Behavior change in 1.0.1i crypto (?)

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Behavior change in 1.0.1i crypto (?)

Andy Schmidt
I have found some change in the behavior of the OpenSSL 1.0.1 crypto
library between releases h and i regarding the internal handling of
PKCS7 and X509 structures. Attached is a S/MIME signed message
generated by C calls to the OpenSSL 1.0.1i API. If I take this output
and then on the command line execute:

    openssl smime -in JohnHancock.smime -pk7out

1.0.1h succeeds and sends the PKCS7 to STDOUT.

But 1.0.1i fails, with the following message:
    Error reading S/MIME message
    8792:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid
object encoding:.\crypto\asn1\a_object.c:303:
    8792:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:.\crypto\asn1\tasn_dec.c:751:Field=type, Type=PKCS7
    8792:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:.\crypto\asn1\tasn_dec.c:751:Field=contents, Type=PKCS7_SIGNED
    8792:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:.\crypto\asn1\tasn_dec.c:751:
    8792:error:0D08403A:asn1 encoding
routines:ASN1_TEMPLATE_EX_D2I:nested asn1
error:.\crypto\asn1\tasn_dec.c:579:Field=d.sign, Type=PKCS7
    8792:error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode
error:.\crypto\asn1\asn_mime.c:193:
    8792:error:0D0D40CC:asn1 encoding routines:SMIME_read_ASN1:asn1
sig parse error:.\crypto\asn1\asn_mime.c:502:

I apologize if this seem ambiguous. I have an application that calls
the OpenSSL API via C++ wrapper classes, and I haven't been able to
sufficiently unwind theses classes to recreate what is happening with
minimal C and OpenSSL API calls. I am new to both OpenSSL and the C++
application code base. However, the openssl command line tool
generates the same errors as my code when it tries to parse the PKCS7.

My application code did work with 1.0.1h (and also e and g) but no
longer works with 1.0.1i ... and I would like to emphasize that I am
not reporting a bug, just an unexpected change in behavior.

Andy

JohnHancock.smime (9K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Behavior change in 1.0.1i crypto (?)

Viktor Dukhovni
On Wed, Sep 03, 2014 at 02:01:35PM -0700, Andy Schmidt wrote:

>     openssl smime -in JohnHancock.smime -pk7out

Decoding the pkcs7 data with asn1parse results in:

    0:d=0  hl=4 l=4594 cons: SEQUENCE          
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=4579 cons: cont [ 0 ]        
   19:d=2  hl=4 l=4575 cons: SEQUENCE          
   23:d=3  hl=2 l=   1 prim: INTEGER           :01
   26:d=3  hl=2 l=  11 cons: SET              
   28:d=4  hl=2 l=   9 cons: SEQUENCE          
   30:d=5  hl=2 l=   5 prim: OBJECT            :sha1
   37:d=5  hl=2 l=   0 prim: NULL              
   39:d=3  hl=2 l=   2 cons: SEQUENCE          
   41:d=4  hl=2 l=   0 prim: OBJECT            :BAD OBJECT

Note the "BAD OBJECT" above.  Objects should not be zero length.

   43:d=3  hl=4 l=3943 cons: cont [ 0 ]        
   47:d=4  hl=4 l=1440 cons: SEQUENCE          
   51:d=5  hl=4 l= 904 cons: SEQUENCE          
   55:d=6  hl=2 l=   3 cons: cont [ 0 ]        
   57:d=7  hl=2 l=   1 prim: INTEGER           :02
   60:d=6  hl=2 l=   1 prim: INTEGER           :24
   63:d=6  hl=2 l=  13 cons: SEQUENCE          
   65:d=7  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
   76:d=7  hl=2 l=   0 prim: NULL              
   78:d=6  hl=4 l= 304 cons: SEQUENCE          
   82:d=7  hl=2 l=  11 cons: SET              
   84:d=8  hl=2 l=   9 cons: SEQUENCE          
   86:d=9  hl=2 l=   3 prim: OBJECT            :countryName
   91:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :--
   95:d=7  hl=2 l=  19 cons: SET              
   97:d=8  hl=2 l=  17 cons: SEQUENCE          
   99:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  104:d=9  hl=2 l=  10 prim: PRINTABLESTRING   :Scott Boyd
  116:d=7  hl=2 l=  17 cons: SET              
  118:d=8  hl=2 l=  15 cons: SEQUENCE          
  120:d=9  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  125:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>

Did you really want the string "<NODATA>" here?

  135:d=7  hl=2 l=  17 cons: SET              
  137:d=8  hl=2 l=  15 cons: SEQUENCE          
  139:d=9  hl=2 l=   3 prim: OBJECT            :localityName
  144:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>

And here?

  154:d=7  hl=2 l=  25 cons: SET              
  156:d=8  hl=2 l=  23 cons: SEQUENCE          
  158:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
  163:d=9  hl=2 l=  16 prim: PRINTABLESTRING   :The MacHax Group
  181:d=7  hl=2 l=  10 cons: SET              
  183:d=8  hl=2 l=   8 cons: SEQUENCE          
  185:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  190:d=9  hl=2 l=   1 prim: PRINTABLESTRING   :-

and "-" for the OU?

