How to deal with new OIDs

How to deal with new OIDs

Dominik Oepen
Hi all,

in a project I maintain I have to deal with OIDs not contained within
OpenSSL. In particular, I use OpenSSL to parse ASN1 encoded data
containing OIDs (using the Macros from asn1t.h) and do switch-case
statements on the resulting NIDs. Until now I used to patch OpenSSL
(adding the OIDs to objects.txt and running the objects.pl script to
generate the NIDs) to contain my OIDs but this approach is far from ideal.

I know that I can add new OIDs to OpenSSL internals table using the
OBJ_create function. So I could add all my OIDs in a library
initialization function and save the resulting NIDs in some global
data structure. But, as the man page already mentions, I can't use
these NIDs for switch-case statements and probably also not for the
ASN1 macros.

So I would like to ask if there are any best practices on how to deal
with this kind of problem. I'm pretty sure that other people must have
already encountered this problem, but I couldn't find any code or
documentation on how to deal with it.

Best regards,
Dominik
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: How to deal with new OIDs

Dr. Stephen Henson
On Wed, Sep 07, 2011, Dominik Oepen wrote:

> Hi all,
>
> in a project I maintain I have to deal with OIDs not contained within
> OpenSSL. In particular, I use OpenSSL to parse ASN1 encoded data
> containing OIDs (using the Macros from asn1t.h) and do switch-case
> statements on the resulting NIDs. Until now I used to patch OpenSSL
> (adding the OIDs to objects.txt and running the objects.pl script to
> generate the NIDs) to contain my OIDs but this approach is far from ideal.
>
> I know that I can add new OIDs to OpenSSL internals table using the
> OBJ_create function. So I could add all my OIDs in a library
> initialization function and save the resulting NIDs in some global
> data structure. But, as the man page already mentions, I can't use
> these NIDs for switch-case statements and probably also not for the
> ASN1 macros.
>
> So I would like to ask if there are any best practices on how to deal
> with this kind of problem. I'm pretty sure that other people must have
> already encountered this problem, but I couldn't find any code or
> documentation on how to deal with it.
>

That is problematical because if you change objects.txt you end up creating
new NIDs which are pretty much guaranteed to be incompatible with future
versions of OpenSSL that add new OIDs.

The best you can do is to check if the OID exists using for example
OBJ_txt2nid() and if not create it using OBJ_create().

Using dynamically created nids for "any defined by" structures isn't currently
possible using the macros. I can see two options, both a bit messy.

One is to manually encode the relevant field by using the catch-all ASN1_TYPE
structure.

Another is to create the structures needed by the macros, i.e. an ASN1_ADB_TABLE_st,
but which is *not* const so you can write the relevant values dynamically at
runtime. Looking through the macros that should only require that you redefine
the ASN1_ADB macro.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: How to deal with new OIDs

Steffen DETTMER
In reply to this post by Dominik Oepen
Hi all,
Hi Dominik,

> in a project I maintain I have to deal with OIDs not
> contained within OpenSSL. In particular, I use OpenSSL to
> parse ASN1 encoded data containing OIDs (using the Macros
> from asn1t.h) and do switch-case statements on the resulting
> NIDs. Until now I used to patch OpenSSL (adding the OIDs to
> objects.txt and running the objects.pl script to generate the
> NIDs) to contain my OIDs but this approach is far from ideal.

Do you need to work with OIDs and other DER for ASN.1 encoded
data and are using a specific part of OpenSSL as DER
encoder/decoder? In this case you might take a look at

http://lionet.info/asn1c/compiler.html

It is free (BSD), has existed for many years, and there is a
lot of documentation and examples, one of which deals with X.509.

Just in case it helps.

oki,

Steffen

From the webpage:

The asn1c is a free, open source compiler of ASN.1 specifications into C
source code. It supports a range of ASN.1 syntaxes, including
ISO/IEC/ITU ASN.1 1988, '94, '97, 2002 and later amendments. The
supported sets of encoding rules are

    * BER: ITU-T Rec. X.690 | ISO/IEC 8825-1 (2002) (BER/DER/CER)
    * PER: X.691|8825-2 (2002) (PER).
    * XER: X.693|8825-3 (2001) (BASIC-XER/CXER).

