I'm trying to convert this file in DER format to PEM.
Using openssl.exe utility (tried in versions 0.98.1 and 1.02 of openssl) I tried the following commands:
openssl x509 -inform der PA_AD_RB_V2_3.der -out PA_AD_RB_V2_3.pem
openssl pkcs7 -inform der PA_AD_RB_V2_3.der -print_certs -out PA_AD_RB_V2_3.pem
openssl rsa -inform der -in PA_AD_RB_V2_3.der -out PA_AD_RB_V2_3.pem
All of them return the following errors:
16196:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:./crypto/asn1/tasn_dec.c:1294:
16196:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:./crypto/asn1/tasn_dec.c:830:
16196:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:./crypto/asn1/tasn_dec.c:749:Field=type, Type=PKCS7
Of course there are some differences between commands but the message is the same. I couldn't figure out what encryption the DER file is encoded, that's why I tried different commands.
Is something wrong in DER file? Or I messed up somewhere in the commands?
My final goal is to pass the PEM file to the -certfile parameter in smime -sign
1 Answer
These tools you tried aren't generic "DER to PEM" converters. All of them work with files in very specific formats, for example openssl x509 wants to be given an X.509 certificate and nothing else. But ASN.1 DER is a very generic format (just like XML or JSON); it's indeed used for X.509 certificates, but it's also used for a hundred other different things.
The file you have is neither an X.509 certificate nor a PKCS#7 message – it is a "trust list" or "signing policy" in the RFC 3125 format, which OpenSSL doesn't know what to do with. So even if you converted it to PEM using base64 -e, your next command would still fail due to the format being unrecognized.
(It's certainly possible to make a tool that would convert any DER file to PEM, because "PEM" format is literally Base64 of the same DER file, plus the begin/end headers of course. But if it does not consist of an X.509 certificate, then it makes no sense to use it as a -certfile regardless of the format.)
I don't know of any appropriate tools for working with RFC 3125 signature policies, but looking at it with openssl asn1parse and dumpasn1, the policy seems to include these two X.509 certificates:
It will be easiest to download the individual certificates directly from these URLs.
6
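The point made in the answer above, as an added example (not code from the original post): PEM armor is only Base64 of the same DER bytes, so wrapping a file does not change which ASN.1 structure it holds. This Python sketch reads the top-level tags to guess whether a DER blob has the shape of an X.509 certificate or a PKCS#7 ContentInfo; the function names and sample byte strings are constructed for illustration.

```python
import base64

def read_tlv(buf, pos=0):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled in this sketch")
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, start = first, pos + 2
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length

def child_tags(der):
    """Tags of the elements directly inside the outer SEQUENCE."""
    tag, pos, end = read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tags = []
    while pos < end:
        t, _, pos = read_tlv(der, pos)
        tags.append(t)
    return tags

def guess_kind(der):
    """Heuristic on the top-level shape only; it does not validate the content."""
    tags = child_tags(der)
    if tags == [0x30, 0x30, 0x03]:         # tbsCertificate, algorithm, signature BIT STRING
        return "x509-like"
    if tags[:2] == [0x06, 0xA0]:           # contentType OID, [0] EXPLICIT content
        return "pkcs7-like"
    return "unknown"

def der_to_pem(der, label):
    """PEM armor: Base64 of the same bytes in 64-column lines between BEGIN/END."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample inputs (not real certificates): only the outer shape matters.
CERT_SHAPED = bytes.fromhex("3008" "3000" "3000" "03020000")
PKCS7_SHAPED = bytes.fromhex("300f" "06092a864886f70d010702" "a0023000")
OTHER_SHAPED = bytes.fromhex("3006" "3000" "3000" "0400")
```

Wrapping `OTHER_SHAPED` with a `CERTIFICATE` label produces valid-looking PEM, but decoding it yields the same bytes and the same "unknown" shape, which is why a certificate parser still rejects it.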