  193:d=7  hl=2 l=  28 cons: SET              
  195:d=8  hl=2 l=  26 cons: SEQUENCE          
  197:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
  208:d=9  hl=2 l=  13 prim: IA5STRING         :[hidden email]
  223:d=7  hl=3 l= 160 cons: SET              
  226:d=8  hl=2 l=  16 cons: SEQUENCE          
  228:d=9  hl=2 l=   3 prim: OBJECT            :name
  233:d=9  hl=2 l=   9 prim: PRINTABLESTRING   :Hash:sha1
  244:d=8  hl=2 l=  40 cons: SEQUENCE          
  246:d=9  hl=2 l=   3 prim: OBJECT            :name
  251:d=9  hl=2 l=  33 prim: PRINTABLESTRING   :Server:bigtest5.devlan.bigfix.com
  286:d=8  hl=2 l=  28 cons: SEQUENCE          
  288:d=9  hl=2 l=   3 prim: OBJECT            :name
  293:d=9  hl=2 l=  21 prim: PRINTABLESTRING   :LicenseAllocation:100
  316:d=8  hl=2 l=  27 cons: SEQUENCE          
  318:d=9  hl=2 l=   3 prim: OBJECT            :name
  323:d=9  hl=2 l=  20 prim: PRINTABLESTRING   :CustomActions:Enable
  345:d=8  hl=2 l=  39 cons: SEQUENCE          
  347:d=9  hl=2 l=   3 prim: OBJECT            :name
  352:d=9  hl=2 l=  32 prim: PRINTABLESTRING   :CustomRetrievedProperties:Enable
  386:d=6  hl=2 l=  30 cons: SEQUENCE          
  388:d=7  hl=2 l=  13 prim: UTCTIME           :050317061647Z
  403:d=7  hl=2 l=  13 prim: UTCTIME           :150315061647Z
  418:d=6  hl=2 l=  37 cons: SEQUENCE          
  420:d=7  hl=2 l=  11 cons: SET              
  422:d=8  hl=2 l=   9 cons: SEQUENCE          
  424:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  429:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :op
  433:d=7  hl=2 l=  22 cons: SET              
  435:d=8  hl=2 l=  20 cons: SEQUENCE          
  437:d=9  hl=2 l=   3 prim: OBJECT            :name
  442:d=9  hl=2 l=  13 prim: PRINTABLESTRING   :Type:Operator
  457:d=6  hl=3 l= 159 cons: SEQUENCE          
  460:d=7  hl=2 l=  13 cons: SEQUENCE          
  462:d=8  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  473:d=8  hl=2 l=   0 prim: NULL              
  475:d=7  hl=3 l= 141 prim: BIT STRING        
  619:d=6  hl=4 l= 336 cons: cont [ 3 ]        
  623:d=7  hl=4 l= 332 cons: SEQUENCE          
  627:d=8  hl=2 l=   9 cons: SEQUENCE          
  629:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  634:d=9  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
  638:d=8  hl=2 l=  44 cons: SEQUENCE          
  640:d=9  hl=2 l=   9 prim: OBJECT            :Netscape Comment
  651:d=9  hl=2 l=  31 prim: OCTET STRING      [HEX DUMP]:161D4F70656E53534C2047656E657261746564204365727469666963617465
  684:d=8  hl=2 l=  29 cons: SEQUENCE          
  686:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  691:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414527352B137B6F3321178C08C45D10AE65010D6F1
  715:d=8  hl=3 l= 241 cons: SEQUENCE          
  718:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  723:d=9  hl=3 l= 233 prim: OCTET STRING      [HEX DUMP]:3081E68014844BE2E207D03D6C0785F72F7B184CCD5B188086A181C9A481C63081C3310B3009060355040613025553311330110603550408130A43616C69666F726E6961311330110603550407130A456D65727976696C6C6531153013060355040A130C4269674669782C20496E632E311B3019060355040B13125369746520417574686F72697A6174696F6E312C302A06035504031323416374696F6E53697465205265676973747261723A44656E6E697320476F6F64726F773128302606092A864886F70D010901161944656E6E69735F476F6F64726F77404269674669782E636F6D820207EE
  959:d=5  hl=2 l=  13 cons: SEQUENCE          
  961:d=6  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  972:d=6  hl=2 l=   0 prim: NULL              
  974:d=5  hl=4 l= 513 prim: BIT STRING        
 1491:d=4  hl=4 l=1592 cons: SEQUENCE          
 1495:d=5  hl=4 l=1056 cons: SEQUENCE          
 1499:d=6  hl=2 l=   3 cons: cont [ 0 ]        
 1501:d=7  hl=2 l=   1 prim: INTEGER           :02
 1504:d=6  hl=2 l=   1 prim: INTEGER           :23
 1507:d=6  hl=2 l=  13 cons: SEQUENCE          
 1509:d=7  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
 1520:d=7  hl=2 l=   0 prim: NULL              
 1522:d=6  hl=4 l= 304 cons: SEQUENCE          
 1526:d=7  hl=2 l=  11 cons: SET              
 1528:d=8  hl=2 l=   9 cons: SEQUENCE          
 1530:d=9  hl=2 l=   3 prim: OBJECT            :countryName
 1535:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :--
 1539:d=7  hl=2 l=  19 cons: SET              
 1541:d=8  hl=2 l=  17 cons: SEQUENCE          
 1543:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1548:d=9  hl=2 l=  10 prim: PRINTABLESTRING   :Scott Boyd
 1560:d=7  hl=2 l=  17 cons: SET              
 1562:d=8  hl=2 l=  15 cons: SEQUENCE          
 1564:d=9  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
 1569:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>
 1579:d=7  hl=2 l=  17 cons: SET              
 1581:d=8  hl=2 l=  15 cons: SEQUENCE          
 1583:d=9  hl=2 l=   3 prim: OBJECT            :localityName
 1588:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>
 1598:d=7  hl=2 l=  25 cons: SET              
 1600:d=8  hl=2 l=  23 cons: SEQUENCE          
 1602:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
 1607:d=9  hl=2 l=  16 prim: PRINTABLESTRING   :The MacHax Group
 1625:d=7  hl=2 l=  10 cons: SET              
 1627:d=8  hl=2 l=   8 cons: SEQUENCE          
 1629:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
 1634:d=9  hl=2 l=   1 prim: PRINTABLESTRING   :-
