On Thu, Sep 22, 2011, Gabriel Marques wrote:

> Thanks Steve and Erwann,
> 
> Putting the OCSP response inside a tagged object did the job for
> OpenSSL recognizing the OtherRevocationInfoFormat.
> BouncyCastle also changed the CMS version to 5 automatically when I
> did it, and I've changed the OID to the proper one
> (id-ri-ocsp-response).
> 
> Now OpenSSL is complaining about a wrong tag :(
> But I've re-checked the structure, and it seems fine now.
> 
> 
> Here go the logs:
> 
> gabriel@gag-desktop:~/bin/openssl_src$ ~/bin/viewCert.sh /tmp/sig3/META-INF/BR-ecdsaTest.EC
> Error reading S/MIME message
> 3076483816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
> 3076483816:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:831:
> 3076483816:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=otherRevInfoFormat, Type=CMS_OtherRevocationInfoFormat
> 3076483816:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:737:
> 
> In the source, this is thrown when the asn1_check_tlen(/*Check an
> ASN1 tag and length*/) function is called and returns an error, so
> I've added a printf to get more details (as there's no verbose flag
> to openssl cms):
>     if (exptag >= 0)
>         {
>         if ((exptag != ptag)
>             printf("exptag %d\n", exptag);
>             printf("ptag %d\n", ptag);
> ...
> exptag 6
> ptag 16
> Error reading S/MIME message...
> 

Well it is expecting an OID but is getting a SEQUENCE.

Looking at your ASN1 dump perhaps the OID otherRevInfoFormat isn't present?

> ...
> OtherRevocationInfoFormat ::= SEQUENCE {
>         otherRevInfoFormat OBJECT IDENTIFIER,
>         otherRevInfo ANY DEFINED BY otherRevInfoFormat }
> 
>             [1](1) //CRLS
>                 [1](1) //OtherRevocationInfoFormat
------------------------> Missing OID??
>                     SEQUENCE (2 elem) //OCSP response
>                         OBJECT IDENTIFIER 1.3.6.1.5.5.7.16.2 // id-ri-ocsp-response
>                         SEQUENCE (2 elem) // <-- response as received - rfc2560 item 4.2.1
>                             ENUMERATED (0) // Response has valid confirmations
>                             [0] //EXPLICIT ResponseBytes
>                                 SEQUENCE (2 elem)
>                                     OBJECT IDENTIFIER

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
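
Added example, not part of the original message and not OpenSSL code: a small DER check for the mismatch discussed above. RFC 5652 defines the `other` alternative as `[1] IMPLICIT OtherRevocationInfoFormat`, so the context tag replaces the SEQUENCE tag and the first element inside it must be the OID (tag 6), not a nested SEQUENCE (tag 16). The helper names and the sample bytes (with a stub OCSP response) are constructed for illustration.

```python
# Added example: DER check of a CMS crls field (definite lengths, low tag numbers only).
ID_RI_OCSP_RESPONSE = bytes.fromhex("2b06010505071002")  # 1.3.6.1.5.5.7.16.2

def read_tlv(buf, off=0):
    """Return (tag_byte, content, next_offset) for the TLV starting at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[off:off + length], off + length

def tlv(tag, content):
    """Encode one TLV (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def check_crls(crls):
    """Check each 'other' [1] entry in a crls [1] field; return a list of findings."""
    tag, body, _ = read_tlv(crls)
    if tag != 0xA1:
        raise ValueError("not a crls [1] field")
    findings, off = [], 0
    while off < len(body):
        tag, content, off = read_tlv(body, off)
        if tag != 0xA1:    # 0x30 here would be a plain CertificateList (CRL)
            findings.append("crl")
            continue
        first, value, _ = read_tlv(content)
        if first != 0x06:  # [1] IMPLICIT replaces the SEQUENCE tag, so the OID comes first
            findings.append(f"exptag 6 ptag {first & 0x1F}")
        elif value == ID_RI_OCSP_RESPONSE:
            findings.append("id-ri-ocsp-response")
        else:
            findings.append("other OID")
    return findings

# Constructed sample data: the OID plus a stub OCSPResponse (SEQUENCE { ENUMERATED 0 }).
FIELDS = tlv(0x06, ID_RI_OCSP_RESPONSE) + tlv(0x30, tlv(0x0A, b"\x00"))
AS_POSTED = tlv(0xA1, tlv(0xA1, tlv(0x30, FIELDS)))  # extra SEQUENCE, as in the dump
EXPECTED = tlv(0xA1, tlv(0xA1, FIELDS))              # OID directly inside the inner [1]

if __name__ == "__main__":
    print(check_crls(AS_POSTED), check_crls(EXPECTED))
```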