Extract content of DER-encoded package by OID

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Extract content of DER-encoded package by OID

jMo925

Hello, 
I have a signedData package that contains an encryptedKeyPackage (specifically OID 2.16.840.1.101.2.1.2.78.2, aka id-ct-KP-encryptedKeyPkg) that I want to extract from it. I am somewhat able to extract the sequence that contains this data via the OpenSSL command line: 

$ openssl asn1parse -in <my_pkg.der> -inform DER -strparse <hard-coded offset I computed>

However, I am looking for the OpenSSL calls to do the same thing, ideally extract package contents by its OID without having to know the offset (such that I can extract the data from any given package by that particular OID). How would I go about doing this? I've been looking endlessly into asn1.h and x509.h, and am able to somewhat parse the entire package into a structure, but I could use some guidance as to how to further break it down into parts. Thank you, and I hope to hear a response back soon. 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Extract content of DER-encoded package by OID

Dr. Stephen Henson
On Tue, Jul 18, 2017, Justin Mogannam wrote:

> Hello,
> I have a signedData package that contains an encryptedKeyPackage
> (specifically OID 2.16.840.1.101.2.1.2.78.2, aka id-ct-KP-encryptedKeyPkg)
> that I want to extract from it. I am somewhat able to extract the sequence
> that contains this data via the OpenSSL command line:
>
> $ openssl asn1parse -in <my_pkg.der> -inform DER -strparse <hard-coded
> offset I computed>
>
> However, I am looking for the OpenSSL calls to do the same thing, ideally
> extract package contents by its OID without having to know the offset (such
> that I can extract the data from any given package by that particular OID).
> How would I go about doing this? I've been looking endlessly into asn1.h and
> x509.h, and am able to somewhat parse the entire package into a structure,
> but I could use some guidance as to how to further break it down into parts.
> Thank you, and I hope to hear a response back soon.
>

Well if this follows RFC6032 the outer part will be a ContentInfo structure
which you can parse using d2i_CMS_ContentInfo. From there you can use various
utility functions to analyse it.

For example CMS_get0_eContentType() to get the OID corresponding to the
encapsulated content type and CMS_get0_content() which (if I read the spec
correctly) should get you the EncryptedKeyPackage structure. After that you'll
have to parse it yourself because OpenSSL doesn't support that atructure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Extract content of DER-encoded package by OID

jMo925
Hi Steve,
What you've described sounds exactly like what I want to do. Couple of
questions/concerns in regards to what you've just stated:

1) Is there a way to initialize a CMS_ContentInfo structure like there is a
way to initialize a BIO structure (such as with BIO_new()? ). I'm looking
through openssl/cms.h but I'm not seeing anything.

2) Once again, I'm looking in openssl/cms.h, and I could not find the
function prototype " d2i_CMS_ContentInfo". I even did a grep on the whole
directory. Is it located somewhere else? I have OpenSSL 1.0.1, which is
after 0.9.8 when the function was added to OpenSSL.

3) In looking at the function prototype (via
https://www.openssl.org/docs/man1.0.2/crypto/d2i_CMS_ContentInfo.html):
CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, unsigned char
**pp, long length);
I'm assuming **pp is just a pointer to the array with the DER-encoded
certificate in it? I just want to make sure since some of the parameter
names are a little ambiguous in OpenSSL.

I'm assuming once I'm able to get the DER-encoded certificate in a CMS
object, I can use the function you provided and the ones in cms.h to strip
off "layers" of the certificate to get the encryptedKeyPackage that I want
(which, of course as you mentioned, I'll be able to handle the rest from
there). Thank you very much for your response, as it was very helpful, and I
hope to get just as useful of a response back!

- Justin

-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of
Dr. Stephen Henson
Sent: Wednesday, July 19, 2017 4:26 AM
To: [hidden email]
Subject: Re: [openssl-users] Extract content of DER-encoded package by OID

On Tue, Jul 18, 2017, Justin Mogannam wrote:

> Hello,
> I have a signedData package that contains an encryptedKeyPackage
> (specifically OID 2.16.840.1.101.2.1.2.78.2, aka
> id-ct-KP-encryptedKeyPkg) that I want to extract from it. I am
> somewhat able to extract the sequence that contains this data via the
OpenSSL command line:
>
> $ openssl asn1parse -in <my_pkg.der> -inform DER -strparse <hard-coded
> offset I computed>
>
> However, I am looking for the OpenSSL calls to do the same thing,
> ideally extract package contents by its OID without having to know the
> offset (such that I can extract the data from any given package by that
particular OID).
> How would I go about doing this? I've been looking endlessly into
> asn1.h and x509.h, and am able to somewhat parse the entire package
> into a structure, but I could use some guidance as to how to further break
it down into parts.
> Thank you, and I hope to hear a response back soon.
>

Well if this follows RFC6032 the outer part will be a ContentInfo structure
which you can parse using d2i_CMS_ContentInfo. From there you can use
various utility functions to analyse it.