 1637:d=7  hl=2 l=  28 cons: SET              
 1639:d=8  hl=2 l=  26 cons: SEQUENCE          
 1641:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
 1652:d=9  hl=2 l=  13 prim: IA5STRING         :[hidden email]
 1667:d=7  hl=3 l= 160 cons: SET              
 1670:d=8  hl=2 l=  16 cons: SEQUENCE          
 1672:d=9  hl=2 l=   3 prim: OBJECT            :name
 1677:d=9  hl=2 l=   9 prim: PRINTABLESTRING   :Hash:sha1
 1688:d=8  hl=2 l=  40 cons: SEQUENCE          
 1690:d=9  hl=2 l=   3 prim: OBJECT            :name
 1695:d=9  hl=2 l=  33 prim: PRINTABLESTRING   :Server:bigtest5.devlan.bigfix.com
 1730:d=8  hl=2 l=  28 cons: SEQUENCE          
 1732:d=9  hl=2 l=   3 prim: OBJECT            :name
 1737:d=9  hl=2 l=  21 prim: PRINTABLESTRING   :LicenseAllocation:100
 1760:d=8  hl=2 l=  27 cons: SEQUENCE          
 1762:d=9  hl=2 l=   3 prim: OBJECT            :name
 1767:d=9  hl=2 l=  20 prim: PRINTABLESTRING   :CustomActions:Enable
 1789:d=8  hl=2 l=  39 cons: SEQUENCE          
 1791:d=9  hl=2 l=   3 prim: OBJECT            :name
 1796:d=9  hl=2 l=  32 prim: PRINTABLESTRING   :CustomRetrievedProperties:Enable
 1830:d=6  hl=2 l=  30 cons: SEQUENCE          
 1832:d=7  hl=2 l=  13 prim: UTCTIME           :050317000731Z
 1847:d=7  hl=2 l=  13 prim: UTCTIME           :150315000731Z
 1862:d=6  hl=2 l=  57 cons: SEQUENCE          
 1864:d=7  hl=2 l=  26 cons: SET              
 1866:d=8  hl=2 l=  24 cons: SEQUENCE          
 1868:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1873:d=9  hl=2 l=  17 prim: T61STRING         :[hidden email]
 1892:d=7  hl=2 l=  27 cons: SET              
 1894:d=8  hl=2 l=  25 cons: SEQUENCE          
 1896:d=9  hl=2 l=   3 prim: OBJECT            :name
 1901:d=9  hl=2 l=  18 prim: PRINTABLESTRING   :Type:Administrator
 1921:d=6  hl=4 l= 290 cons: SEQUENCE          
 1925:d=7  hl=2 l=  13 cons: SEQUENCE          
 1927:d=8  hl=2 l=   9 prim: OBJECT            :rsaEncryption
 1938:d=8  hl=2 l=   0 prim: NULL              
 1940:d=7  hl=4 l= 271 prim: BIT STRING        
 2215:d=6  hl=4 l= 336 cons: cont [ 3 ]        
 2219:d=7  hl=4 l= 332 cons: SEQUENCE          
 2223:d=8  hl=2 l=   9 cons: SEQUENCE          
 2225:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 2230:d=9  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
 2234:d=8  hl=2 l=  44 cons: SEQUENCE          
 2236:d=9  hl=2 l=   9 prim: OBJECT            :Netscape Comment
 2247:d=9  hl=2 l=  31 prim: OCTET STRING      [HEX DUMP]:161D4F70656E53534C2047656E657261746564204365727469666963617465
 2280:d=8  hl=2 l=  29 cons: SEQUENCE          
 2282:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 2287:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414E565F1F3930F93B85B0D3666F9561126C4EC5210
 2311:d=8  hl=3 l= 241 cons: SEQUENCE          
 2314:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 2319:d=9  hl=3 l= 233 prim: OCTET STRING      [HEX DUMP]:3081E68014844BE2E207D03D6C0785F72F7B184CCD5B188086A181C9A481C63081C3310B3009060355040613025553311330110603550408130A43616C69666F726E6961311330110603550407130A456D65727976696C6C6531153013060355040A130C4269674669782C20496E632E311B3019060355040B13125369746520417574686F72697A6174696F6E312C302A06035504031323416374696F6E53697465205265676973747261723A44656E6E697320476F6F64726F773128302606092A864886F70D010901161944656E6E69735F476F6F64726F77404269674669782E636F6D820207EE
 2555:d=5  hl=2 l=  13 cons: SEQUENCE          
 2557:d=6  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
 2568:d=6  hl=2 l=   0 prim: NULL              
 2570:d=5  hl=4 l= 513 prim: BIT STRING        
 3087:d=4  hl=4 l= 899 cons: SEQUENCE          
 3091:d=5  hl=4 l= 619 cons: SEQUENCE          
 3095:d=6  hl=2 l=   3 cons: cont [ 0 ]        
 3097:d=7  hl=2 l=   1 prim: INTEGER           :02
 3100:d=6  hl=2 l=   4 prim: INTEGER           :-3774658F
 3106:d=6  hl=2 l=  13 cons: SEQUENCE          
 3108:d=7  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
 3119:d=7  hl=2 l=   0 prim: NULL              
 3121:d=6  hl=2 l=  57 cons: SEQUENCE          
 3123:d=7  hl=2 l=  26 cons: SET              
 3125:d=8  hl=2 l=  24 cons: SEQUENCE          
 3127:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 3132:d=9  hl=2 l=  17 prim: T61STRING         :[hidden email]
 3151:d=7  hl=2 l=  27 cons: SET              
 3153:d=8  hl=2 l=  25 cons: SEQUENCE          
 3155:d=9  hl=2 l=   3 prim: OBJECT            :name
 3160:d=9  hl=2 l=  18 prim: PRINTABLESTRING   :Type:Administrator
 3180:d=6  hl=2 l=  30 cons: SEQUENCE          
 3182:d=7  hl=2 l=  13 prim: UTCTIME           :140903015324Z
 3197:d=7  hl=2 l=  13 prim: UTCTIME           :240831015324Z
 3212:d=6  hl=2 l=  37 cons: SEQUENCE          
 3214:d=7  hl=2 l=  11 cons: SET              
 3216:d=8  hl=2 l=   9 cons: SEQUENCE          
 3218:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 3223:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :op
 3227:d=7  hl=2 l=  22 cons: SET              
 3229:d=8  hl=2 l=  20 cons: SEQUENCE          
 3231:d=9  hl=2 l=   3 prim: OBJECT            :name
 3236:d=9  hl=2 l=  13 prim: PRINTABLESTRING   :Type:Operator
 3251:d=6  hl=2 l=   7 cons: SEQUENCE          
 3253:d=7  hl=2 l=   2 cons: SEQUENCE          
 3255:d=8  hl=2 l=   0 prim: OBJECT            :BAD OBJECT

