PEM_read_bio_X509 returns Null

[khusboo7]

After I updated my openssl version from 1.0.2r to 1.1.1d of my iOS project , the function PEM_read_bio_X509 returns null. The following error is being printed in the console 4392048812:error:20068078:lib(32):func(104):reason(120):bio_lib.c:299: 4392048812:error:0906D06C:lib(9):func(109):reason(108):pem_lib.c:697: so that points to failures in pem_lib.c at line 697 and bio_lib.c at line 299, but looking at those files, it's not clear what that means (there aren't errors emitted at those lines).

[mattcaswell]

The line numbers are odd. Not sure why you see that.

However, we can get more information from the error number:

openssl errstr 20068078
error:20068078:BIO routines:BIO_gets:uninitialized

That corresponds to this line:

https://github.com/openssl/openssl/blob/894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596/crypto/bio/bio_lib.c#L453-L456

This suggests that the BIO has failed to initialise properly, or perhaps has been closed.

[khusboo7]

Thanks @mattcaswell for the quick reply. Instead of BIO_gets I have used BIO_put() in my app const int retVal = BIO_puts(bio, buf); I assume bio would have already initialised, as I am getting the return value(number of bytes written eg 1614 )from it .

[mattcaswell]

BIO_puts makes the same check, so if that is succeeding for you then it is certainly initialised at that point. Do you do anything with the BIO between where you do a BIO_puts, and your call to PEM_read_bio_X509?

To debug this, you might like to insert some calls to BIO_get_init() e.g. just after your BIO_puts, and just before your PEM_read_bio_X509, to confirm that return value is non-zero.

[khusboo7]

Hi @mattcaswell , I try to debug by putting the BIO_get_init() as suggested by you. int retval = BIO_get_init(bio); When I printed the return value , its 1.

[mattcaswell]

When I printed the return value , its 1.

Did you do this immediately before the call to PEM_read_bio_X509?

[khusboo7]

Yes

[mattcaswell]

Curious.

Is there any way you can get a debugger on this?. It makes no sense to me that the init value is (apparently) 1 immediately before this call, and somehow is 0 during it.

PEM_read_bio_X509 is actually a macro that calls PEM_ASN1_read_bio...which calls PEM_bytes_read_bio...which calls pem_bytes_read_bio_flags...which calls PEM_read_bio_ex..which calls get_name and get_header_and_data (both in pem_lib.c). It is these 2 functions that invoke the BIO_gets that is failing. It would be interesting to monitor the value of the init field in the BIO struct throughout this call chain to see where it gets changed.

[levitte]

@khusboo7, it might be easier if you give us sample code that shows what happens...

[khusboo7]

Sure, I will try if I can debug and see when the value changes

[khusboo7]

@levitte sure

[khusboo7]

@mattcaswell I tried to debug the code , but I am unable to debug as I am getting this error dyld: Library not loaded: /usr/local/lib/libssl.1.1.dylib Reason: image not found

I created a dynamic library using the following commands $ export CC=clang; $ export CROSS_TOP=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer $ export CROSS_SDK=iPhoneOS.sdk $ export PATH="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin:$PATH" $ ./Configure ios64-cross Please let me know if there is any other way to debug the openSSL library code in iOS project. Thanks

[mattcaswell]

I know nothing about ios I'm afraid so I can't really advise. You might try statically linking OpenSSL to your application, which might simplify things.

[khusboo7]

@mattcaswell Actually if we statically link then we couldn't be able to debug the openSSL library code as we will not have access to the .c files.

[khusboo7]

@mattcaswell I was able to get the debug version of the openssl library into my app.But Unfortunately I am unable to debug the PEM_read_bio_X509(). When I call PEM_read_bio_X509(), none of the function in either bio_lib.c or pem_lib.c is being called. But When I call PEM_read_bio() , I can see that the function in bio_lib.c or pem_lib. is being called. Is the PEM_read_bio_X509 being deprecated in version 1.1.1d? Is there any other way to convert the PEM to x509 ? Thanks

[mattcaswell]

When I call PEM_read_bio_X509(), none of the function in either bio_lib.c or pem_lib.c is being called.

So how far down the call stack does it actually get? I noted the callstack I was expecting to see above:

PEM_read_bio_X509 is actually a macro that calls PEM_ASN1_read_bio...which calls PEM_bytes_read_bio...which calls pem_bytes_read_bio_flags...which calls PEM_read_bio_ex..which calls get_name and get_header_and_data (both in pem_lib.c).

Is the PEM_read_bio_X509 being deprecated in version 1.1.1d?

No. This function should be fine to use.

Is there any other way to convert the PEM to x509 ?

No. This is the intended function for that purpose.

[khusboo7]

So how far down the call stack does it actually get? I noted the callstack I was expecting to see above:

None of the above callstack was being called.I have put breakpoint on each of the functions that you have mention above but none of them was called

[mattcaswell]

None of the above callstack was being called.I have put breakpoint on each of the functions that you have mention above but none of them was called

That doesn't sound right. So, if you step into PEM_read_bio_X509 - where does it end up?

[khusboo7]

That doesn't sound right. So, if you step into PEM_read_bio_X509 - where does it end up?

It ends up in my code from where I have called it.It doesn't go to the library code.

[khusboo7]

When I call the PEM_read_bio() , it goes to the library code

[mattcaswell]

It ends up in my code from where I have called it.It doesn't go to the library code.

Then something is wrong with the debugging environment in some way. It can't add the error codes that you see without going into the library!

[rxing-tableau]

I encountered the same issue. Upgraded from 1.0.2r to 1.1.1d. PEM_read_bio_X509 returns NULL, but it is a Windows only in my case. BIO_get_init(bio) returns 1, right before PEM_read_bio_X509.

[jegbrother]

CERTIFICATE content (type string) need append "\n"

[nhorman]

Marking as inactive, will be closed at the end of 3.4 dev barring further input