Building a DER sequence

Building a DER sequence

Ken Goldman-2
I have to build a DER byte stream for a sequence containing:

        algorithm ID
        issuer
        validity
        subject name
        extensions

What is the general approach?

Is there openssl support for this?

Do I construct a sequence and add items to it - top down?

Or do I construct the items and then make a sequence from it - bottom up?
       
Or do I place the items in a custom structure and then write the i2d()
myself?

Any advice, pointers, or sample code would be welcome.


Re: Building a DER sequence

OpenSSL - User mailing list
    Do I construct a sequence and add items to it - top down?

No, because then you have to go back and patch the sequence length and perhaps slide everything up or down a couple of bytes.

I would look at an existing simple sequence and start writing your own based on that; look for ASN1_SEQUENCE macros in crypto/x509/x*.c files.  Another set of macros will declare the i2d/d2i and PEM functions if needed.



Re: Building a DER sequence

Ken Goldman-2
On 6/26/2019 11:34 AM, Salz, Rich via openssl-users wrote:
>      Do I construct a sequence and add items to it - top down?
>
> No, because then you have to go back and patch the sequence length and perhaps slide everything up or down a couple of bytes.
>
> I would look at an existing simple sequence and start writing your own based on that; look for ASN1_SEQUENCE macros in crypto/x509/x*.c files.  Another set of macros will declare the i2d/d2i and PEM functions if needed.

I see those macros, but ... is there any documentation?

What partially worked was
        create an X509 item
        use i2d to serialize it
        ASN1_STRING_SET using the DER
        built an ASN1_TYPE from the ASN1_STRING with ASN1_TYPE_set
        sk_ASN1_TYPE_push

and then i2d_ASN1_SEQUENCE_ANY to get the DER result.

The items are _X509_NAME and X509_VAL.  Is there a shorter way?

       


Re: Building a DER sequence

Ken Goldman-2
In reply to this post by OpenSSL - User mailing list
On 6/26/2019 11:34 AM, Salz, Rich via openssl-users wrote:
>      Do I construct a sequence and add items to it - top down?
>
> No, because then you have to go back and patch the sequence length and perhaps slide everything up or down a couple of bytes.
>
> I would look at an existing simple sequence and start writing your own based on that; look for ASN1_SEQUENCE macros in crypto/x509/x*.c files.  Another set of macros will declare the i2d/d2i and PEM functions if needed.

[I'm happy to read if someone can point me to an article, but I haven't
found anything.]

I am stuck on the X509 extensions.  I.e., with sample certificates,

dumpasn1 shows:

[snip]
453 448: . . [3] {
457 444: . . . SEQUENCE {
461  74: . . . . SEQUENCE {
463   3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17)
        : . . . . . . (X.509 extension)
[snip]

What's that [3]?  Perhaps it means x509v3?

With openssl, it dumps as

         X509v3 extensions:
             X509v3 Subject Alternative Name: critical

How do I build the x509v3 extensions item (and convert it to an
ASN1_TYPE that I can push on the stack)?

That is, I have the sequence using

        X509V3_EXT_conf_nid
        i2d_X509_EXTENSION
        ASN1_STRING_set
       
but how do I encapsulate that in a [3] and then to an ASN1_TYPE that I
can push on the STACK_OF(ASN1_TYPE) stack?

~~

A separate question:

I can build an X509_EXTENSION using X509V3_EXT_conf_nid.  How would I
connect several of them?  Would I use STACK_OF(X509_EXTENSION), push
the extensions, and then use i2d_something?  What's the 'something'?
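The bottom-up encoding Rich describes and the [3] wrapper asked about above, as an added plain-C example that is not part of the thread and does not use OpenSSL: each element is encoded into its own buffer first and then wrapped, so every SEQUENCE length is known before its header is written and nothing has to be patched afterwards. The subjectAltName extension bytes (OID 2.5.29.17, critical, dNSName "x") are constructed for illustration, not taken from any real certificate.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* [3] EXPLICIT as TBSCertificate carries extensions: context-specific (0x80)
 * | constructed (0x20) | tag number 3 = 0xa3. */
#define DER_SEQUENCE 0x30
#define DER_OCTET_STRING 0x04
#define DER_CTX_CONS(n) ((uint8_t)(0x80 | 0x20 | (n)))

/* Wrap already-encoded content in tag + length. Bottom-up: the content
 * length is known before the header is written, so nothing is patched later.
 * Returns the total size, or 0 if out is too small. */
static size_t der_wrap(uint8_t *out, size_t cap, uint8_t tag,
                       const uint8_t *content, size_t clen) {
    size_t n = 0;                                   /* long-form length octets */
    if (clen >= 0x80) for (size_t t = clen; t; t >>= 8) n++;
    if (2 + n + clen > cap) return 0;
    out[0] = tag;
    out[1] = n ? (uint8_t)(0x80 | n) : (uint8_t)clen;
    for (size_t i = 0; i < n; i++)                  /* big-endian length bytes */
        out[2 + i] = (uint8_t)(clen >> (8 * (n - 1 - i)));
    memcpy(out + 2 + n, content, clen);
    return 2 + n + clen;
}

/* One-extension [3] EXPLICIT Extensions field from constructed leaf encodings
 * (not taken from any real certificate). Returns size, or 0 on overflow. */
static size_t build_extensions_field(uint8_t *out, size_t cap) {
    static const uint8_t oid_san[]  = {0x06, 0x03, 0x55, 0x1d, 0x11}; /* 2.5.29.17 */
    static const uint8_t critical[] = {0x01, 0x01, 0xff};             /* BOOLEAN TRUE */
    static const uint8_t dns_name[] = {0x82, 0x01, 0x78};             /* dNSName "x" */
    uint8_t names[8], value[16], body[32], ext[32], exts[32];
    size_t b = 0, n = der_wrap(names, sizeof names, DER_SEQUENCE, dns_name, sizeof dns_name);
    if (!n || !(n = der_wrap(value, sizeof value, DER_OCTET_STRING, names, n))) return 0;
    /* Extension ::= SEQUENCE { extnID, critical, extnValue } */
    memcpy(body + b, oid_san, sizeof oid_san);   b += sizeof oid_san;
    memcpy(body + b, critical, sizeof critical); b += sizeof critical;
    memcpy(body + b, value, n);                  b += n;
    if (!(n = der_wrap(ext, sizeof ext, DER_SEQUENCE, body, b))) return 0;
    if (!(n = der_wrap(exts, sizeof exts, DER_SEQUENCE, ext, n))) return 0; /* SEQUENCE OF */
    return der_wrap(out, cap, DER_CTX_CONS(3), exts, n);                     /* [3] EXPLICIT */
}

int main(void) {
    uint8_t der[64];
    size_t n = build_extensions_field(der, sizeof der);
    for (size_t i = 0; i < n; i++) printf("%02x%c", der[i], i + 1 < n ? ' ' : '\n');
    return n ? 0 : 1;
}
```

The same der_wrap also produces the long-form header the dumpasn1 output shows: a SEQUENCE with 444 content bytes encodes to 448 bytes with length octets 82 01 bc.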

Re: Building a DER sequence

Viktor Dukhovni
In reply to this post by Ken Goldman-2

> On Jun 25, 2019, at 10:59 AM, Ken Goldman <[hidden email]> wrote:
>
> I have to build a DER byte stream for a sequence containing:
>
> algorithm ID
> issuer
> validity
> subject name
> extensions
>
> What is the general approach?

See for example:

https://github.com/openssl/openssl/blob/bc42bd6298702a1abf70aa6383d36886dd5af4b3/crypto/x509/x_x509.c#L18-L31

--
        Viktor.


Re: Building a DER sequence

OpenSSL - User mailing list
In reply to this post by Ken Goldman-2
>    I see those macros, but ... is there any documentation?
 
No.
 


Re: Building a DER sequence

Viktor Dukhovni
On Mon, Jul 01, 2019 at 09:40:25PM +0000, Salz, Rich via openssl-users wrote:
> >    I see those macros, but ... is there any documentation?
>  
> No.

There's a high-level overview at:

    https://www.openssl.org/docs/manmaster/man3/X509_dup.html

--
        Viktor.

Re: Building a DER sequence

Ken Goldman-2
In reply to this post by Viktor Dukhovni
On 7/1/2019 5:19 PM, Viktor Dukhovni wrote:

>
>> On Jun 25, 2019, at 10:59 AM, Ken Goldman <[hidden email]> wrote:
>>
>> I have to build a DER byte stream for a sequence containing:
>>
>> algorithm ID
>> issuer
>> validity
>> subject name
>> extensions
>>
>> What is the general approach?
>
> See for example:
>
> https://github.com/openssl/openssl/blob/bc42bd6298702a1abf70aa6383d36886dd5af4b3/crypto/x509/x_x509.c#L18-L31
>

Does the link just point to an array of macros?

If so, they don't help without any explanation.



Re: Building a DER sequence

Ken Goldman-2
In reply to this post by Viktor Dukhovni
On 7/1/2019 6:03 PM, Viktor Dukhovni wrote:
> On Mon, Jul 01, 2019 at 09:40:25PM +0000, Salz, Rich via openssl-users wrote:
>>>     I see those macros, but ... is there any documentation?
>>    
>> No.
>
> There's a high-level overview at:
>
>      https://www.openssl.org/docs/manmaster/man3/X509_dup.html

That link points to the X509_dup page.  It doesn't explain how to
build a DER sequence, does it?




Re: Building a DER sequence

Viktor Dukhovni
On Jul 3, 2019, at 2:41 PM, Ken Goldman <[hidden email]> wrote:

> That link points to the X509_dup page.  It doesn't explain how to
> build a DER sequence, does it?

The documentation is incomplete, and much RTFS is required, but it
and code pointers should get you started.

--
        Viktor.


Re: Building a DER sequence

Ken Goldman-2
On 7/3/2019 4:30 PM, Viktor Dukhovni wrote:
> On Jul 3, 2019, at 2:41 PM, Ken Goldman <[hidden email]> wrote:
>
>> That link points to the X509_dup page.  It doesn't explain how to
>> build a DER sequence, does it?
>
> The documentation is incomplete, and much RTFS is required, but it
> and code pointers should get you started.

Here's what I have today.

I have a STACK_OF(ASN1_TYPE) to which I have added the issuer, validity,
and subject.

I can get the DER with i2d_ASN1_SEQUENCE_ANY.

I have a STACK_OF(X509_EXTENSION) to which I have added several extensions.

Questions:

1 - Is there an API sequence to add the extension STACK to the asn1_type
STACK?

2 - If not, is there an API sequence to get the DER for the extension
STACK.  If so, I can append it and adjust the overall length.

3 - Is there a way to get the extension DER from a standard x509
certificate?  If so, I can create it and pull out what I need.

4 - I'm trying to create DER that includes only issuer, validity,
subject, and extensions.  It's not a standard X509 certificate.  Is
there a better way?