Me again,

I got the hint (thanks Peter) that I used the wrong CLAs with od.
Sorry for that, it has been a while since I used it the last time.
Anyway, I guess the attachment still is a signature.

Max, could you paste the output of `od -t x1` of your CRMF file?

BR,
Martin



On 4/4/08, Martin Peylo <[EMAIL PROTECTED]> wrote:
> Hi Max,
>
>  is the "smime.p7s" file attached to your previous mail supposed to
>  contain pure CRMF? If I `od -x` it, I am missing those "30 8X"s I am
>  used to see often as they are the start of longer sequences. Is this
>  the right (DER) encoding? I also would not expect it to start with
>  0x80 but with 0x30 which would start the outermost sequence. Anyway,
>  when I google for p7s, it's rather a "pkcs7-signature" than a
>  Certificate Request, so I might misunderstand that.
>
>  I am unable to interpret the ASN.1 dump you sent as I only learned to
>  read ASN.1 DER in hex while debugging using Wireshark. Could you
>  please send it as hexdump, so I can compare it with my validated CRMF
>  traces. If you'd like, I can also send you some CMP (including CRMF)
>  traces you can look at with Wireshark, just request them by PM so I
>  don't flood the mailinglist with them.
>
>
>  Best regards,
>  Martin
>
>
>
>  On 4/3/08, Massimiliano Pala <[EMAIL PROTECTED]> wrote:
>
> > Hi Martin,
>  >
>  >  thanks for your suggestion :) After writing the email, I think that I found
>  >  the correct way to do it. By using the following:
>  >
>  >    ASN1_ITEM_TEMPLATE(CRMF_REQ) =
>  >         ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, requests, CRMF_CERT_REQ_MESSAGE)
>  >    ASN1_ITEM_TEMPLATE_END(CRMF_REQ)
>  >
>  >  I still can not load the request issued by NSS browser. Can you load it ? Do you
>  >  know what the format is ? I attach it to this email. I definitely do not understand
>  >  what happens. In detail:
>  >
>  >  0-The ASN1 dump is as follows:
>  >
>  >     0:d=0  hl=4 l= 477 cons: SEQUENCE
>  >     4:d=1  hl=4 l= 473 cons: SEQUENCE
>  >     8:d=2  hl=4 l= 407 cons: SEQUENCE
>  >    12:d=3  hl=2 l=   4 prim: INTEGER           :4D7A150A
>  >    18:d=3  hl=4 l= 355 cons: SEQUENCE
>  >    22:d=4  hl=2 l=   1 prim: cont [ 0 ]
>  >    25:d=4  hl=2 l=  89 cons: cont [ 5 ]
>  >    27:d=5  hl=2 l=  87 cons: SEQUENCE
>  >
>  >              [...]
>  >
>  >   116:d=4  hl=3 l= 240 cons: cont [ 6 ]
>  >   119:d=5  hl=3 l= 168 cons: SEQUENCE
>  >   122:d=6  hl=2 l=   7 prim: OBJECT            :dsaEncryption
>  >   131:d=6  hl=3 l= 156 cons: SEQUENCE
>  >
>  >              [...]
>  >
>  >   359:d=4  hl=2 l=  16 cons: cont [ 9 ]
>  >   361:d=5  hl=2 l=  14 cons: SEQUENCE
>  >   363:d=6  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
>  >   368:d=6  hl=2 l=   1 prim: BOOLEAN           :255
>  >   371:d=6  hl=2 l=   4 prim: OCTET STRING
>  >
>  >              [...]
>  >
>  >   419:d=2  hl=2 l=  60 cons: cont [ 1 ]
>  >   421:d=3  hl=2 l=   9 cons: SEQUENCE
>  >   423:d=4  hl=2 l=   7 prim: OBJECT            :dsaWithSHA1
>  >   432:d=3  hl=2 l=  47 prim: BIT STRING
>  >
>  >
>  >  2-There should be an INTEGER (certReqId) and a CertTemplate, but then if
>  >   this is the case what heck is the prim [0] (which I suppose should be
>  >   the serial number) empty (at 22) ?
>  >
>  >  3-Then the later [5] (at 25) is, correctly, a Name, I suppose. Is this
>  >   a valid coding ? Am I totally wrong ?
>  >
>  >   Instead of parsing the Name as the subject, my program interprets it as
>  >   issuer (should be tagged as [3]), and I get the following error:
>  >
>  >  2896:error:0D0780AA:asn1 encoding routines:ASN1_ITEM_EX_D2I:illegal options on item template:tasn_dec.c:192:Type=X509_NAME_INTERNAL
>  >  2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:737:Field=issuer, Type=CERT_TEMPLATE
>  >  2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=certTemplate, Type=CRMF_CERT_REQUEST
>  >  2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=certReq, Type=CRMF_CERT_REQ_MESSAGE
>  >  2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:712:
>  >  2896:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
>  >
>  >    Any idea here ?
>  >
>  >  Later,
>  >  Max
>  >
>  >
>  >
>  >  Martin Peylo wrote:
>  >
>  > > Hi Massimiliano,
>  > >
>  > > I don't know if that's the best solution, but it worked for me that way:
>  > >
>  > > in crmf.h:
>  > >
>  > > typedef struct crmf_certreqmsg_st
>  > > {
>  > >         CRMF_CERTREQUEST           *certReq;
>  > >         CRMF_PROOFOFPOSSESION      *popo;    /* 0 */
>  > >         CRMF_ATTRIBUTETYPEANDVALUE *regInfo; /* 1 */
>  > > } CRMF_CERTREQMSG;
>  > > DECLARE_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
>  > >
>  > > DECLARE_STACK_OF(CRMF_CERTREQMSG) /* CertReqMessages */
>  > > DECLARE_ASN1_SET_OF(CRMF_CERTREQMSG) /* CertReqMessages */
>  > >
>  > >
>  > > in crmf_asn.c:
>  > >
>  > > ASN1_SEQUENCE(CRMF_CERTREQMSG) = {
>  > >         ASN1_SIMPLE(CRMF_CERTREQMSG, certReq, CRMF_CERTREQUEST),
>  > >         ASN1_IMP_OPT(CRMF_CERTREQMSG, popo, CRMF_PROOFOFPOSSESION, 0),
>  > >         ASN1_IMP_SEQUENCE_OF_OPT(CRMF_CERTREQMSG, regInfo, CRMF_ATTRIBUTETYPEANDVALUE, 1)
>  > > } ASN1_SEQUENCE_END(CRMF_CERTREQMSG)
>  > >
>  > > IMPLEMENT_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
>  > >
>  > >
>  > > I needed it for CMP. In order to use the "CertReqMessages", I am doing:
>  > >
>  > > In cmp.h:
>  > > typedef struct cmp_pkibody_st
>  > > {
>  > >         int type;
>  > >         union{
>  > >                 STACK_OF(CRMF_CERTREQMSG)   *ir;   /* 0 */
>  > > ...
>  > >
>  > > In cmp_asn.c:
>  > > ASN1_CHOICE(CMP_PKIBODY) = {
>  > >         ASN1_EXP_SEQUENCE_OF(CMP_PKIBODY, value.ir, CRMF_CERTREQMSG, 0),
>  > > ...
>  > >
>  > >
>  > > There might be other ways to do it - the OpenSSL ASN.1 documentation
>  > > seems to be not complete - but it works fine that way.
>  > >
>  > > As there are not many things to use CRMF for: what are you
>  > > implementing? Do you know my code to use CMP with OpenSSL? You can
>  > > obtain the full code including the snippets I pasted above from
>  > > <http://www.izac.de/cmp>.
>  > >
>  >
>  >
>  >
>  >  --
>  >
>  >  Best Regards,
>  >
>  >         Massimiliano Pala
>  >
>  > --o------------------------------------------------------------------------
>  >  Massimiliano Pala [OpenCA Project Manager]            [EMAIL PROTECTED]
>  >                                                  [EMAIL PROTECTED]
>  >
>  >  Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
>  >  PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
>  > --o------------------------------------------------------------------------
>  >
>  >
>  >
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
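
Added example, not part of the original thread or of the OpenSSL/CMP code it discusses: a minimal DER header reader in plain C that checks whether a buffer opens with the outer SEQUENCE (0x30) the reply expects, and names the context tags seen in the quoted dump using the CertTemplate field order from RFC 4211. The header octets are constructed from the hl=/l= columns of that dump, and all function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* RFC 4211 CertTemplate: all fields OPTIONAL, context-tagged [0]..[9].
 * Name is a CHOICE, so [3]/[5] are explicit wrappers around its SEQUENCE. */
static const char *const CERT_TEMPLATE_FIELDS[10] = {
    "version", "serialNumber", "signingAlg", "issuer", "validity",
    "subject", "publicKey", "issuerUID", "subjectUID", "extensions"
};

/* Read one DER identifier+length header; return its size, or 0 if invalid.
 * Handles low tag numbers (<31) and definite lengths of up to 4 octets. */
size_t der_header(const unsigned char *p, size_t n, unsigned *id, size_t *len)
{
    if (n < 2 || (p[0] & 0x1F) == 0x1F) return 0;
    *id = p[0];
    if (p[1] < 0x80) { *len = p[1]; return 2; }        /* short form */
    size_t k = p[1] & 0x7F;                            /* long form: k length octets */
    if (k == 0 || k > 4 || n < 2 + k || p[2] == 0) return 0; /* 0x80 = indefinite: not DER */
    *len = 0;
    for (size_t i = 0; i < k; i++) *len = (*len << 8) | p[2 + i];
    return (k == 1 && *len < 0x80) ? 0 : 2 + k;        /* reject non-minimal length */
}

/* Field name for a context-specific identifier octet, NULL otherwise. */
const char *cert_template_field(unsigned id)
{
    if ((id & 0xC0) != 0x80 || (id & 0x1F) > 9) return NULL;
    return CERT_TEMPLATE_FIELDS[id & 0x1F];
}

/* A bare DER file opens with SEQUENCE (0x30); header + content = file size. */
int starts_der_sequence(const unsigned char *p, size_t n, size_t file_size)
{
    unsigned id = 0; size_t len = 0, hl = der_header(p, n, &id, &len);
    return hl != 0 && id == 0x30 && hl + len == file_size;
}

int main(void)
{
    /* Constructed sample: header octets rebuilt from the hl=/l= columns of the
     * quoted dump at offsets 22, 25, 116 and 359; content octets are omitted. */
    const unsigned char h[4][3] = {{0x80, 0x01}, {0xA5, 0x59}, {0xA6, 0x81, 0xF0}, {0xA9, 0x10}};
    for (size_t i = 0; i < 4; i++) {
        unsigned id = 0; size_t len = 0, hl = der_header(h[i], 3, &id, &len);
        printf("%02X hl=%zu l=%3zu -> %s\n", id, hl, len, cert_template_field(id));
    }
    return 0;
}
```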