Another length 0 "BAD OBJECT".

 3257:d=7  hl=2 l=   1 prim: BIT STRING        
 3260:d=6  hl=4 l= 450 cons: cont [ 3 ]        
 3264:d=7  hl=4 l= 446 cons: SEQUENCE          
 3268:d=8  hl=2 l=   9 cons: SEQUENCE          
 3270:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 3275:d=9  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
 3279:d=8  hl=2 l=  29 cons: SEQUENCE          
 3281:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 3286:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
 3310:d=8  hl=4 l= 354 cons: SEQUENCE          
 3314:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 3319:d=9  hl=4 l= 345 prim: OCTET STRING      [HEX DUMP]:308201558014E565F1F3930F93B85B0D3666F9561126C4EC5210A1820138A482013430820130310B3009060355040613022D2D311330110603550403130A53636F747420426F79643111300F060355040814083C4E4F444154413E3111300F060355040714083C4E4F444154413E31193017060355040A1310546865204D61634861782047726F7570310A3008060355040B13012D311C301A06092A864886F70D010901160D73636F7474406861782E636F6D3181A0301006035504291309486173683A736861313028060355042913215365727665723A62696774657374352E6465766C616E2E6269676669782E636F6D301C060355042913154C6963656E7365416C6C6F636174696F6E3A313030301B06035504291314437573746F6D416374696F6E733A456E61626C65302706035504291320437573746F6D52657472696576656450726F706572746965733A456E61626C65820123
 3668:d=8  hl=2 l=  13 cons: SEQUENCE          
 3670:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 3675:d=9  hl=2 l=   1 prim: BOOLEAN           :255
 3678:d=9  hl=2 l=   3 prim: OCTET STRING      [HEX DUMP]:030100
 3683:d=8  hl=2 l=  29 cons: SEQUENCE          
 3685:d=9  hl=2 l=  10 prim: OBJECT            :1.3.6.1.4.1.21299.6.1
 3697:d=9  hl=2 l=  15 prim: OCTET STRING      [HEX DUMP]:040D62757A7A6C655F25323562756D
 3714:d=5  hl=2 l=  13 cons: SEQUENCE          
 3716:d=6  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
 3727:d=6  hl=2 l=   0 prim: NULL              
 3729:d=5  hl=4 l= 257 prim: BIT STRING        
 3990:d=3  hl=4 l= 604 cons: SET              
 3994:d=4  hl=4 l= 600 cons: SEQUENCE          
 3998:d=5  hl=2 l=   1 prim: INTEGER           :01
 4001:d=5  hl=4 l= 311 cons: SEQUENCE          
 4005:d=6  hl=4 l= 304 cons: SEQUENCE          
 4009:d=7  hl=2 l=  11 cons: SET              
 4011:d=8  hl=2 l=   9 cons: SEQUENCE          
 4013:d=9  hl=2 l=   3 prim: OBJECT            :countryName
 4018:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :--
 4022:d=7  hl=2 l=  19 cons: SET              
 4024:d=8  hl=2 l=  17 cons: SEQUENCE          
 4026:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 4031:d=9  hl=2 l=  10 prim: PRINTABLESTRING   :Scott Boyd
 4043:d=7  hl=2 l=  17 cons: SET              
 4045:d=8  hl=2 l=  15 cons: SEQUENCE          
 4047:d=9  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
 4052:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>
 4062:d=7  hl=2 l=  17 cons: SET              
 4064:d=8  hl=2 l=  15 cons: SEQUENCE          
 4066:d=9  hl=2 l=   3 prim: OBJECT            :localityName
 4071:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>
 4081:d=7  hl=2 l=  25 cons: SET              
 4083:d=8  hl=2 l=  23 cons: SEQUENCE          
 4085:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
 4090:d=9  hl=2 l=  16 prim: PRINTABLESTRING   :The MacHax Group
 4108:d=7  hl=2 l=  10 cons: SET              
 4110:d=8  hl=2 l=   8 cons: SEQUENCE          
 4112:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
 4117:d=9  hl=2 l=   1 prim: PRINTABLESTRING   :-
 4120:d=7  hl=2 l=  28 cons: SET              
 4122:d=8  hl=2 l=  26 cons: SEQUENCE          
 4124:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
 4135:d=9  hl=2 l=  13 prim: IA5STRING         :[hidden email]
 4150:d=7  hl=3 l= 160 cons: SET              
 4153:d=8  hl=2 l=  16 cons: SEQUENCE          
 4155:d=9  hl=2 l=   3 prim: OBJECT            :name
 4160:d=9  hl=2 l=   9 prim: PRINTABLESTRING   :Hash:sha1
 4171:d=8  hl=2 l=  40 cons: SEQUENCE          
 4173:d=9  hl=2 l=   3 prim: OBJECT            :name
 4178:d=9  hl=2 l=  33 prim: PRINTABLESTRING   :Server:bigtest5.devlan.bigfix.com
 4213:d=8  hl=2 l=  28 cons: SEQUENCE          
 4215:d=9  hl=2 l=   3 prim: OBJECT            :name
 4220:d=9  hl=2 l=  21 prim: PRINTABLESTRING   :LicenseAllocation:100
 4243:d=8  hl=2 l=  27 cons: SEQUENCE          
 4245:d=9  hl=2 l=   3 prim: OBJECT            :name
 4250:d=9  hl=2 l=  20 prim: PRINTABLESTRING   :CustomActions:Enable
 4272:d=8  hl=2 l=  39 cons: SEQUENCE          
 4274:d=9  hl=2 l=   3 prim: OBJECT            :name
 4279:d=9  hl=2 l=  32 prim: PRINTABLESTRING   :CustomRetrievedProperties:Enable
 4313:d=6  hl=2 l=   1 prim: INTEGER           :24
 4316:d=5  hl=2 l=   9 cons: SEQUENCE          
 4318:d=6  hl=2 l=   5 prim: OBJECT            :sha1
 4325:d=6  hl=2 l=   0 prim: NULL              
 4327:d=5  hl=2 l= 123 cons: cont [ 0 ]        
 4329:d=6  hl=2 l=  24 cons: SEQUENCE          
 4331:d=7  hl=2 l=   9 prim: OBJECT            :contentType
 4342:d=7  hl=2 l=  11 cons: SET              
 4344:d=8  hl=2 l=   9 prim: OBJECT            :pkcs7-data
 4355:d=6  hl=2 l=  28 cons: SEQUENCE          
 4357:d=7  hl=2 l=   9 prim: OBJECT            :signingTime
 4368:d=7  hl=2 l=  15 cons: SET              
 4370:d=8  hl=2 l=  13 prim: UTCTIME           :140903015331Z
 4385:d=6  hl=2 l=  28 cons: SEQUENCE          
 4387:d=7  hl=2 l=   9 prim: OBJECT            :1.3.6.1.4.1.21299.9
 4398:d=7  hl=2 l=  15 cons: SET              
 4400:d=8  hl=2 l=  13 prim: OCTET STRING      :buzzle_%25bum
 4415:d=6  hl=2 l=  35 cons: SEQUENCE          
 4417:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest
 4428:d=7  hl=2 l=  22 cons: SET              
 4430:d=8  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:3E5C2E4829180F2057A46CCE6A909B7B21C1FDEB
 4452:d=5  hl=2 l=  13 cons: SEQUENCE          
 4454:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
 4465:d=6  hl=2 l=   0 prim: NULL              
 4467:d=5  hl=3 l= 128 prim: OCTET STRING      [HEX DUMP]:53E4F0F10BD0A564B86BFF1132D204BEA843804DED992622014E57EB20889EB827A254FD1CFC4DA95686EF820530FD58CB9754AE88BD16ABF37B4CECD2DEA605590777ED209B1BC0380AD908AAC097FC7E807530FDFA1C20C79144EE5AA3884DB19037457E8337150446FC7A65BFED8A92ADF725EEB12A777B4258DA0816BA84
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Behavior change in 1.0.1i crypto (?)

Andy Schmidt
Great, thank you!

The problem is that the API call sequence generates different S/MIME
and/or PKCS7 output between 1.0.1h and 1.0.1i. The attached files are
generated from the same API call sequence, JohnHancock.smime.h with
1.0.1h and JohnHancock.smime.i with 1.0.1i. The h version S/MIME does
not have the BAD OBJECTs (or <INVALID> with my openssl executable),
parsed with "openssl smime -in JohnHancock.smime.h -pk7out | openssl
asn1parse | grep INVALID"

On Wed, Sep 3, 2014 at 2:40 PM, Viktor Dukhovni
<[hidden email]> wrote:

