Hello folks, I'm developing a tool for signing digital TV apps, and one of the goals was to embed OCSP responses into the CMS signature file of the application. The idea is that the broadcaster equipment would query the OCSP and update the response with certain frequency, so that the receiver could check the certificate validity without Internet connection. Well, using the BouncyCastle lib I've forcedly embedded the response in the OtherRevocationInfoFormat field of the CMS file, but OpenSSL does not like the way I did it: -> openssl cms -cmsout -print -inform der -in /tmp/sig3/META-INF/BR-ecdsaTest.EC Error reading S/MIME message 3076389608:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319: 3076389608:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_CRL_INFO 3076389608:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=crl, Type=X509_CRL 3076389608:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751: 3076389608:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:339:Field=d.crl, Type=CMS_RevocationInfoChoice This could be because I'm doing something wrong (probably) or because OpenSSL (1.0e) is alway expecting a CRL set where other kind of revocation info could be present. I couldn't find a clear way to do insert OCSP responses into a CMS structure. The RFCs are the clearer source I could get: RFC 3852 - CMS structure: SignedData ::= SEQUENCE { version CMSVersion, digestAlgorithms DigestAlgorithmIdentifiers, encapContentInfo EncapsulatedContentInfo, certificates [0] IMPLICIT CertificateSet OPTIONAL, crls [1] IMPLICIT RevocationInfoChoices OPTIONAL, signerInfos SignerInfos } RFC 5940 - RevocationInfoChoices structure: RevocationInfoChoice ::= CHOICE { crl CertificateList, other [1] IMPLICIT OtherRevocationInfoFormat } OtherRevocationInfoFormat ::= SEQUENCE { otherRevInfoFormat OBJECT IDENTIFIER, otherRevInfo ANY DEFINED BY otherRevInfoFormat } So my question is, does OpenSSL support OCSP responses in CMS structures? (by support I mean it won't break - if it can parse the structure without knowing what to do is enough) OpenSSL is my base reference, so if it cannot even print-out the CSM structure I don't know of other tools I can use. Ideally, I don't want to create a proprietary format of CMS signatures. For those interested, this is how the messages look inside: SEQUENCE(2 elem) //Regular CMS structure with an embedded CRL - OpenSSL understands it OBJECT IDENTIFIER1.2.840.113549.1.7.2 //signedData PKCS #7 [0](1) //SignedData SEQUENCE(6 elem) //RFC 3852 INTEGER 3 //CMS version SET(1 elem) //folded - digest algs. SEQUENCE(1 elem) //folded - encap. content info [0](2) //folded - certificates [1](1) //CRLS SEQUENCE(3 elem) //start of CRL structure SEQUENCE(6 elem) INTEGER 1 //Version 2 SEQUENCE(1 elem) OBJECT IDENTIFIER1.2.840.10045.4.1 // issuer sig. alg.: ecdsa-with-SHA1 SEQUENCE(6 elem) //folded - Issuer: /C=BR/ST=SP/L=Sao Paulo/O=ACME SA/OU=bank/CN=ACME root CA UTCTime 11-09-21 13:58:48 UTC //issued at UTCTime 11-11-10 13:58:48 UTC //valid till [0](1) //folded - certificate list SEQUENCE(1 elem) OBJECT IDENTIFIER1.2.840.10045.4.1 // CRL sig. alg.: ecdsa-with-SHA1 BIT STRING(1 elem) //folded - CRL signature SET(1 elem) //folded - CMS signer info SEQUENCE(2 elem) //Modified CMS structure with an embedded OCSP response - OpenSSL don't like it OBJECT IDENTIFIER1.2.840.113549.1.7.2 //signedData PKCS #7 [0](1) //SignedData SEQUENCE(6 elem) //RFC 3852 INTEGER 3 //CMS version SET(1 elem) //folded - digest algs. SEQUENCE(1 elem) //folded - encap. content info [0](2) //folded - certificates [1](1) //CRLS SEQUENCE(2 elem) //OCSP response OBJECT IDENTIFIER 1.3.6.1.5.5.7.48.1.1 // ocspBasic OCTET STRING (1 elem) //folded - issuer identification and certificate SEQUENCE(4 elem) SEQUENCE(4 elem) [0](1) //version [1](1) //folded - issuer info - Thawte SGC OCSP Responder GeneralizedTime 2011-09-20 05:51:40 UTC //issued time SEQUENCE (1 elem) //status info and hashes SEQUENCE(2 elem) //sig. alg BIT STRING(1024 bit) [0](1) //signature SET(1 elem) //folded - CMS signer info Thanks for any comment, Gabriel Marques ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org |
- View OCSP response in CMS Gabriel Marques
- Re: View OCSP response in CMS Dr. Stephen Henson
- Re: [openssl-users] View OCSP response in CMS Erwann Abalea
- Re: [openssl-users] View OCSP response in CMS Dr. Stephen Henson
- Re: [openssl-users] View OCSP response in ... Erwann Abalea
- Re: [openssl-users] View OCSP response... Gabriel Marques
- Re: [openssl-users] View OCSP res... Dr. Stephen Henson
- Re: [openssl-users] View OCSP... Gabriel Marques