Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Chang Lee
Does anyone know of a way to take an ASN1_OCTET_STRING that contains a DER encoded Sequence and extract the contents of the Sequence as an ASN1_STRING.  Essentially, I want to construct an ASN1 object of the Sequence.  I guess I could manually parse the Sequence (and deal with the different types of length encoding) but I figure there must be an easier way.

Thanks,
CLee


Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Dominik Oepen
On 21.09.2011 23:27, Chang Lee wrote:
> Does anyone know of a way to take an ASN1_OCTET_STRING that contains a
> DER encoded Sequence and extract the contents of the Sequence as an
> ASN1_STRING.  Essentially, I want to construct an ASN1 object of the
> Sequence.  I guess I could manually parse the Sequence (and deal with
> the different types of length encoding) but I figure there must be an
> easier way.

You can use the macros in asn1t.h for parsing DER encoded data. Have a
look at the comment starting at line 132 (I'm using OpenSSL 1.0.0e) of
this header file. It explains how to declare an ASN1 SEQUENCE. You can
find plenty of examples using these macros within the OpenSSL source
(for example crypto/pkcs7/p7_asn1.c).

However, I'm not exactly sure whether or not the ASN1 subsystem is meant
to be used outside of OpenSSL. I couldn't find a lot of documentation
about it and learned how to use it by reading the source. Maybe one of
the OpenSSL developers could comment on this.

Best regards,
Dominik
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Frank Morgner-2
On Thursday, September 22 at 08:41AM, Dominik Oepen wrote:

>
> On 21.09.2011 23:27, Chang Lee wrote:
> > Does anyone know of a way to take an ASN1_OCTET_STRING that contains a
> > DER encoded Sequence and extract the contents of the Sequence as an
> > ASN1_STRING.  Essentially, I want to construct an ASN1 object of the
> > Sequence.  I guess I could manually parse the Sequence (and deal with
> > the different types of length encoding) but I figure there must be an
> > easier way.
>
> You can use the macros in asn1t.h for parsing DER encoded data. Have a
> look at the comment starting at line 132 (I'm using OpenSSL 1.0.0e) of
> this header file. It explains how to declare an ASN1 SEQUENCE. You can
> find plenty of examples using these macros within the OpenSSL source
> (for example crypto/pkcs7/p7_asn1.c).

Another approach would be to strip tag and length from the octet string
with ASN1_get_object. Then use ASN1_put_object to wrap the data into a
sequence.

Cheers, Frank.


Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Chang Lee
In reply to this post by Dominik Oepen
Thanks Dominik for the tip.  Actually, I have been poring over the OpenSSL code, though we're using the 0.9.8 branch, hoping to find a built-in primitive SEQUENCE to use but to no avail.  As you say, there are templates for primitives and I looked at how the PKCS7 was composed from those primitives but there are so many levels of indirection that it's time consuming to follow.  I guess using C to implement features that object oriented languages such as C++ expose declaratively makes things more complex.  I'll keep looking...

-CLee


On Thu, Sep 22, 2011 at 2:41 AM, Dominik Oepen <[hidden email]> wrote:
On 21.09.2011 23:27, Chang Lee wrote:
> Does anyone know of a way to take an ASN1_OCTET_STRING that contains a
> DER encoded Sequence and extract the contents of the Sequence as an
> ASN1_STRING.  Essentially, I want to construct an ASN1 object of the
> Sequence.  I guess I could manually parse the Sequence (and deal with
> the different types of length encoding) but I figure there must be an
> easier way.

You can use the macros in asn1t.h for parsing DER encoded data. Have a
look at the comment starting at line 132 (I'm using OpenSSL 1.0.0e) of
this header file. It explains how to declare an ASN1 SEQUENCE. You can
find plenty of examples using these macros within the OpenSSL source
(for example crypto/pkcs7/p7_asn1.c).

However, I'm not exactly sure whether or not the ASN1 subsystem is meant
to be used outside of OpenSSL. I couldn't find a lot of documentation
about it and learned how to use it by reading the source. Maybe one of
the OpenSSL developers could comment on this.

Best regards,
Dominik

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Dr. Stephen Henson
In reply to this post by Dominik Oepen
On Thu, Sep 22, 2011, Dominik Oepen wrote:

>
> However, I'm not exactly sure whether or not the ASN1 subsystem is meant
> to be used outside of OpenSSL. I couldn't find a lot of documentation
> about it and learned how to use it by reading the source. Maybe one of
> the OpenSSL developers could comment on this.
>

It can be used outside OpenSSL and has a few features which work around
platform limitations: exporting variables as functions for example.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Dr. Stephen Henson
In reply to this post by Chang Lee
On Thu, Sep 22, 2011, Chang Lee wrote:

> Thanks Dominik for the tip.  Actually, I have been poring over the OpenSSL
> code, though we're using the 0.9.8 branch, hoping to find a built-in
> primitive SEQUENCE to use but to no avail.  As you say, there are templates
> for primitives and I looked at how the PKCS7 was composed from those
> primitives but there are so many levels of indirection that it's time
> consuming to follow.  I guess using C to implement features that object
> oriented languages such as C++ expose declaratively makes things more
> complex.  I'll keep looking...
>

Can you be a bit more specific about what you are trying to do? Do you want to
parse a specific ASN1 structure or handle a general case?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Michael S. Zick-4
In reply to this post by Chang Lee
On Thu September 22 2011, Chang Lee wrote:
> Thanks Dominik for the tip.  Actually, I have been poring over the OpenSSL
> code, though we're using the 0.9.8 branch, hoping to find a built-in
> primitive SEQUENCE to use but to no avail.  As you say, there are templates
> for primitives and I looked at how the PKCS7 was composed from those
> primitives but there are so many levels of indirection that it's time
> consuming to follow.  
>

Let the compiler help you, try the: "-E" option switch.

Mike

> I guess using C to implement features that object
> oriented languages such as C++ expose declaratively makes things more
> complex.  I'll keep looking...
>
> -CLee
>
>
> On Thu, Sep 22, 2011 at 2:41 AM, Dominik Oepen <
> [hidden email]> wrote:
>
> > On 21.09.2011 23:27, Chang Lee wrote:
> > > Does anyone know of a way to take an ASN1_OCTET_STRING that contains a
> > > DER encoded Sequence and extract the contents of the Sequence as an
> > > ASN1_STRING.  Essentially, I want to construct an ASN1 object of the
> > > Sequence.  I guess I could manually parse the Sequence (and deal with
> > > the different types of length encoding) but I figure there must be an
> > > easier way.
> >
> > You can use the macros in asn1t.h for parsing DER encoded data. Have a
> > look at the comment starting at line 132 (I'm using OpenSSL 1.0.0e) of
> > this header file. It explains how to declare an ASN1 SEQUENCE. You can
> > find plenty of examples using these macros within the OpenSSL source
> > (for example crypto/pkcs7/p7_asn1.c).
> >
> > However, I'm not exactly sure whether or not the ASN1 subsystem is meant
> > to be used outside of OpenSSL. I couldn't find a lot of documentation
> > about it and learned how to use it by reading the source. Maybe one of
> > the OpenSSL developers could comment on this.
> >
> > Best regards,
> > Dominik
> >
>



Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Chang Lee
In reply to this post by Dr. Stephen Henson
I'm trying to parse the content of an ASN1_OCTET_STRING, which I know/expect to be a DER encoded SEQUENCE, into an object.  I need to do this because I'm trying to verify an Authenticode signature.  I need to generate a digest of the contents of the signedData sans the type & length bytes. Now generating the object via d2i_PKCS7 results in the p7->d.sign->contents->d.other->value.octet_string containing the contents of the ContentInfo.content [0] which is itself a SEQUENCE (SpcIndirectDataContent).  Unfortunately, Authenticode needs the digest of the content of SpcIndirectDataContent.  Therein lies the reason why I'm trying to 'peel' off one layer to get at the data.  I was initially hunting for a generic SEQUENCE object that I could parse the data but I couldn't find one.
I have attempted to create a SEQUENCE from the template but have yet to get it to work.  This is what I've tried:

///////HEADER FILE:

typedef struct authenticode_inner_content_st
{
    ASN1_OCTET_STRING *pData;
} AUTHENTICODE_INNER_CONTENT;

DECLARE_ASN1_FUNCTIONS(AUTHENTICODE_INNER_CONTENT)

typedef struct authenticode_content_st
{
    AUTHENTICODE_INNER_CONTENT *pInnerContent;
} AUTHENTICODE_CONTENT;

DECLARE_ASN1_FUNCTIONS(AUTHENTICODE_CONTENT)


///////CPP FILE:

ASN1_SEQUENCE(AUTHENTICODE_INNER_CONTENT) = {
    ASN1_SIMPLE(AUTHENTICODE_INNER_CONTENT, pData, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(AUTHENTICODE_INNER_CONTENT)

ASN1_SEQUENCE(AUTHENTICODE_CONTENT) = {
    ASN1_SIMPLE(AUTHENTICODE_CONTENT, pInnerContent, AUTHENTICODE_INNER_CONTENT)
} ASN1_SEQUENCE_END(AUTHENTICODE_CONTENT)

IMPLEMENT_ASN1_FUNCTIONS(AUTHENTICODE_INNER_CONTENT)
IMPLEMENT_ASN1_FUNCTIONS(AUTHENTICODE_CONTENT)

...
ASN1_OCTET_STRING *content = p7->d.sign->contents->d.other->value.octet_string;
AUTHENTICODE_CONTENT *pAuthContent =
    d2i_AUTHENTICODE_CONTENT(NULL, (const unsigned char**)&content->data, content->length);
...
////////////////////////////////////////////


d2i_AUTHENTICODE_CONTENT(...) errors out.


-Clee




On Thu, Sep 22, 2011 at 10:07 AM, Dr. Stephen Henson <[hidden email]> wrote:
On Thu, Sep 22, 2011, Chang Lee wrote:

> Thanks Dominik for the tip.  Actually, I have been poring over the OpenSSL
> code, though we're using the 0.9.8 branch, hoping to find a built-in
> primitive SEQUENCE to use but to no avail.  As you say, there are templates
> for primitives and I looked at how the PKCS7 was composed from those
> primitives but there are so many levels of indirection that it's time
> consuming to follow.  I guess using C to implement features that object
> oriented languages such as C++ expose declaratively makes things more
> complex.  I'll keep looking...
>

Can you be a bit more specific about what you are trying to do? Do you want to
parse a specific ASN1 structure or handle a general case?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Dr. Stephen Henson
On Thu, Sep 22, 2011, Chang Lee wrote:

> I'm trying to parse the content of an ASN1_OCTET_STRING, which I know/expect
> to be a DER encoded SEQUENCE, into an object.  I need to do this because I'm
> trying to verify an Authenticode signature.  I need to generate a digest of
> the contents of the signedData sans the type & length bytes. Now generating
> the object via d2i_PKCS7 results in the
> p7->d.sign->contents->d.other->value.octet_string containing the contents of
> the ContentInfo.content [0] which is itself a SEQUENCE
> (SpcIndirectDataContent).  Unfortunately, Authenticode needs the digest of
> the content of SpcIndirectDataContent.  Therein lies the reason why I'm
> trying to 'peel' off one layer to get at the data.  I was initially hunting
> for a generic SEQUENCE object that I could parse the data but I couldn't
> find one.
> I have attempted to create a SEQUENCE from the template but have yet to get
> it to work.  This is what I've tried:
>

Ah OK. So you've got the data into an ASN1_OCTET_STRING whose contents are a
SEQUENCE and you want the content octets of that SEQUENCE but without the
SEQUENCE tag+length octets?

Well there isn't anything which does that directly. You can get the DER buffer
using ASN1_STRING_length(os) and ASN1_STRING_data(os). That will give you the
SEQUENCE tag at the start and the content included.

If you want to skip over the tag+length octets of that buffer you need to do
some lower level stuff. If you use ASN1_get_object() it will tell you the
length of the sequence and skip the header. So the updated pointer will be
the start of the SEQUENCE contents and the length will be the length of that
content.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
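
Added example (not from any poster in this thread, and not OpenSSL code): a dependency-free C sketch of the header-skipping step that the reply above delegates to ASN1_get_object(), restricted to a DER SEQUENCE. The names der_content and der_sequence_content and the sample bytes are constructed for illustration; the function rejects indefinite, non-minimal and overlong lengths and reports trailing octets so the caller can refuse them before digesting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of peeling one DER header off a buffer. */
typedef struct {
    const uint8_t *content;   /* first content octet, header skipped */
    size_t         length;    /* number of content octets */
    size_t         trailing;  /* octets left in the buffer after the content */
} der_content;

/* Skip the tag+length octets of a DER SEQUENCE in buf[0..len).
 * Returns 0 on success, -1 if the header is malformed or overruns buf. */
int der_sequence_content(const uint8_t *buf, size_t len, der_content *out)
{
    size_t pos = 0, clen = 0;

    if (buf == NULL || out == NULL || len < 2)
        return -1;
    if (buf[pos++] != 0x30)            /* universal, constructed, SEQUENCE */
        return -1;

    uint8_t first = buf[pos++];
    if (first < 0x80) {                /* short form: one length octet */
        clen = first;
    } else {
        size_t n = first & 0x7F;       /* long form: n length octets follow */
        if (n == 0)                    /* 0x80 is indefinite length: not DER */
            return -1;
        if (n > sizeof(size_t) || n > len - pos)
            return -1;                 /* would overflow or run off the end */
        if (buf[pos] == 0)             /* DER forbids a leading zero octet */
            return -1;
        for (size_t i = 0; i < n; i++)
            clen = (clen << 8) | buf[pos++];
        if (clen < 0x80)               /* DER requires short form here */
            return -1;
    }
    if (clen > len - pos)              /* content must fit inside the buffer */
        return -1;

    out->content  = buf + pos;
    out->length   = clen;
    out->trailing = len - pos - clen;
    return 0;
}

int main(void)
{
    /* Constructed sample: SEQUENCE { INTEGER 5 } */
    static const uint8_t sample[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    der_content c;

    if (der_sequence_content(sample, sizeof sample, &c) != 0 || c.trailing != 0) {
        fprintf(stderr, "malformed SEQUENCE\n");
        return 1;
    }
    /* c.content .. c.content + c.length is what would be fed to the digest */
    printf("content offset %zu, length %zu\n",
           (size_t)(c.content - sample), c.length);
    return 0;
}
```

With OpenSSL itself, ASN1_get_object() advances the pointer it is given, so call it on a copy of the octet string's data pointer and treat a return value with bit 0x80 set as an error.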

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Chang Lee
Thanks for the info. I'll try to get it to work using ASN1_get_object().
Just for my edification, was my approach using the templates and macros not a viable option?


On Thu, Sep 22, 2011 at 12:22 PM, Dr. Stephen Henson <[hidden email]> wrote:
On Thu, Sep 22, 2011, Chang Lee wrote:

> I'm trying to parse the content of an ASN1_OCTET_STRING, which I know/expect
> to be a DER encoded SEQUENCE, into an object.  I need to do this because I'm
> trying to verify an Authenticode signature.  I need to generate a digest of
> the contents of the signedData sans the type & length bytes. Now generating
> the object via d2i_PKCS7 results in the
> p7->d.sign->contents->d.other->value.octet_string containing the contents of
> the ContentInfo.content [0] which is itself a SEQUENCE
> (SpcIndirectDataContent).  Unfortunately, Authenticode needs the digest of
> the content of SpcIndirectDataContent.  Therein lies the reason why I'm
> trying to 'peel' off one layer to get at the data.  I was initially hunting
> for a generic SEQUENCE object that I could parse the data but I couldn't
> find one.
> I have attempted to create a SEQUENCE from the template but have yet to get
> it to work.  This is what I've tried:
>

Ah OK. So you've got the data into an ASN1_OCTET_STRING whose contents are a
SEQUENCE and you want the content octets of that SEQUENCE but without the
SEQUENCE tag+length octets?

Well there isn't anything which does that directly. You can get the DER buffer
using ASN1_STRING_length(os) and ASN1_STRING_data(os). That will give you the
SEQUENCE tag at the start and the content included.

If you want to skip over the tag+length octets of that buffer you need to do
some lower level stuff. If you use ASN1_get_object() it will tell you the
length of the sequence and skip the header. So the updated pointer will be
the start of the SEQUENCE contents and the length will be the length of that
content.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Dr. Stephen Henson
On Thu, Sep 22, 2011, Chang Lee wrote:

> Thanks for the info. I'll try to get it to work using ASN1_get_object().
> Just for my edification, was my approach using the templates and macros not
> a viable option?
>

Well it would work but you'd have to parse the whole structure which isn't
necessary if you just want to skip the SEQUENCE header. Even then when you
outputted the structure you'd get the SEQUENCE header again.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Chang Lee
ASN1_get_object() got the job done.  Thanks.


On Thu, Sep 22, 2011 at 1:34 PM, Dr. Stephen Henson <[hidden email]> wrote:
On Thu, Sep 22, 2011, Chang Lee wrote:

> Thanks for the info. I'll try to get it to work using ASN1_get_object().
> Just for my edification, was my approach using the templates and macros not
> a viable option?
>

Well it would work but you'd have to parse the whole structure which isn't
necessary if you just want to skip the SEQUENCE header. Even then when you
outputted the structure you'd get the SEQUENCE header again.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

Chang Lee
In reply to this post by Frank Morgner-2
Nice tip.  I'll look into that.


On Thu, Sep 22, 2011 at 4:19 AM, Frank Morgner <[hidden email]> wrote:
On Thursday, September 22 at 08:41AM, Dominik Oepen wrote:
>
> On 21.09.2011 23:27, Chang Lee wrote:
> > Does anyone know of a way to take an ASN1_OCTET_STRING that contains a
> > DER encoded Sequence and extract the contents of the Sequence as an
> > ASN1_STRING.  Essentially, I want to construct an ASN1 object of the
> > Sequence.  I guess I could manually parse the Sequence (and deal with
> > the different types of length encoding) but I figure there must be an
> > easier way.
>
> You can use the macros in asn1t.h for parsing DER encoded data. Have a
> look at the comment starting at line 132 (I'm using OpenSSL 1.0.0e) of
> this header file. It explains how to declare an ASN1 SEQUENCE. You can
> find plenty of examples using these macros within the OpenSSL source
> (for example crypto/pkcs7/p7_asn1.c).

Another approach would be to strip tag and length from the octet string
with ASN1_get_object. Then use ASN1_put_object to wrap the data into a
sequence.

Cheers, Frank.