> On Wed, Sep 03, 2014 at 02:01:35PM -0700, Andy Schmidt wrote:
>
>>     openssl smime -in JohnHancock.smime -pk7out
>
> Decoding the pkcs7 data with asn1parse results in:
>
>     0:d=0  hl=4 l=4594 cons: SEQUENCE
>     4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
>    15:d=1  hl=4 l=4579 cons: cont [ 0 ]
>    19:d=2  hl=4 l=4575 cons: SEQUENCE
>    23:d=3  hl=2 l=   1 prim: INTEGER           :01
>    26:d=3  hl=2 l=  11 cons: SET
>    28:d=4  hl=2 l=   9 cons: SEQUENCE
>    30:d=5  hl=2 l=   5 prim: OBJECT            :sha1
>    37:d=5  hl=2 l=   0 prim: NULL
>    39:d=3  hl=2 l=   2 cons: SEQUENCE
>    41:d=4  hl=2 l=   0 prim: OBJECT            :BAD OBJECT
>
> Note the "BAD OBJECT" above.  Objects should not be zero length.
>
>    43:d=3  hl=4 l=3943 cons: cont [ 0 ]
>    47:d=4  hl=4 l=1440 cons: SEQUENCE
>    51:d=5  hl=4 l= 904 cons: SEQUENCE
>    55:d=6  hl=2 l=   3 cons: cont [ 0 ]
>    57:d=7  hl=2 l=   1 prim: INTEGER           :02
>    60:d=6  hl=2 l=   1 prim: INTEGER           :24
>    63:d=6  hl=2 l=  13 cons: SEQUENCE
>    65:d=7  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
>    76:d=7  hl=2 l=   0 prim: NULL
>    78:d=6  hl=4 l= 304 cons: SEQUENCE
>    82:d=7  hl=2 l=  11 cons: SET
>    84:d=8  hl=2 l=   9 cons: SEQUENCE
>    86:d=9  hl=2 l=   3 prim: OBJECT            :countryName
>    91:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :--
>    95:d=7  hl=2 l=  19 cons: SET
>    97:d=8  hl=2 l=  17 cons: SEQUENCE
>    99:d=9  hl=2 l=   3 prim: OBJECT            :commonName
>   104:d=9  hl=2 l=  10 prim: PRINTABLESTRING   :Scott Boyd
>   116:d=7  hl=2 l=  17 cons: SET
>   118:d=8  hl=2 l=  15 cons: SEQUENCE
>   120:d=9  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
>   125:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>
>
> Did you really want the string "<NODATA>" here?
>
>   135:d=7  hl=2 l=  17 cons: SET
>   137:d=8  hl=2 l=  15 cons: SEQUENCE
>   139:d=9  hl=2 l=   3 prim: OBJECT            :localityName
>   144:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>
>
> And here?
>
>   154:d=7  hl=2 l=  25 cons: SET
>   156:d=8  hl=2 l=  23 cons: SEQUENCE
>   158:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
>   163:d=9  hl=2 l=  16 prim: PRINTABLESTRING   :The MacHax Group
>   181:d=7  hl=2 l=  10 cons: SET
>   183:d=8  hl=2 l=   8 cons: SEQUENCE
>   185:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
>   190:d=9  hl=2 l=   1 prim: PRINTABLESTRING   :-
>
> and "-" for the OU?
>
>   193:d=7  hl=2 l=  28 cons: SET
>   195:d=8  hl=2 l=  26 cons: SEQUENCE
>   197:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
>   208:d=9  hl=2 l=  13 prim: IA5STRING         :[hidden email]
>   223:d=7  hl=3 l= 160 cons: SET
>   226:d=8  hl=2 l=  16 cons: SEQUENCE
>   228:d=9  hl=2 l=   3 prim: OBJECT            :name
>   233:d=9  hl=2 l=   9 prim: PRINTABLESTRING   :Hash:sha1
>   244:d=8  hl=2 l=  40 cons: SEQUENCE
>   246:d=9  hl=2 l=   3 prim: OBJECT            :name
>   251:d=9  hl=2 l=  33 prim: PRINTABLESTRING   :Server:bigtest5.devlan.bigfix.com
>   286:d=8  hl=2 l=  28 cons: SEQUENCE
>   288:d=9  hl=2 l=   3 prim: OBJECT            :name
>   293:d=9  hl=2 l=  21 prim: PRINTABLESTRING   :LicenseAllocation:100
>   316:d=8  hl=2 l=  27 cons: SEQUENCE
>   318:d=9  hl=2 l=   3 prim: OBJECT            :name
>   323:d=9  hl=2 l=  20 prim: PRINTABLESTRING   :CustomActions:Enable
>   345:d=8  hl=2 l=  39 cons: SEQUENCE
>   347:d=9  hl=2 l=   3 prim: OBJECT            :name
>   352:d=9  hl=2 l=  32 prim: PRINTABLESTRING   :CustomRetrievedProperties:Enable
>   386:d=6  hl=2 l=  30 cons: SEQUENCE
>   388:d=7  hl=2 l=  13 prim: UTCTIME           :050317061647Z
>   403:d=7  hl=2 l=  13 prim: UTCTIME           :150315061647Z
>   418:d=6  hl=2 l=  37 cons: SEQUENCE
>   420:d=7  hl=2 l=  11 cons: SET
>   422:d=8  hl=2 l=   9 cons: SEQUENCE
>   424:d=9  hl=2 l=   3 prim: OBJECT            :commonName
>   429:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :op
>   433:d=7  hl=2 l=  22 cons: SET
>   435:d=8  hl=2 l=  20 cons: SEQUENCE
>   437:d=9  hl=2 l=   3 prim: OBJECT            :name
>   442:d=9  hl=2 l=  13 prim: PRINTABLESTRING   :Type:Operator
>   457:d=6  hl=3 l= 159 cons: SEQUENCE
>   460:d=7  hl=2 l=  13 cons: SEQUENCE
>   462:d=8  hl=2 l=   9 prim: OBJECT            :rsaEncryption
>   473:d=8  hl=2 l=   0 prim: NULL
>   475:d=7  hl=3 l= 141 prim: BIT STRING
>   619:d=6  hl=4 l= 336 cons: cont [ 3 ]
>   623:d=7  hl=4 l= 332 cons: SEQUENCE
>   627:d=8  hl=2 l=   9 cons: SEQUENCE
>   629:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
>   634:d=9  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
>   638:d=8  hl=2 l=  44 cons: SEQUENCE
>   640:d=9  hl=2 l=   9 prim: OBJECT            :Netscape Comment
>   651:d=9  hl=2 l=  31 prim: OCTET STRING      [HEX DUMP]:161D4F70656E53534C2047656E657261746564204365727469666963617465
>   684:d=8  hl=2 l=  29 cons: SEQUENCE
>   686:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
>   691:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414527352B137B6F3321178C08C45D10AE65010D6F1
>   715:d=8  hl=3 l= 241 cons: SEQUENCE
>   718:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
>   723:d=9  hl=3 l= 233 prim: OCTET STRING      [HEX DUMP]:3081E68014844BE2E207D03D6C0785F72F7B184CCD5B188086A181C9A481C63081C3310B3009060355040613025553311330110603550408130A43616C69666F726E6961311330110603550407130A456D65727976696C6C6531153013060355040A130C4269674669782C20496E632E311B3019060355040B13125369746520417574686F72697A6174696F6E312C302A06035504031323416374696F6E53697465205265676973747261723A44656E6E697320476F6F64726F773128302606092A864886F70D010901161944656E6E69735F476F6F64726F77404269674669782E636F6D820207EE
>   959:d=5  hl=2 l=  13 cons: SEQUENCE
>   961:d=6  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
>   972:d=6  hl=2 l=   0 prim: NULL
>   974:d=5  hl=4 l= 513 prim: BIT STRING
>  1491:d=4  hl=4 l=1592 cons: SEQUENCE
>  1495:d=5  hl=4 l=1056 cons: SEQUENCE
>  1499:d=6  hl=2 l=   3 cons: cont [ 0 ]
>  1501:d=7  hl=2 l=   1 prim: INTEGER           :02
>  1504:d=6  hl=2 l=   1 prim: INTEGER           :23
>  1507:d=6  hl=2 l=  13 cons: SEQUENCE
