CMS/ANS1 examples
Are there any good examples of using the ASN1 and CMS functions in openssl 1.0 for generic operations? I'm trying to talk to an SCVP server, which takes requests wrapped in DER encoded CMS ContentInfo structure. So far I can't find an openssl function to output a CMS that way, so any example code or pointers would be appreciated. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: CMS/ANS1 examples
> > Are there any good examples of using the ASN1 and CMS functions in openssl > > 1.0 > > for generic operations? > > I'm trying to talk to an SCVP server, which takes requests wrapped in DER > > encoded > > CMS ContentInfo structure. So far I can't find an openssl function to > > output a > > CMS that way, so any example code or pointers would be appreciated. > > Try demos/cms > I've been through all of that. The thing that confuses me is that I just want a ContactInfo wrapper. I don't need to sign it or compress it etc, and it looks like I can use CMS_data_create in that case, but then I just want to write it to a socket in DER format, not base64. Also I need to figure out how to build up other ASN1 structures to go inside the ContactInfo. I hoped looking at the CMS code would give me an example to follow, but if so, I haven't figured it out yet. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
best ASN1 template example
I'm trying to understand the ASN1 macros like: ASN1_SEQUENCE IMPLEMENT_ASN1_FUNCTIONS etc to implement my own structures. What examples in the code would be best to follow, especially for nested structures with optional elements? -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
ASN1 code generator?
I just wanted to make sure I'm not missing something. Converting an ASN1 spec to code is a manual process, right? There is no parser/code generator as part of openssl? I'm looking at asn1c (http://lionet.info/asn1c/) but the code it generates seems stand-alone, not based on the existing openssl code. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
How to get size of a cms?
Is there a way to find the size of the der-encoded CMS object without writing it to a file/buffer first? I'm doing this: cms = CMS_sign(scert, skey, NULL, mem, flags); i2d_CMS_bio(server, cms); but I need to send the size to the server in a header before I send the CMS. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
ASN1 DEFAULT values
When declaring an ASN1 structure, is there a way to specify a default value,
or do you just have to set them after creating the structure with ???_new()?
for example "critical":
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
criticalBOOLEAN DEFAULT FALSE,
extnValue OCTET STRING }
--
Chris Bare
ch...@bareflix.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
length vs EOC
I'm trying to use openssl to generate a signed CMS that matches the output of a windows program written with the BouncyCastle library. One of the differences I've noticed is that my openssl output has the length set for each structure whereas the c# program has the length as inf and closes with an EOC. I tried setting the CMS_STREAM flag, but that didn't change my output. I realize it should not matter, but my code is crashing the server (which is 3rd party code so I can't change it) and the c# is not, so I'm wondering if it could be related to EOC. Here's a snipped of what my code is doing: int flags = CMS_STREAM; // or 0 BIO *mem = BIO_new(BIO_s_mem()); // write stuff to mem cms = CMS_sign(scert, skey, NULL, mem, flags); if (!i2d_CMS_bio(out, cms)) Is there some other flag, or some mode I can set to make it use EOC? -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: length vs EOC