For example CMS_get0_eContentType() to get the OID corresponding to the
encapsulated content type and CMS_get0_content() which (if I read the spec
correctly) should get you the EncryptedKeyPackage structure. After that
you'll have to parse it yourself because OpenSSL doesn't support that
atructure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Extract content of DER-encoded package by OID

Dr. Stephen Henson
On Wed, Jul 19, 2017, Justin Mogannam wrote:

>
> 2) Once again, I'm looking in openssl/cms.h, and I could not find the
> function prototype " d2i_CMS_ContentInfo". I even did a grep on the whole
> directory. Is it located somewhere else? I have OpenSSL 1.0.1, which is
> after 0.9.8 when the function was added to OpenSSL.
>

See:

https://www.openssl.org/docs/faq.html#PROG13


> 3) In looking at the function prototype (via
> https://www.openssl.org/docs/man1.0.2/crypto/d2i_CMS_ContentInfo.html):
> CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, unsigned char
> **pp, long length);
> I'm assuming **pp is just a pointer to the array with the DER-encoded
> certificate in it? I just want to make sure since some of the parameter
> names are a little ambiguous in OpenSSL.
>
> I'm assuming once I'm able to get the DER-encoded certificate in a CMS
> object, I can use the function you provided and the ones in cms.h to strip
> off "layers" of the certificate to get the encryptedKeyPackage that I want
> (which, of course as you mentioned, I'll be able to handle the rest from
> there). Thank you very much for your response, as it was very helpful, and I
> hope to get just as useful of a response back!
>

I'm not sure what you mean by "certificate" here. The structure you mentioned
will be a CMS ContentInfo.

Anyway see:

https://www.openssl.org/docs/faq.html#PROG3

for details about how to decode the DER form.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Extract content of DER-encoded package by OID

jMo925
Thanks for the tips thus far. One of the last issues I'm having is actually
declaring a CMS_ContentInfo structure. I just declare :

CMS_ContentInfo cms;

Amd gcc tells me "error: storage size of 'cms' isn't known". This goes back
to my question 1 of the previous email: is there a particular function call
to use to construct a CMS_ContentInfo structure? Thanks!

-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of
Dr. Stephen Henson
Sent: Wednesday, July 19, 2017 6:32 PM
To: [hidden email]
Subject: Re: [openssl-users] Extract content of DER-encoded package by OID

On Wed, Jul 19, 2017, Justin Mogannam wrote:

>
> 2) Once again, I'm looking in openssl/cms.h, and I could not find the
> function prototype " d2i_CMS_ContentInfo". I even did a grep on the
> whole directory. Is it located somewhere else? I have OpenSSL 1.0.1,
> which is after 0.9.8 when the function was added to OpenSSL.
>

See:

https://www.openssl.org/docs/faq.html#PROG13


> 3) In looking at the function prototype (via
> https://www.openssl.org/docs/man1.0.2/crypto/d2i_CMS_ContentInfo.html):
> CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, unsigned
> char **pp, long length); I'm assuming **pp is just a pointer to the
> array with the DER-encoded certificate in it? I just want to make sure
> since some of the parameter names are a little ambiguous in OpenSSL.
>
> I'm assuming once I'm able to get the DER-encoded certificate in a CMS
> object, I can use the function you provided and the ones in cms.h to
> strip off "layers" of the certificate to get the encryptedKeyPackage
> that I want (which, of course as you mentioned, I'll be able to handle
> the rest from there). Thank you very much for your response, as it was
> very helpful, and I hope to get just as useful of a response back!
>

I'm not sure what you mean by "certificate" here. The structure you
mentioned will be a CMS ContentInfo.

Anyway see:

https://www.openssl.org/docs/faq.html#PROG3

for details about how to decode the DER form.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Extract content of DER-encoded package by OID

Dr. Stephen Henson
On Thu, Jul 20, 2017, Justin Mogannam wrote:

> Thanks for the tips thus far. One of the last issues I'm having is actually
> declaring a CMS_ContentInfo structure. I just declare :
>
> CMS_ContentInfo cms;
>
> Amd gcc tells me "error: storage size of 'cms' isn't known". This goes back
> to my question 1 of the previous email: is there a particular function call
> to use to construct a CMS_ContentInfo structure? Thanks!
>

In common with many structures CMS_ContentInfo is opaque so you can only
declare pointers to the structure not the structure itself.  The
d2i_CMS_ContentInfo() function will return a pointer to a CMS_ContentInfo
structure containing the contents of the parsed DER buffer. You can then use
that pointer in other CMS utility functions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Extract content of DER-encoded package by OID

jMo925
Okay, I've made some progress, but hit a wall now. Here's what I have so
far:

/************* start code *************/

char* encrypted; // DER-encoded buffer */
char* encryptedSize; // size in bytes of encrypted buffer

CMS_ContentInfo* cms;

unsigned char* p;
p = encrypted;

CMS_ContentInfo** cmsPtr = &cms;
cms = d2i_CMS_ContentInfo( NULL, &p, encryptedSize );
if ( cms == NULL ) printf("CMS is null!\n");

const ASN1_OBJECT* asn = CMS_get0_eContentType( cms );
if ( asn == NULL ) printf("ASN is null!\n");

/************* end code *************/

None of the checks failed, so the functions passed. However, when I check
asn->data, it appears to be "garbage", or nothing interesting to me. The
flags is 9 (so I'm assuming flag 0x01 and 0x08 were set). Does it look like
I'm doing everything correctly? How would I continue on in parsing the asn1
object/stripping off layers of it? Thanks, and I hope to hear back soon.

- Justin
 
-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of
Dr. Stephen Henson
Sent: Thursday, July 20, 2017 4:07 PM
To: [hidden email]
Subject: Re: [openssl-users] Extract content of DER-encoded package by OID

On Thu, Jul 20, 2017, Justin Mogannam wrote:

> Thanks for the tips thus far. One of the last issues I'm having is
> actually declaring a CMS_ContentInfo structure. I just declare :
>
> CMS_ContentInfo cms;
>
> Amd gcc tells me "error: storage size of 'cms' isn't known". This goes
> back to my question 1 of the previous email: is there a particular
> function call to use to construct a CMS_ContentInfo structure? Thanks!
>

In common with many structures CMS_ContentInfo is opaque so you can only
declare pointers to the structure not the structure itself.  The
d2i_CMS_ContentInfo() function will return a pointer to a CMS_ContentInfo
structure containing the contents of the parsed DER buffer. You can then use
that pointer in other CMS utility functions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users