>  1509:d=7  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
>  1520:d=7  hl=2 l=   0 prim: NULL
>  1522:d=6  hl=4 l= 304 cons: SEQUENCE
>  1526:d=7  hl=2 l=  11 cons: SET
>  1528:d=8  hl=2 l=   9 cons: SEQUENCE
>  1530:d=9  hl=2 l=   3 prim: OBJECT            :countryName
>  1535:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :--
>  1539:d=7  hl=2 l=  19 cons: SET
>  1541:d=8  hl=2 l=  17 cons: SEQUENCE
>  1543:d=9  hl=2 l=   3 prim: OBJECT            :commonName
>  1548:d=9  hl=2 l=  10 prim: PRINTABLESTRING   :Scott Boyd
>  1560:d=7  hl=2 l=  17 cons: SET
>  1562:d=8  hl=2 l=  15 cons: SEQUENCE
>  1564:d=9  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
>  1569:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>
>  1579:d=7  hl=2 l=  17 cons: SET
>  1581:d=8  hl=2 l=  15 cons: SEQUENCE
>  1583:d=9  hl=2 l=   3 prim: OBJECT            :localityName
>  1588:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>
>  1598:d=7  hl=2 l=  25 cons: SET
>  1600:d=8  hl=2 l=  23 cons: SEQUENCE
>  1602:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
>  1607:d=9  hl=2 l=  16 prim: PRINTABLESTRING   :The MacHax Group
>  1625:d=7  hl=2 l=  10 cons: SET
>  1627:d=8  hl=2 l=   8 cons: SEQUENCE
>  1629:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
>  1634:d=9  hl=2 l=   1 prim: PRINTABLESTRING   :-
>  1637:d=7  hl=2 l=  28 cons: SET
>  1639:d=8  hl=2 l=  26 cons: SEQUENCE
>  1641:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
>  1652:d=9  hl=2 l=  13 prim: IA5STRING         :[hidden email]
>  1667:d=7  hl=3 l= 160 cons: SET
>  1670:d=8  hl=2 l=  16 cons: SEQUENCE
>  1672:d=9  hl=2 l=   3 prim: OBJECT            :name
>  1677:d=9  hl=2 l=   9 prim: PRINTABLESTRING   :Hash:sha1
>  1688:d=8  hl=2 l=  40 cons: SEQUENCE
>  1690:d=9  hl=2 l=   3 prim: OBJECT            :name
>  1695:d=9  hl=2 l=  33 prim: PRINTABLESTRING   :Server:bigtest5.devlan.bigfix.com
>  1730:d=8  hl=2 l=  28 cons: SEQUENCE
>  1732:d=9  hl=2 l=   3 prim: OBJECT            :name
>  1737:d=9  hl=2 l=  21 prim: PRINTABLESTRING   :LicenseAllocation:100
>  1760:d=8  hl=2 l=  27 cons: SEQUENCE
>  1762:d=9  hl=2 l=   3 prim: OBJECT            :name
>  1767:d=9  hl=2 l=  20 prim: PRINTABLESTRING   :CustomActions:Enable
>  1789:d=8  hl=2 l=  39 cons: SEQUENCE
>  1791:d=9  hl=2 l=   3 prim: OBJECT            :name
>  1796:d=9  hl=2 l=  32 prim: PRINTABLESTRING   :CustomRetrievedProperties:Enable
>  1830:d=6  hl=2 l=  30 cons: SEQUENCE
>  1832:d=7  hl=2 l=  13 prim: UTCTIME           :050317000731Z
>  1847:d=7  hl=2 l=  13 prim: UTCTIME           :150315000731Z
>  1862:d=6  hl=2 l=  57 cons: SEQUENCE
>  1864:d=7  hl=2 l=  26 cons: SET
>  1866:d=8  hl=2 l=  24 cons: SEQUENCE
>  1868:d=9  hl=2 l=   3 prim: OBJECT            :commonName
>  1873:d=9  hl=2 l=  17 prim: T61STRING         :[hidden email]
>  1892:d=7  hl=2 l=  27 cons: SET
>  1894:d=8  hl=2 l=  25 cons: SEQUENCE
>  1896:d=9  hl=2 l=   3 prim: OBJECT            :name
>  1901:d=9  hl=2 l=  18 prim: PRINTABLESTRING   :Type:Administrator
>  1921:d=6  hl=4 l= 290 cons: SEQUENCE
>  1925:d=7  hl=2 l=  13 cons: SEQUENCE
>  1927:d=8  hl=2 l=   9 prim: OBJECT            :rsaEncryption
>  1938:d=8  hl=2 l=   0 prim: NULL
>  1940:d=7  hl=4 l= 271 prim: BIT STRING
>  2215:d=6  hl=4 l= 336 cons: cont [ 3 ]
>  2219:d=7  hl=4 l= 332 cons: SEQUENCE
>  2223:d=8  hl=2 l=   9 cons: SEQUENCE
>  2225:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
>  2230:d=9  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
>  2234:d=8  hl=2 l=  44 cons: SEQUENCE
>  2236:d=9  hl=2 l=   9 prim: OBJECT            :Netscape Comment
>  2247:d=9  hl=2 l=  31 prim: OCTET STRING      [HEX DUMP]:161D4F70656E53534C2047656E657261746564204365727469666963617465
>  2280:d=8  hl=2 l=  29 cons: SEQUENCE
>  2282:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
>  2287:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414E565F1F3930F93B85B0D3666F9561126C4EC5210
>  2311:d=8  hl=3 l= 241 cons: SEQUENCE
>  2314:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
>  2319:d=9  hl=3 l= 233 prim: OCTET STRING      [HEX DUMP]:3081E68014844BE2E207D03D6C0785F72F7B184CCD5B188086A181C9A481C63081C3310B3009060355040613025553311330110603550408130A43616C69666F726E6961311330110603550407130A456D65727976696C6C6531153013060355040A130C4269674669782C20496E632E311B3019060355040B13125369746520417574686F72697A6174696F6E312C302A06035504031323416374696F6E53697465205265676973747261723A44656E6E697320476F6F64726F773128302606092A864886F70D010901161944656E6E69735F476F6F64726F77404269674669782E636F6D820207EE
>  2555:d=5  hl=2 l=  13 cons: SEQUENCE
>  2557:d=6  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
>  2568:d=6  hl=2 l=   0 prim: NULL
>  2570:d=5  hl=4 l= 513 prim: BIT STRING
>  3087:d=4  hl=4 l= 899 cons: SEQUENCE
>  3091:d=5  hl=4 l= 619 cons: SEQUENCE
>  3095:d=6  hl=2 l=   3 cons: cont [ 0 ]
>  3097:d=7  hl=2 l=   1 prim: INTEGER           :02
>  3100:d=6  hl=2 l=   4 prim: INTEGER           :-3774658F
>  3106:d=6  hl=2 l=  13 cons: SEQUENCE
>  3108:d=7  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
>  3119:d=7  hl=2 l=   0 prim: NULL
>  3121:d=6  hl=2 l=  57 cons: SEQUENCE
>  3123:d=7  hl=2 l=  26 cons: SET
>  3125:d=8  hl=2 l=  24 cons: SEQUENCE
>  3127:d=9  hl=2 l=   3 prim: OBJECT            :commonName
>  3132:d=9  hl=2 l=  17 prim: T61STRING         :[hidden email]
>  3151:d=7  hl=2 l=  27 cons: SET
>  3153:d=8  hl=2 l=  25 cons: SEQUENCE
>  3155:d=9  hl=2 l=   3 prim: OBJECT            :name
>  3160:d=9  hl=2 l=  18 prim: PRINTABLESTRING   :Type:Administrator
>  3180:d=6  hl=2 l=  30 cons: SEQUENCE
>  3182:d=7  hl=2 l=  13 prim: UTCTIME           :140903015324Z
>  3197:d=7  hl=2 l=  13 prim: UTCTIME           :240831015324Z
>  3212:d=6  hl=2 l=  37 cons: SEQUENCE
>  3214:d=7  hl=2 l=  11 cons: SET
>  3216:d=8  hl=2 l=   9 cons: SEQUENCE
>  3218:d=9  hl=2 l=   3 prim: OBJECT            :commonName
>  3223:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :op
>  3227:d=7  hl=2 l=  22 cons: SET
>  3229:d=8  hl=2 l=  20 cons: SEQUENCE
>  3231:d=9  hl=2 l=   3 prim: OBJECT            :name
>  3236:d=9  hl=2 l=  13 prim: PRINTABLESTRING   :Type:Operator