> On Wed, Jun 17, 2009, Chris Bare wrote: > > > I'm trying to use openssl to generate a signed CMS that matches the output > > of > > a windows program written with the BouncyCastle library. One of the > > differences I've noticed is that my openssl output has the length set for > > each > > structure whereas the c# program has the length as inf and closes with an > > EOC. > > > > I tried setting the CMS_STREAM flag, but that didn't change my output. > > I realize it should not matter, but my code is crashing the server (which is > > 3rd party code so I can't change it) and the c# is not, so I'm wondering if > > it > > could be related to EOC. > > > > Here's a snipped of what my code is doing: > > > > int flags = CMS_STREAM; // or 0 > > > > BIO *mem = BIO_new(BIO_s_mem()); > > // write stuff to mem > > cms = CMS_sign(scert, skey, NULL, mem, flags); > > if (!i2d_CMS_bio(out, cms)) > > > > Is there some other flag, or some mode I can set to make it use EOC? > > > > The CMS_STREAM flag is ignored for OpenSSL < 1.0.0. For supported versions of > OpenSSL it will produce an output with EOCs. > > Steve. > -- I'm using openssl-1.0.0-beta2 and I've tried setting CMS_STREAM as well as CMS_STREAM|CMS_PARTIAL, but I have not gotten any output with EOC. Any idea what else I'm missing? -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: length vs EOC
> > > > > > The CMS_STREAM flag is ignored for OpenSSL < 1.0.0. For supported > > > versions of > > > OpenSSL it will produce an output with EOCs. > > > > > > Steve. > > > -- > > > > I'm using openssl-1.0.0-beta2 and I've tried setting CMS_STREAM as well as > > CMS_STREAM|CMS_PARTIAL, but I have not gotten any output with EOC. > > Any idea what else I'm missing? > > > > Use i2d_CMS_bio_stream() instead. > Thanks, that did the trick. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
"read bio not set" error
I'm following the example client on: http://linux.die.net/man/3/bio_new_ssl_connect I am able to establish the ssl connection and send data, but when I go to do BIO_read, I get this error: error:140950D3:SSL routines:SSL3_READ_N:read bio not set I can see with wireshark that the server is sending back some data, but BIO_read returns -1. Any suggestions? -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: "read bio not set" error
> I'm following the example client on:
> http://linux.die.net/man/3/bio_new_ssl_connect
>
> I am able to establish the ssl connection and send data, but when I go to do
> BIO_read, I get this error:
>
> error:140950D3:SSL routines:SSL3_READ_N:read bio not set
>
> I can see with wireshark that the server is sending back some data, but
> BIO_read returns -1.
>
with further debugging I find that the ssl object's rbio and wbio fields are
nulled out after calling:
i2d_CMS_bio_stream(output, cms, mem, flags));
Any idea why that would be?
Here's a distilled version of the code:
ctx = SSL_CTX_new(SSLv23_client_method());
output = BIO_new_ssl_connect(ctx);
BIO_get_ssl(output, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
BIO_set_conn_hostname(output, host);
if(BIO_do_connect(output) <= 0)
//handle
if ((use_ssl) && (SSL_get_verify_result(ssl) != X509_V_OK))
//handle
if ((use_ssl) && (BIO_do_handshake(output) <= 0))
//handle
int flags = CMS_STREAM|CMS_NOSMIMECAP;
cms = CMS_sign(NULL, NULL, NULL, mem, flags);
if (!CMS_add1_signer(cms, scert, skey, NULL, flags))
//handle
printf ("ssl->rbio %p\n", ssl->rbio);
printf ("ssl->wbio %p\n", ssl->wbio);
if (!i2d_CMS_bio_stream(output, cms, mem, flags))
printf ("error writing output\n");
printf ("i2d_CMS_bio_stream");
printf ("ssl->rbio %p\n", ssl->rbio);
printf ("ssl->wbio %p\n", ssl->wbio);
output is:
ssl->rbio 0x1aadf60
ssl->wbio 0x1aadf60
i2d_CMS_bio_stream
ssl->rbio (nil)
ssl->wbio (nil)
So naturally, after that the next call to BIO_read (output) fails.
why would the bio's be getting set to null?
Is there some other flag or function I need to use to prevent this?
--
Chris Bare
ch...@bareflix.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: "read bio not set" error
> > printf ("ssl->rbio %p\n", ssl->rbio);
> > printf ("ssl->wbio %p\n", ssl->wbio);
> > if (!i2d_CMS_bio_stream(output, cms, mem, flags))
> > printf ("error writing output\n");
> > printf ("i2d_CMS_bio_stream");
> > printf ("ssl->rbio %p\n", ssl->rbio);
> > printf ("ssl->wbio %p\n", ssl->wbio);
> >
> >
> > output is:
> > ssl->rbio 0x1aadf60
> > ssl->wbio 0x1aadf60
> > i2d_CMS_bio_stream
> > ssl->rbio (nil)
> > ssl->wbio (nil)
> >
> > So naturally, after that the next call to BIO_read (output) fails.