The compiler was written specifically to address security concerns while
providing streaming decoding capabilities.



Re: How to deal with new OIDs

Peter Sylvester-3
In reply to this post by Dr. Stephen Henson
On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
> On Wed, Sep 07, 2011, Dominik Oepen wrote:
>

Are these OIDs by chance the ones described in ticket 1794?
Re: How to deal with new OIDs

Dominik Oepen
On 08.09.2011 11:49, Peter Sylvester wrote:
> On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
>> On Wed, Sep 07, 2011, Dominik Oepen wrote:
>>
>
> Are these OIDs by chance the ones described in ticket 1794?

Thanks for the hint, but I'm not using the SRP OIDs. I need two
"families" of OIDs for my project: The OIDs for the elliptic curves
defined in RFC 5639 and the OIDs used for the new German identity card,
defined in the technical guidelines of the Federal Office for
Information Security (BSI).

I once submitted a patch for the RFC 5639 curves
(http://rt.openssl.org/Ticket/Display.html?id=2239&user=guest&pass=guest) but
there seemed to be no interest in it, even though a similar patch was
subsequently submitted by somebody else
(http://old.nabble.com/-openssl.org--2359---PATCH--td29927422.html).

If there is any interest I can supply a patch for the BSI OIDs. They
might also be of interest to people outside of Germany, since they have
been incorporated by the ICAO in a technical guideline
(http://www2.icao.int/en/MRTD/Downloads/Technical%20Reports/Technical%20Report.pdf).

Best regards,
Dominik
Re: How to deal with new OIDs

Dominik Oepen
In reply to this post by Steffen DETTMER
Hi Steffen,

On 08.09.2011 11:16, Steffen DETTMER wrote:

> Hi all,
> Hi Dominik,
>
>> in a project I maintain I have to deal with OIDs not
>> contained within OpenSSL. In particular, I use OpenSSL to
>> parse ASN1 encoded data containing OIDs (using the Macros
>> from asn1t.h) and do switch-case statements on the resulting
>> NIDs. Until now I used to patch OpenSSL (adding the OIDs to
>> objects.txt and running the objects.pl script to generate the
>> NIDs) to contain my OIDs but this approach is far from ideal.
>
> Do you need to work with OIDs and other DER for ASN.1 encoded
> data and are using a specific part of OpenSSL as DER
> encoder/decoder?

That's exactly what I'm doing.

> In this case you might take a look at
>
> http://lionet.info/asn1c/compiler.html
>
> It is free (BSD), has existed for many years, and there is a
> lot of documentation and examples, one of which deals with X.509.
>
> Just in case it helps.

Thanks for the tip.

The code is already written (and working) using OpenSSL's ASN1 macros. I
just want to stop patching OpenSSL in order to deal with OIDs not
contained within OpenSSL. Using a new tool would probably mean that I
will have to rewrite quite a lot of code. That's why I will try Steve's
suggestions first. If I fail I'll have a look at the ASN1 compiler you
suggested.

Again, thanks for the help,
Dominik
Re: How to deal with new OIDs

Peter Sylvester-3
In reply to this post by Dominik Oepen
On 09/08/2011 04:31 PM, Dominik Oepen wrote:
>
> On 08.09.2011 11:49, Peter Sylvester wrote:
>> On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
>>> On Wed, Sep 07, 2011, Dominik Oepen wrote:
>>>
>> Are these OIDs by chance the ones described in ticket 1794?

Actually I meant 2239.
Re: How to deal with new OIDs

Dominik Oepen
On 08.09.2011 16:41, Peter Sylvester wrote:

> On 09/08/2011 04:31 PM, Dominik Oepen wrote:
>> On 08.09.2011 11:49, Peter Sylvester wrote:
>>> On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
>>>> On Wed, Sep 07, 2011, Dominik Oepen wrote:
>>>>
>>> Are these OIDs by chance the ones described in ticket 1794?
>
> Actually I meant 2239.

Yup, this is the RFC 5639 patch I was mentioning.