>  3251:d=6  hl=2 l=   7 cons: SEQUENCE
>  3253:d=7  hl=2 l=   2 cons: SEQUENCE
>  3255:d=8  hl=2 l=   0 prim: OBJECT            :BAD OBJECT
>
> Another length 0 "BAD OBJECT".
>
>  3257:d=7  hl=2 l=   1 prim: BIT STRING
>  3260:d=6  hl=4 l= 450 cons: cont [ 3 ]
>  3264:d=7  hl=4 l= 446 cons: SEQUENCE
>  3268:d=8  hl=2 l=   9 cons: SEQUENCE
>  3270:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
>  3275:d=9  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
>  3279:d=8  hl=2 l=  29 cons: SEQUENCE
>  3281:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
>  3286:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
>  3310:d=8  hl=4 l= 354 cons: SEQUENCE
>  3314:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
>  3319:d=9  hl=4 l= 345 prim: OCTET STRING      [HEX DUMP]:308201558014E565F1F3930F93B85B0D3666F9561126C4EC5210A1820138A482013430820130310B3009060355040613022D2D311330110603550403130A53636F747420426F79643111300F060355040814083C4E4F444154413E3111300F060355040714083C4E4F444154413E31193017060355040A1310546865204D61634861782047726F7570310A3008060355040B13012D311C301A06092A864886F70D010901160D73636F7474406861782E636F6D3181A0301006035504291309486173683A736861313028060355042913215365727665723A62696774657374352E6465766C616E2E6269676669782E636F6D301C060355042913154C6963656E7365416C6C6F636174696F6E3A313030301B06035504291314437573746F6D416374696F6E733A456E61626C65302706035504291320437573746F6D52657472696576656450726F706572746965733A456E61626C65820123
>  3668:d=8  hl=2 l=  13 cons: SEQUENCE
>  3670:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
>  3675:d=9  hl=2 l=   1 prim: BOOLEAN           :255
>  3678:d=9  hl=2 l=   3 prim: OCTET STRING      [HEX DUMP]:030100
>  3683:d=8  hl=2 l=  29 cons: SEQUENCE
>  3685:d=9  hl=2 l=  10 prim: OBJECT            :1.3.6.1.4.1.21299.6.1
>  3697:d=9  hl=2 l=  15 prim: OCTET STRING      [HEX DUMP]:040D62757A7A6C655F25323562756D
>  3714:d=5  hl=2 l=  13 cons: SEQUENCE
>  3716:d=6  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
>  3727:d=6  hl=2 l=   0 prim: NULL
>  3729:d=5  hl=4 l= 257 prim: BIT STRING
>  3990:d=3  hl=4 l= 604 cons: SET
>  3994:d=4  hl=4 l= 600 cons: SEQUENCE
>  3998:d=5  hl=2 l=   1 prim: INTEGER           :01
>  4001:d=5  hl=4 l= 311 cons: SEQUENCE
>  4005:d=6  hl=4 l= 304 cons: SEQUENCE
>  4009:d=7  hl=2 l=  11 cons: SET
>  4011:d=8  hl=2 l=   9 cons: SEQUENCE
>  4013:d=9  hl=2 l=   3 prim: OBJECT            :countryName
>  4018:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :--
>  4022:d=7  hl=2 l=  19 cons: SET
>  4024:d=8  hl=2 l=  17 cons: SEQUENCE
>  4026:d=9  hl=2 l=   3 prim: OBJECT            :commonName
>  4031:d=9  hl=2 l=  10 prim: PRINTABLESTRING   :Scott Boyd
>  4043:d=7  hl=2 l=  17 cons: SET
>  4045:d=8  hl=2 l=  15 cons: SEQUENCE
>  4047:d=9  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
>  4052:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>
>  4062:d=7  hl=2 l=  17 cons: SET
>  4064:d=8  hl=2 l=  15 cons: SEQUENCE
>  4066:d=9  hl=2 l=   3 prim: OBJECT            :localityName
>  4071:d=9  hl=2 l=   8 prim: T61STRING         :<NODATA>
>  4081:d=7  hl=2 l=  25 cons: SET
>  4083:d=8  hl=2 l=  23 cons: SEQUENCE
>  4085:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
>  4090:d=9  hl=2 l=  16 prim: PRINTABLESTRING   :The MacHax Group
>  4108:d=7  hl=2 l=  10 cons: SET
>  4110:d=8  hl=2 l=   8 cons: SEQUENCE
>  4112:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
>  4117:d=9  hl=2 l=   1 prim: PRINTABLESTRING   :-
>  4120:d=7  hl=2 l=  28 cons: SET
>  4122:d=8  hl=2 l=  26 cons: SEQUENCE
>  4124:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
>  4135:d=9  hl=2 l=  13 prim: IA5STRING         :[hidden email]
>  4150:d=7  hl=3 l= 160 cons: SET
>  4153:d=8  hl=2 l=  16 cons: SEQUENCE
>  4155:d=9  hl=2 l=   3 prim: OBJECT            :name
>  4160:d=9  hl=2 l=   9 prim: PRINTABLESTRING   :Hash:sha1
>  4171:d=8  hl=2 l=  40 cons: SEQUENCE
>  4173:d=9  hl=2 l=   3 prim: OBJECT            :name
>  4178:d=9  hl=2 l=  33 prim: PRINTABLESTRING   :Server:bigtest5.devlan.bigfix.com
>  4213:d=8  hl=2 l=  28 cons: SEQUENCE
>  4215:d=9  hl=2 l=   3 prim: OBJECT            :name
>  4220:d=9  hl=2 l=  21 prim: PRINTABLESTRING   :LicenseAllocation:100
>  4243:d=8  hl=2 l=  27 cons: SEQUENCE
>  4245:d=9  hl=2 l=   3 prim: OBJECT            :name
>  4250:d=9  hl=2 l=  20 prim: PRINTABLESTRING   :CustomActions:Enable
>  4272:d=8  hl=2 l=  39 cons: SEQUENCE
>  4274:d=9  hl=2 l=   3 prim: OBJECT            :name
>  4279:d=9  hl=2 l=  32 prim: PRINTABLESTRING   :CustomRetrievedProperties:Enable
>  4313:d=6  hl=2 l=   1 prim: INTEGER           :24
>  4316:d=5  hl=2 l=   9 cons: SEQUENCE
>  4318:d=6  hl=2 l=   5 prim: OBJECT            :sha1
>  4325:d=6  hl=2 l=   0 prim: NULL
>  4327:d=5  hl=2 l= 123 cons: cont [ 0 ]
>  4329:d=6  hl=2 l=  24 cons: SEQUENCE
>  4331:d=7  hl=2 l=   9 prim: OBJECT            :contentType
>  4342:d=7  hl=2 l=  11 cons: SET
>  4344:d=8  hl=2 l=   9 prim: OBJECT            :pkcs7-data
>  4355:d=6  hl=2 l=  28 cons: SEQUENCE
>  4357:d=7  hl=2 l=   9 prim: OBJECT            :signingTime
>  4368:d=7  hl=2 l=  15 cons: SET
>  4370:d=8  hl=2 l=  13 prim: UTCTIME           :140903015331Z
>  4385:d=6  hl=2 l=  28 cons: SEQUENCE
>  4387:d=7  hl=2 l=   9 prim: OBJECT            :1.3.6.1.4.1.21299.9
>  4398:d=7  hl=2 l=  15 cons: SET
>  4400:d=8  hl=2 l=  13 prim: OCTET STRING      :buzzle_%25bum
>  4415:d=6  hl=2 l=  35 cons: SEQUENCE
>  4417:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest
>  4428:d=7  hl=2 l=  22 cons: SET
>  4430:d=8  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:3E5C2E4829180F2057A46CCE6A909B7B21C1FDEB
>  4452:d=5  hl=2 l=  13 cons: SEQUENCE
>  4454:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
>  4465:d=6  hl=2 l=   0 prim: NULL
>  4467:d=5  hl=3 l= 128 prim: OCTET STRING      [HEX DUMP]:53E4F0F10BD0A564B86BFF1132D204BEA843804DED992622014E57EB20889EB827A254FD1CFC4DA95686EF820530FD58CB9754AE88BD16ABF37B4CECD2DEA605590777ED209B1BC0380AD908AAC097FC7E807530FDFA1C20C79144EE5AA3884DB19037457E8337150446FC7A65BFED8A92ADF725EEB12A777B4258DA0816BA84
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]

