On Thu, Sep 22, 2011, Gabriel Marques wrote:

> Thanks Steve and Erwann,
>
> Putting the OCSP response inside a tagged object did the job for
> OpenSSL recognizing the OtherRevocationInfoFormat.
> BouncyCastle also changed the CMS version to 5 automatically when I
> did it, and I've changed the OID to the proper one
> (id-ri-ocsp-response).
>
> Now OpenSSL is complaining about a wrong tag :(
> But I've re-checked the structure, and it seems fine now.
>
>
> Here goes the logs:
>
> gabriel@gag-desktop:~/bin/openssl_src$ ~/bin/viewCert.sh /tmp/sig3/META-INF/BR-ecdsaTest.EC
> Error reading S/MIME message
> 3076483816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
> 3076483816:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:831:
> 3076483816:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=otherRevInfoFormat, Type=CMS_OtherRevocationInfoFormat
> 3076483816:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:737:
>
> In the source, this is thrown when the asn1_check_tlen(/*Check an
> ASN1 tag and length*/) function is called and returns an error, so
> I've added a printf to get more details (as there's no verbose flag
> to openssl cms):
> if (exptag >= 0)
>     {
>     if ((exptag != ptag)
>         printf("exptag %d\n", exptag);
>         printf("ptag %d\n", ptag);
> ...
> exptag 6
> ptag 16
> Error reading S/MIME message...
>
Well it is expecting an OID but is getting a SEQUENCE. Looking at your ASN1
dump perhaps the OID otherRevInfoFormat isn't present?

> ...
> OtherRevocationInfoFormat ::= SEQUENCE {
>     otherRevInfoFormat OBJECT IDENTIFIER,
>     otherRevInfo ANY DEFINED BY otherRevInfoFormat }
>
> [1](1) //CRLS
>   [1](1) //OtherRevocationInfoFormat ------------------------> Missing OID??
>     SEQUENCE (2 elem) //OCSP response
>       OBJECT IDENTIFIER 1.3.6.1.5.5.7.16.2 // id-ri-ocsp-response
>       SEQUENCE (2 elem) // <-- response as received - rfc2560 item 4.2.1
>         ENUMERATED (0) // Response has valid confirmations
>         [0] //EXPLICIT ResponseBytes
>           SEQUENCE (2 elem)
>             OBJECT IDENTIFIER

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
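
The tag check behind the `exptag 6` / `ptag 16` output in the message above, as an added example (not code from the thread or from OpenSSL). RFC 5652 declares the choice as `other [1] IMPLICIT OtherRevocationInfoFormat`, so the `[1]` replaces the SEQUENCE tag and the OID is the first element inside it. The helper names and the sample bytes are constructed for illustration.

```python
OID, SEQUENCE = 6, 16  # universal tag numbers, as printed by the debug printf

def tlv(ident, content):
    """Encode one DER element (short-form length only, enough for the samples)."""
    if len(content) >= 128:
        raise ValueError("sample encoder handles short lengths only")
    return bytes([ident, len(content)]) + content

def read_tlv(buf, off=0):
    """Decode one DER element: (class, tag number, content, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    ident, length = buf[off], buf[off + 1]
    if ident & 0x1F == 0x1F:
        raise ValueError("high tag numbers not handled here")
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated content")
    return ident >> 6, ident & 0x1F, buf[off:off + length], off + length

def first_field_tag(crls_field):
    """Unwrap crls [1] and other [1]; return the tag where otherRevInfoFormat must be."""
    for name in ("crls [1]", "other [1]"):
        cls, num, crls_field, _ = read_tlv(crls_field)
        if (cls, num) != (2, 1):  # class 2 = context-specific
            raise ValueError("expected " + name)
    cls, num, _, _ = read_tlv(crls_field)
    if cls != 0:
        raise ValueError("expected a universal tag")
    return num

# Constructed sample data (not taken from the thread's signature file).
OCSP_OID = tlv(0x06, bytes.fromhex("2b06010505071002"))  # 1.3.6.1.5.5.7.16.2
OCSP_RESP = tlv(0x30, tlv(0x0A, b"\x00"))  # stand-in: SEQUENCE { ENUMERATED 0 }
# [1] IMPLICIT replaces the SEQUENCE tag: the OID comes first inside [1].
IMPLICIT = tlv(0xA1, tlv(0xA1, OCSP_OID + OCSP_RESP))
# Layout shown in the quoted dump: a full SEQUENCE nested inside [1].
NESTED = tlv(0xA1, tlv(0xA1, tlv(0x30, OCSP_OID + OCSP_RESP)))

if __name__ == "__main__":
    for label, der in (("implicit", IMPLICIT), ("nested", NESTED)):
        print(label, "exptag", OID, "ptag", first_field_tag(der))
```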