On Thu, Sep 22, 2011, Erwann Abalea wrote:

> On 21/09/2011 21:20, Gabriel Marques wrote:
> >I'm developing a tool for signing digital TV apps, and one of the
> >goals was to embed OCSP responses into the CMS signature file of
> >the application.
> >The idea is that the broadcaster equipment would query the OCSP
> >and update the response with certain frequency, so that the
> >receiver could check the certificate validity without Internet
> >connection.
> >
> >Well, using the BouncyCastle lib I've forcedly embedded the
> >response in the OtherRevocationInfoFormat field of the CMS file,
> >but OpenSSL does not like the way I did it:
> >-> openssl cms -cmsout -print -inform der -in
> >/tmp/sig3/META-INF/BR-ecdsaTest.EC
> >Error reading S/MIME message
> >3076389608:error:0D0680A8:asn1 encoding
> >routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
> >3076389608:error:0D07803A:asn1 encoding
> >routines:ASN1_ITEM_EX_D2I:nested asn1
> >error:tasn_dec.c:381:Type=X509_CRL_INFO
> >3076389608:error:0D08303A:asn1 encoding
> >routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> >error:tasn_dec.c:751:Field=crl, Type=X509_CRL
> >3076389608:error:0D08303A:asn1 encoding
> >routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:
> >3076389608:error:0D07803A:asn1 encoding
> >routines:ASN1_ITEM_EX_D2I:nested asn1
> >error:tasn_dec.c:339:Field=d.crl, Type=CMS_RevocationInfoChoice
> >
> >This could be because I'm doing something wrong (probably) or
> >because OpenSSL (1.0e) is always expecting a CRL set where other
> >kind of revocation info could be present.
> >I couldn't find a clear way to insert OCSP responses into a CMS
> >structure.
> >The RFCs are the clearer source I could get:
> >
> >RFC 3852 - CMS structure:
> 
> The latest RFC for CMS is 5652. But the phrasing is the same:
> 
> -----
>   IF ((certificates is present) AND
>      (any certificates with a type of other are present)) OR
>      ((crls is present) AND
>      (any crls with a type of other are present))
>   THEN version MUST be 5
>   ELSE
>   [...]
> -----
> 
> In your examples, you set version to 3.
> 
> Based on your parsed example, it seems you correctly set the tag
> ([1]) for the "crls" element, but you didn't use the good encoding
> for the "other" field (of type "OtherRevocationInfoFormat"), as it
> also must be tagged ([1]) and be identified by the correct OID
> (1.3.6.1.5.5.7.16.2).
> 
> 

That agrees with my analysis. OpenSSL is choking on that field because it is
expecting a CRL. Note that OpenSSL doesn't enforce the version value in the
parser.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
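
Added example (not part of the original thread, and not OpenSSL or BouncyCastle code): a minimal DER walk over the "crls" field, showing that the [1] tag on "other" decides whether a decoder sees an OCSP response or tries to parse a CRL. The function names and sample bytes are constructed for illustration; the malformed variant is an assumed form of the mistake, not the poster's actual file.

```python
ID_RI_OCSP_RESPONSE = "1.3.6.1.5.5.7.16.2"  # OID quoted in the thread

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos (one-byte tags)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OBJECT IDENTIFIER content octets -> dotted string
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify_crls(crls_field):
    """Classify each RevocationInfoChoice inside the DER of the crls [1] field."""
    tag, body, _ = read_tlv(crls_field)
    if tag != 0xA1:
        raise ValueError("crls must be tagged [1] (0xA1)")
    kinds, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x30:    # untagged SEQUENCE: a decoder expects CertificateList
            kinds.append("crl")
        elif tag == 0xA1:  # other [1] IMPLICIT OtherRevocationInfoFormat
            oid_tag, oid_body, _ = read_tlv(value)
            if oid_tag != 0x06 or not oid_body:
                raise ValueError("otherRevInfoFormat must be an OID")
            oid = decode_oid(oid_body)
            kinds.append("ocsp" if oid == ID_RI_OCSP_RESPONSE else "other:" + oid)
        else:
            kinds.append("invalid:0x%02x" % tag)
    return kinds

# Constructed sample input: OID 1.3.6.1.5.5.7.16.2 followed by a stub OCSPResponse.
PAYLOAD = "06082b06010505071002" "30030a0100"
GOOD = bytes.fromhex("a111" "a10f" + PAYLOAD)  # "other" carries the [1] tag
BAD = bytes.fromhex("a111" "300f" + PAYLOAD)   # "other" left as a plain SEQUENCE
```

classify_crls(GOOD) reports the entry as an OCSP response, while classify_crls(BAD) reports "crl": that entry lands in the CertificateList branch, the same branch the Type=X509_CRL errors above come from.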