JohnHancock.smime.i (9K) Download Attachment
JohnHancock.smime.h (9K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Behavior change in 1.0.1i crypto (?)

Viktor Dukhovni
On Wed, Sep 03, 2014 at 04:34:05PM -0700, Andy Schmidt wrote:

> The problem is that the API call sequence generates different S/MIME
> and/or PKCS7 output between 1.0.1h and 1.0.1i. The attached files are
> generated from the same API call sequence, JohnHancock.smime.h with
> 1.0.1h and JohnHancock.smime.i with 1.0.1i. The h version S/MIME does
> not have the BAD OBJECTs (or <INVALID> with my openssl executable),
> parsed with "openssl smime -in JohnHancock.smime.h -pk7out | openssl
> asn1parse | grep INVALID"

The difference I see is:

     d=0  hl=4 l=.... cons: SEQUENCE
     d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
     d=1  hl=4 l=.... cons: cont [ 0 ]
     d=2  hl=4 l=.... cons: SEQUENCE
     d=3  hl=2 l=   1 prim: INTEGER           :01
     d=3  hl=2 l=  11 cons: SET
     d=4  hl=2 l=   9 cons: SEQUENCE
     d=5  hl=2 l=   5 prim: OBJECT            :sha1
     d=5  hl=2 l=   0 prim: NULL
    -d=3  hl=2 l=   3 cons: SEQUENCE
    -d=4  hl=2 l=   1 prim: OBJECT            :itu-t
    -d=3  hl=4 l=.... cons: cont [ 0 ]
    +d=3  hl=2 l=   2 cons: SEQUENCE
    +d=4  hl=2 l=   0 prim: OBJECT            :BAD OBJECT
    +d=3  hl=4 l=.... cons: cont [ 0 ]

The "itu-t" OID is not correctly set in the PKCS7 encoding.  The
same issue shows up again later.  It is not clear what the origin
of the problem might be.  One possibly relevant difference is in
crypto/objects/obj_dat.h:

commit d70c0be4c1e33985a79d691786db72661fdfd057
Author: Matt Caswell <[hidden email]>
Date:   Wed Aug 6 22:18:45 2014 +0100

    make update

...
-{"ITU-T","itu-t",NID_itu_t,1,&(lvalues[4439]),0},
+{"ITU-T","itu-t",NID_itu_t,0,NULL,0},
...

That's a wild guess, it may well be unrelated.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Behavior change in 1.0.1i crypto (?)

Dr. Stephen Henson
In reply to this post by Andy Schmidt
On Wed, Sep 03, 2014, Andy Schmidt wrote:

> Great, thank you!
>
> The problem is that the API call sequence generates different S/MIME
> and/or PKCS7 output between 1.0.1h and 1.0.1i. The attached files are
> generated from the same API call sequence, JohnHancock.smime.h with
> 1.0.1h and JohnHancock.smime.i with 1.0.1i. The h version S/MIME does
> not have the BAD OBJECTs (or <INVALID> with my openssl executable),
> parsed with "openssl smime -in JohnHancock.smime.h -pk7out | openssl
> asn1parse | grep INVALID"
>

There is a bug in 1.0.1h and earlier related to the NID_itu_t. It is defined
as the single value '0'. The encoding rules require at least two components in
an OID so there is actually no way to encode just '0'.

In OpenSSL 1.0.1h NID_itu_t is incorrectly encoded as as 0.0. If you check the
1.0.1h output using earlier versions it incorrectly shows the result as
"itu-t" if you try 1.0.1i it shows "0.0" which is correct.

The fix to this bug made NID_itu_t an invalid object which cannot legally be
put in an ASN1_OBJECT: which is why it shows as invalid. A better option would
be for the encoder to choke attempting to use an invalid OID but that's more
complex to implement and has some side effects.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Behavior change in 1.0.1i crypto (?)

Andy Schmidt
I really appreciate this help. It turns out that these S/MIME
signatures actually multiply signed, and my application is using the
low-level OpenSSL data structures and system calls for the
implementation. So this is in fact a 'user error' ... it's just going
to take me some time to learn enough OpenSSL to find and make the fix.

On Thu, Sep 4, 2014 at 9:58 AM, Dr. Stephen Henson <[hidden email]> wrote:

> On Wed, Sep 03, 2014, Andy Schmidt wrote:
>
>> Great, thank you!
>>
>> The problem is that the API call sequence generates different S/MIME
>> and/or PKCS7 output between 1.0.1h and 1.0.1i. The attached files are
>> generated from the same API call sequence, JohnHancock.smime.h with
>> 1.0.1h and JohnHancock.smime.i with 1.0.1i. The h version S/MIME does
>> not have the BAD OBJECTs (or <INVALID> with my openssl executable),
>> parsed with "openssl smime -in JohnHancock.smime.h -pk7out | openssl
>> asn1parse | grep INVALID"
>>
>
> There is a bug in 1.0.1h and earlier related to the NID_itu_t. It is defined
> as the single value '0'. The encoding rules require at least two components in
> an OID so there is actually no way to encode just '0'.
>
> In OpenSSL 1.0.1h NID_itu_t is incorrectly encoded as as 0.0. If you check the
> 1.0.1h output using earlier versions it incorrectly shows the result as
> "itu-t" if you try 1.0.1i it shows "0.0" which is correct.
>
> The fix to this bug made NID_itu_t an invalid object which cannot legally be
> put in an ASN1_OBJECT: which is why it shows as invalid. A better option would
> be for the encoder to choke attempting to use an invalid OID but that's more
> complex to implement and has some side effects.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]