> >
> > why would the bio's be getting set to null?
> > Is there some other flag or function I need to use to prevent this?
> >
>
> Ouch, this is a nasty bug PR #1748 which has only been noticed when something
> non-trivial is attempted with SSL BIOs.
>
> I'll look into fixing it.
>
In further testing, I discovered that saving rbio and wbio, then restoring
them in the ssl structure allowed the rest of the program to perform
correctly.
Let me know if you need any more details on what my program is doing with the
cms.
--
Chris Bare
ch...@bareflix.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: "read bio not set" error
> A fix has now been applied, please try the current 1.0.0 CVS, get the next > snapshot or just manually apply: > > http://cvs.openssl.org/chngview?cn=18310 > > Steve. I built from the latest CVS and it now works fine. Thanks for the fix. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
CMS_verify question
I'm trying to verify a CMS signedData that I get from a server. As far as I know, what the server is sending is correct, but I get this error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure error:2E09D06D:CMS routines:CMS_verify:content verify error If I pass the CMS_NO_CONTENT_VERIFY flag to CMS_verify, of course I don't get the error. Any suggestions on how to track this down? -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
how to get CMS contents
What is the proper way to access this data: data = cms->d.signedData->encapContentInfo->eContent->data; length = cms->d.signedData->encapContentInfo->eContent->length; The above only works if I include a private header: crypto/cms/cms_lcl.h -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
calling i2d_CMS_bio_stream twice
I'm trying to log the exact data I am sending to the server by doing this: if (!i2d_CMS_bio_stream (server, cms, mem, flags)) // error BIO_reset(mem); if (!i2d_CMS_bio_stream (logfile, cms, mem, flags)) // err I get no error for the second call to i2d_CMS_bio_stream, but I also get 0 bytes output to the file. If I comment out the first call, it works fine. Is there something else I need to reset, or once it's sent, do I have to start all over with a new cms object? -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
"illegal options on item template" error
I'm trying to read in a CVResponse sequence using d2i_CVResponse based on a
structure I've defined. I get the following errors:
140033302341272:error:0D0780AA:asn1 encoding routines:ASN1_ITEM_EX_D2I:illegal
options on item template:tasn_dec.c:192:Type=GENERAL_NAMES
140033302341272:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:738:Field=requestorRef, Type=CVResponse
Here's the spec I'm trying to implement:
/**
CVRequest ::= SEQUENCE {
cvRequestVersion INTEGER DEFAULT 1,
query Query,
requestorRef [0] GeneralNames OPTIONAL,
requestNonce [1] OCTET STRING OPTIONAL,
requestorName [2] GeneralName OPTIONAL,
responderName [3] GeneralName OPTIONAL,
requestExtensions [4] Extensions OPTIONAL,
signatureAlg [5] AlgorithmIdentifier OPTIONAL,
hashAlg[6] OBJECT IDENTIFIER OPTIONAL,
requestorText [7] UTF8String (SIZE (1..256)) OPTIONAL }
***/
and what I've defined so far:
typedef struct {
ASN1_INTEGER *cvRequestVersion;
Query *query;
GENERAL_NAMES *requestorRef;
ASN1_OCTET_STRING *requestNonce;
//incomplete
} CVRequest;
ASN1_SEQUENCE(CVRequest) = {
ASN1_SIMPLE(CVRequest, cvRequestVersion, ASN1_INTEGER),
ASN1_SIMPLE(CVRequest, query, Query),
ASN1_IMP_OPT(CVRequest, requestorRef, GENERAL_NAMES, 0),
ASN1_IMP_OPT(CVRequest, requestNonce, ASN1_OCTET_STRING, 1)
} ASN1_SEQUENCE_END(CVRequest)
IMPLEMENT_ASN1_FUNCTIONS(CVRequest)
Is the error complaining out the structure I have defined, or the der data it
is trying to process?
As far as I can tell the der data doesn't even contain a requestorRef.
Any suggestions?
--
Chris Bare
ch...@bareflix.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
