How to turn on certain elements in CMS objects


How to turn on certain elements in CMS objects

Stephan Mühlstrasser
Hi,

this message is related to another question that I sent with subject
"Unable to decrypt CMS object encrypted with EC prime256v1 certificate".

Below I have included the full ASN.1 dump of the CMS object generated by
a third-party application.

The CMS object has two properties that I so far was not able to
reproduce when creating CMS objects with OpenSSL:

First the AlgorithmIdentifier includes the EC curve name:

   40   19:               SEQUENCE {
   42    7:                 OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
   51    8:                 OBJECT IDENTIFIER ansiX9p256r1 (1 2 840 10045 3 1 7)
          :                 }

In CMS objects created with OpenSSL with the same recipient certificate,
the curve name is always omitted. Is it possible to make OpenSSL emit
the curve name as well?

Second the following:

  129   10:           [1] {
  131    8:             OCTET STRING B1 04 4A FD FC 8B 70 6D
          :             }

If I match this correctly to RFC 5652, this is

ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL

inside the KeyAgreeRecipientInfo SEQUENCE (see
https://tools.ietf.org/html/rfc5652#section-6.2.2).

Can OpenSSL emit this optional element? What is the purpose of the "ukm"
field?

Thank you
Stephan

Full ASN.1 dump follows:

    0  360: SEQUENCE {
    4    9:   OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
   15  345:   [0] {
   19  341:     SEQUENCE {
   23    1:       INTEGER 2
   26  256:       SET {
   30  253:         [1] {
   33    1:           INTEGER 3
   36   91:           [0] {
   38   89:             [1] {
   40   19:               SEQUENCE {
   42    7:                 OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
   51    8:                 OBJECT IDENTIFIER ansiX9p256r1 (1 2 840 10045 3 1 7)
          :                 }
   61   66:               BIT STRING
          :                 04 0E 81 BC 28 63 C8 5A 1E 09 7D 47 1F D3 24 92
          :                 15 6D 94 8A 8D 88 82 CC 65 1F FD 57 B4 B8 DD 77
          :                 97 AB E7 D0 1D 8E C1 FE F6 CB C4 C5 9D B7 7B DE
          :                 60 0E 84 F2 35 4E 19 42 EB B4 D9 F5 71 58 4F 53
          :                 89
          :               }
          :             }
  129   10:           [1] {
  131    8:             OCTET STRING B1 04 4A FD FC 8B 70 6D
          :             }
  141   21:           SEQUENCE {
  143    6:             OBJECT IDENTIFIER '1 3 132 1 11 1'
  151   11:             SEQUENCE {
  153    9:               OBJECT IDENTIFIER aes128-wrap (2 16 840 1 101 3 4 1 5)
          :               }
          :             }
  164  120:           SEQUENCE {
  166  118:             SEQUENCE {
  168   90:               SEQUENCE {
  170   85:                 SEQUENCE {
  172   11:                   SET {
  174    9:                     SEQUENCE {
  176    3:                       OBJECT IDENTIFIER countryName (2 5 4 6)
  181    2:                       PrintableString 'DE'
          :                       }
          :                     }
  185   15:                   SET {
  187   13:                     SEQUENCE {
  189    3:                       OBJECT IDENTIFIER localityName (2 5 4 7)
  194    6:                       UTF8String 'Munich'
          :                       }
          :                     }
  202   20:                   SET {
  204   18:                     SEQUENCE {
  206    3:                       OBJECT IDENTIFIER organizationName (2 5 4 10)
  211   11:                       UTF8String 'PDFlib GmbH'
          :                       }
          :                     }
  224   31:                   SET {
  226   29:                     SEQUENCE {
  228    3:                       OBJECT IDENTIFIER commonName (2 5 4 3)
  233   22:                       UTF8String 'PDFlib GmbH Demo CA G2'
          :                       }
          :                     }
          :                   }
  257    1:                 INTEGER 5
          :                 }
  260   24:               OCTET STRING
          :                 2E 27 CB 94 64 71 E7 05 96 51 08 34 67 92 34 D7
          :                 12 B1 69 8F 20 E9 F1 11
          :               }
          :             }
          :           }
          :         }
  286   76:       SEQUENCE {
  288    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
  299   29:         SEQUENCE {
  301    9:           OBJECT IDENTIFIER aes128-CBC (2 16 840 1 101 3 4 1 2)
  312   16:           OCTET STRING
          :             88 E4 52 8D 63 2F A9 A5 49 0E 8B FE 7D D0 93 F9
          :           }
  330   32:         [0]
          :           06 E8 97 3B AD 11 F8 49 41 C9 D6 C3 FD B4 22 4A
          :           89 DF AB 86 95 A7 D1 E0 C8 BF E5 8F 4D 79 7D D3
          :         }
          :       }
          :     }
          :   }

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: How to turn on certain elements in CMS objects

Dr. Stephen Henson
On Fri, Jul 01, 2016, Stephan Mühlstrasser wrote:

> Hi,
>
> this message is related to another question that I sent with subject
> "Unable to decrypt CMS object encrypted with EC prime256v1
> certificate".
>
> Below I have included the full ASN.1 dump of the CMS object
> generated by a third-party application.
>
> The CMS object has two properties that I so far was not able to
> reproduce when creating CMS objects with OpenSSL:
>
> First the AlgorithmIdentifier includes the EC curve name:
>
>   40   19:               SEQUENCE {
>   42    7:                 OBJECT IDENTIFIER ecPublicKey (1 2 840
> 10045 2 1)
>   51    8:                 OBJECT IDENTIFIER ansiX9p256r1 (1 2 840
> 10045 3 1 7)
>          :                 }
>
> In CMS objects created with OpenSSL with the same recipient
> certificate, the curve name is always omitted. Is it possible to
> make OpenSSL emit the curve name as well?
>

No as this is a violation of the standards. From RFC3278:

      originator MUST be the alternative originatorKey.  The
      originatorKey algorithm field MUST contain the id-ecPublicKey
      object identifier (see Section 8.1) with NULL parameters.  The
      originatorKey publicKey field MUST contain the DER-encoding of a
      value of the ASN.1 type ECPoint (see Section 8.2), which
      represents the sending agent's ephemeral EC public key.


> Second the following:
>
>  129   10:           [1] {
>  131    8:             OCTET STRING B1 04 4A FD FC 8B 70 6D
>          :             }
>
> If I match this correctly to RFC 5652, this is
>
> ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL
>
> inside the KeyAgreeRecipientInfo SEQUENCE (see
> https://tools.ietf.org/html/rfc5652#section-6.2.2).
>
> Can OpenSSL emit this optional element?

Yes but not using the command line utility. It would require a custom program
to set the parameter using the CMS API.

> What is the purpose of the "ukm" field?
>

It provides some additional optional random data used in the key encryption
key derivation algorithm.

Note that you can get a diagnostic dump using:

  openssl cms -cmsout -inform DER -print -in cmd.der

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: How to turn on certain elements in CMS objects

Dr. Stephen Henson
On Wed, Jul 06, 2016, Dr. Stephen Henson wrote:

> On Fri, Jul 01, 2016, Stephan Mühlstrasser wrote:
>
> >
> > First the AlgorithmIdentifier includes the EC curve name:
> >
> >   40   19:               SEQUENCE {
> >   42    7:                 OBJECT IDENTIFIER ecPublicKey (1 2 840
> > 10045 2 1)
> >   51    8:                 OBJECT IDENTIFIER ansiX9p256r1 (1 2 840
> > 10045 3 1 7)
> >          :                 }
> >
> > In CMS objects created with OpenSSL with the same recipient
> > certificate, the curve name is always omitted. Is it possible to
> > make OpenSSL emit the curve name as well?
> >
>
> No as this is a violation of the standards. From RFC3278:
>
>       originator MUST be the alternative originatorKey.  The
>       originatorKey algorithm field MUST contain the id-ecPublicKey
>       object identifier (see Section 8.1) with NULL parameters.  The
>       originatorKey publicKey field MUST contain the DER-encoding of a
>       value of the ASN.1 type ECPoint (see Section 8.2), which
>       represents the sending agent's ephemeral EC public key.
>

Correction... that is not allowed by RFC3278 but is allowed in RFC5753 but
OpenSSL doesn't currently generate that format. It's not clear what purpose it
serves as the EC parameters are specified in the recipient's key and
certificate anyway.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: How to turn on certain elements in CMS objects

Stephan Mühlstrasser
On 06.07.16 at 16:02, Dr. Stephen Henson wrote:

> On Wed, Jul 06, 2016, Dr. Stephen Henson wrote:
>
>> On Fri, Jul 01, 2016, Stephan Mühlstrasser wrote:
>>
>>>
>>> First the AlgorithmIdentifier includes the EC curve name:
>>>
>>>   40   19:               SEQUENCE {
>>>   42    7:                 OBJECT IDENTIFIER ecPublicKey (1 2 840
>>> 10045 2 1)
>>>   51    8:                 OBJECT IDENTIFIER ansiX9p256r1 (1 2 840
>>> 10045 3 1 7)
>>>          :                 }
>>>
>>> In CMS objects created with OpenSSL with the same recipient
>>> certificate, the curve name is always omitted. Is it possible to
>>> make OpenSSL emit the curve name as well?
>>>
>>
>> No as this is a violation of the standards. From RFC3278:
>>
>>       originator MUST be the alternative originatorKey.  The
>>       originatorKey algorithm field MUST contain the id-ecPublicKey
>>       object identifier (see Section 8.1) with NULL parameters.  The
>>       originatorKey publicKey field MUST contain the DER-encoding of a
>>       value of the ASN.1 type ECPoint (see Section 8.2), which
>>       represents the sending agent's ephemeral EC public key.
>>
>
> Correction... that is not allowed by RFC3278 but is allowed in RFC5753 but
> OpenSSL doesn't currently generate that format. It's not clear what purpose it
> serves as the EC parameters are specified in the recipient's key and
> certificate anyway.

So do I understand it correctly that OpenSSL currently only supports
RFC3278? Does that mean that it can't process CMS enveloped data objects
that are created according to RFC5753?

In my other thread titled "Unable to decrypt CMS object encrypted with
EC prime256v1 certificate" the CMS object that cannot be decrypted with
OpenSSL does contain the EC parameters. Can that be related to the problem?

--
Stephan

Re: How to turn on certain elements in CMS objects

Stephan Mühlstrasser
In reply to this post by Dr. Stephen Henson
On 06.07.16 at 15:46, Dr. Stephen Henson wrote:

>...
>
>> Second the following:
>>
>>  129   10:           [1] {
>>  131    8:             OCTET STRING B1 04 4A FD FC 8B 70 6D
>>          :             }
>>
>> If I match this correctly to RFC 5652, this is
>>
>> ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL
>>
>> inside the KeyAgreeRecipientInfo SEQUENCE (see
>> https://tools.ietf.org/html/rfc5652#section-6.2.2).
>>
>> Can OpenSSL emit this optional element?
>
> Yes but not using the command line utility. It would require a custom program
> to set the parameter using the CMS API.

Could you please briefly explain how to set the parameter? I could not find
anything in the documentation of the CMS API about this.

>> What is the purpose of the "ukm" field?
>>
>
> It provides some additional optional random data used in the key encryption
> key derivation algorithm.
>
> Note that you can get a diagnostic dump using:
>
>   openssl cms -cmsout -inform DER -print -in cmd.der

I wasn't aware of this feature, that looks very useful, thanks!

--
Stephan

Re: How to turn on certain elements in CMS objects

Dr. Stephen Henson
In reply to this post by Stephan Mühlstrasser
On Wed, Jul 06, 2016, Stephan Mühlstrasser wrote:

> So do I understand it correctly that OpenSSL currently only supports
> RFC3278? Does that mean that it can't process CMS enveloped data
> objects that are created according to RFC5753?
>

OpenSSL should be able to decrypt either RFC3278 or RFC5753 forms.

> In my other thread titled "Unable to decrypt CMS object encrypted
> with EC prime256v1 certificate" the CMS object that cannot be
> decrypted with OpenSSL does contain the EC parameters. Can that be
> related to the problem?
>

It shouldn't affect OpenSSL's ability to decrypt the object as that
information is not used anywhere in the key derivation.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
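As an added example (not code from the thread, and not OpenSSL's own code), the following Python walks the DER of a KeyAgreeRecipientInfo and reports the two things the thread turns on: whether the originatorKey AlgorithmIdentifier carries NULL parameters (the RFC 3278 form OpenSSL emits) or a named curve (the RFC 5753 form in the dump), and whether the optional ukm [1] is present, together with the key-encryption and key-wrap OIDs. The sample structures are constructed here with a small DER encoder from the values in the ASN.1 dump above (the recipientEncryptedKeys part is abridged to a single commonName RDN), so it runs offline with no dependencies. Function names are this example's own, and it is a diagnostic reader for the recipient-info layer only, not a replacement for `openssl cms -cmsout -print`.

```python
from typing import List, Optional, Tuple

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_PRIME256V1 = "1.2.840.10045.3.1.7"      # ansiX9p256r1 in the dump
OID_STDDH_SHA256_KDF = "1.3.132.1.11.1"     # dhSinglePass-stdDH-sha256kdf-scheme (RFC 5753)
OID_AES128_WRAP = "2.16.840.1.101.3.4.1.5"

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                # base-128, high bit set on all but the last byte
        chunk = bytearray([arc & 0x7F])
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return der(0x06, bytes(body))

def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(str(a) for a in arcs)

def children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into (tag, content) children, refusing overruns."""
    out, pos = [], 0
    while pos < len(content):
        if pos + 2 > len(content):
            raise ValueError("truncated TLV header")
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:               # long form: next (length & 0x7F) bytes hold the length
            nbytes = length & 0x7F
            if nbytes == 0 or nbytes > 4:
                raise ValueError("indefinite or oversized length is not DER")
            length = int.from_bytes(content[pos:pos + nbytes], "big")
            pos += nbytes
        if pos + length > len(content):
            raise ValueError("TLV runs past the end of its parent")
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out

def inspect_kari(kari: bytes) -> dict:
    """Summarise a KeyAgreeRecipientInfo: originator params, ukm, KEK and wrap OIDs."""
    tag, body = children(kari)[0]
    if tag != 0x30:
        raise ValueError("KeyAgreeRecipientInfo must be a SEQUENCE")
    fields = children(body)
    info = {"version": int.from_bytes(fields[0][1], "big"), "ukm": None}
    # originator [0] EXPLICIT OriginatorIdentifierOrKey; [1] inside it is originatorKey
    orig_tag, orig_body = children(fields[1][1])[0]
    if orig_tag != 0xA1:
        info["originator_params"] = "originator is not an ephemeral originatorKey"
    else:
        alg = children(children(orig_body)[0][1])   # AlgorithmIdentifier of the ephemeral key
        info["originator_alg"] = decode_oid(alg[0][1])
        ptag = alg[1][0] if len(alg) > 1 else None
        info["originator_params"] = (
            "absent" if ptag is None else
            "NULL (RFC 3278 form)" if ptag == 0x05 else
            "namedCurve %s (RFC 5753 form)" % decode_oid(alg[1][1]) if ptag == 0x06 else
            "explicit or unrecognised parameters")
    rest = fields[2:]
    if rest and rest[0][0] == 0xA1:                 # ukm [1] EXPLICIT OCTET STRING OPTIONAL
        info["ukm"] = children(rest[0][1])[0][1]
        rest = rest[1:]
    kea = children(rest[0][1])                      # keyEncryptionAlgorithm
    info["kea_oid"] = decode_oid(kea[0][1])
    info["wrap_oid"] = decode_oid(children(kea[1][1])[0][1])
    return info

def build_sample_kari(named_curve: bool, ukm: Optional[bytes]) -> bytes:
    """Constructed sample from the thread's dump values (recipientEncryptedKeys abridged)."""
    point = bytes.fromhex(
        "040E81BC2863C85A1E097D471FD32492156D948A8D8882CC651FFD57B4B8DD77"
        "97ABE7D01D8EC1FEF6CBC4C59DB77BDE600E84F2354E1942EBB4D9F571584F5389")
    params = encode_oid(OID_PRIME256V1) if named_curve else der(0x05, b"")
    alg_id = der(0x30, encode_oid(OID_EC_PUBLIC_KEY) + params)
    originator = der(0xA0, der(0xA1, alg_id + der(0x03, b"\x00" + point)))
    kea = der(0x30, encode_oid(OID_STDDH_SHA256_KDF) + der(0x30, encode_oid(OID_AES128_WRAP)))
    cn = der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, b"PDFlib GmbH Demo CA G2"))))
    rek = der(0x30, der(0x30, cn + der(0x02, b"\x05"))
              + der(0x04, bytes.fromhex("2E27CB946471E70596510834679234D712B1698F20E9F111")))
    body = der(0x02, b"\x03") + originator
    if ukm is not None:
        body += der(0xA1, der(0x04, ukm))
    return der(0x30, body + kea + der(0x30, rek))

if __name__ == "__main__":
    print(inspect_kari(build_sample_kari(True, bytes.fromhex("B1044AFDFC8B706D"))))
    print(inspect_kari(build_sample_kari(False, None)))
```

Running it prints one summary for the third-party shape (named curve present, ukm present) and one for the shape OpenSSL's command line produces (NULL parameters, no ukm). The constructed originator [0] element comes out at the same 91 content bytes the dump shows, which is a useful sanity check that the encoder matches the real structure. As Steve notes above, the curve parameters are not used in the key derivation, so the distinction is informational for interoperability debugging rather than a reason a decrypt would fail.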