension.

  i couldn’t import the Certificate Request File renamed as .cer, because the certificate snap-in was
  nagging about invalid operation. So i just tried to import in the Certificate Enrollment Requests the certificate itself… and BANG! it worked like a charm! 

  You made my day