Re: [openssl-users] Obtaining PKCS7 data length

2016-09-02 Thread David
On 02/09/2016 16:39, Dr. Stephen Henson wrote:
> On Tue, Aug 30, 2016, David wrote:
>> How can I obtain the length of the overall sequence which contains PKCS7
>> signed data?  This is important because the length I already have may be
>> longer than the actual PKCS7 data.
>>
> I'm curious: why do you want that information?

I am loading PKCS7 data from Windows Portable Executable files which is
used for code signing ("Authenticode").

The file structure itself gives a length for the relevant data that I
pass to d2i_PKCS7().  However there may be trailing data which does not
relate to the PKCS7 structure.

My requirement for the length is to spot errors or abuse by comparing
the length parsed by OpenSSL to the PE specific headers, e.g. to detect
issues like MS13-098 [1].

> If you want the entire length of the parsed data you can use d2i_PKCS7() to
> parse the buffer: the passed pointer is then incremented to immediately follow
> the PKCS7 structure. You can then get the length by subtracting the
> start of the buffer.

Thank you - this works fine.

David

1 - https://technet.microsoft.com/en-gb/library/security/2915720
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Obtaining PKCS7 data length

2016-09-02 Thread Dr. Stephen Henson
On Tue, Aug 30, 2016, David wrote:

> Hi,
> 
> I have some PKCS7 data which I can read like this with OpenSSL:
> 
> $ openssl asn1parse -i -inform der -in data.dat
> 0:d=0  hl=4 l=16208 cons: SEQUENCE
> 4:d=1  hl=2 l=9 prim:  OBJECT:pkcs7-signedData
> .. more ..
> 
> I can load it in code like so:
> 
> // buf contains the raw data, len the length
> BIO *bio = BIO_new_mem_buf(buf, len);
> 
> PKCS7 *pkcs7 = d2i_PKCS7_bio(bio, NULL);
> if (!pkcs7) {
> // die
> }
> printf("Success!");
> 
> This works fine and I can successfully obtain signer information etc.
> However I'd like to obtain the length value as parsed from the input
> data. In my example this was 16208, seen in the second line of the ASN1
> output.
> 
> I noticed there is a length attribute to the PKCS7 structure (see
> include/openssl/pkcs7.h) but pkcs7->length is always zero when I print it.
> 
> How can I obtain the length of the overall sequence which contains PKCS7
> signed data?  This is important because the length I already have may be
> longer than the actual PKCS7 data.
> 

I'm curious: why do you want that information?

If you want the entire length of the parsed data you can use d2i_PKCS7() to
parse the buffer: the passed pointer is then incremented to immediately follow
the PKCS7 structure. You can then get the length by subtracting the
start of the buffer.

If you want the length of the initial SEQUENCE then this data is handled
automatically by the parser and isn't directly available. You can use an ASN.1
function such as ASN1_get_object() to obtain it. However this won't always be
what you want: if the PKCS#7 structure used indefinite length constructed
encoding then you won't get anything useful.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
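Added example, not code from the thread or from OpenSSL: a dependency-free parse of the outer DER header that reports what ASN1_get_object() would (tag, constructed flag, content length, header length), then compares the SEQUENCE's extent with the length the container claims (the PE security directory size in David's case) to count trailing bytes, and flags the indefinite-length form instead of measuring it. The sample blob is constructed here, and the names der_header, signed_data_extent and tlv belong to this example only.

```python
def der_header(buf, off=0):
    """Parse one BER/DER identifier+length at buf[off] -> (tag_number, constructed,
    content_len, header_len); content_len is None for the indefinite form."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    ident, first = buf[off], buf[off + 1]
    if ident & 0x1F == 0x1F:
        raise ValueError("high-tag-number form (tag >= 31) not handled here")
    constructed, pos = bool(ident & 0x20), off + 2
    if first < 0x80:                      # short form: one length octet
        length = first
    elif first == 0x80:                   # indefinite form (BER only, ends with 00 00)
        if not constructed:
            raise ValueError("indefinite length on a primitive value")
        length = None
    else:                                 # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0x7F or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return ident & 0x1F, constructed, length, pos - off

def signed_data_extent(buf, declared_len):
    """Compare the outer PKCS#7 SEQUENCE with declared_len (what the container, e.g. the
    PE security directory, says the blob occupies); indefinite-length blobs are flagged."""
    tag, constructed, content_len, header_len = der_header(buf)
    if tag != 0x10 or not constructed:
        raise ValueError("outer object is not a constructed SEQUENCE")
    if content_len is None:               # the caveat from the reply: no usable extent
        return {"indefinite": True, "header_len": header_len,
                "content_len": None, "total": None, "trailing": None}
    total = header_len + content_len
    if total > min(len(buf), declared_len):
        raise ValueError("SEQUENCE claims %d bytes, fewer are available" % total)
    return {"indefinite": False, "header_len": header_len, "content_len": content_len,
            "total": total, "trailing": declared_len - total}

def tlv(ident, body):
    """Definite-length DER encoder, used only to build the constructed sample below."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    len_octets = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([ident]) + len_octets + body

# Constructed sample: SEQUENCE { OID pkcs7-signedData, [0] { OCTET STRING (300 bytes) } }
# followed by 16 junk bytes a container length could still cover, plus a BER indefinite variant.
SAMPLE_BODY = tlv(0x06, bytes.fromhex("2a864886f70d010702")) + tlv(0xA0, tlv(0x04, b"\x00" * 300))
SAMPLE_WITH_TRAILER = tlv(0x30, SAMPLE_BODY) + b"\xff" * 16
SAMPLE_INDEFINITE = b"\x30\x80" + SAMPLE_BODY + b"\x00\x00"
```

With d2i_PKCS7() the same trailing count comes from the advanced pointer minus the buffer start; this header-only check is the cheap pre-check, and any mismatch between the two is worth logging.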


[openssl-users] Obtaining PKCS7 data length

2016-08-30 Thread David
Hi,

I have some PKCS7 data which I can read like this with OpenSSL:

$ openssl asn1parse -i -inform der -in data.dat
0:d=0  hl=4 l=16208 cons: SEQUENCE
4:d=1  hl=2 l=9 prim:  OBJECT:pkcs7-signedData
.. more ..

I can load it in code like so:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/pkcs7.h>

// buf contains the raw data, len the length
BIO *bio = BIO_new_mem_buf(buf, len);

PKCS7 *pkcs7 = d2i_PKCS7_bio(bio, NULL);
if (!pkcs7) {
    // die
}
printf("Success!\n");

// release the parsed structure and the memory BIO when done
PKCS7_free(pkcs7);
BIO_free(bio);

This works fine and I can successfully obtain signer information etc.
However I'd like to obtain the length value as parsed from the input
data. In my example this was 16208, seen in the second line of the ASN1
output.

I noticed there is a length attribute to the PKCS7 structure (see
include/openssl/pkcs7.h) but pkcs7->length is always zero when I print it.

How can I obtain the length of the overall sequence which contains PKCS7
signed data?  This is important because the length I already have may be
longer than the actual PKCS7 data.

David