Re: [openssl-users] Obtaining PKCS7 data length
On 02/09/2016 16:39, Dr. Stephen Henson wrote: > On Tue, Aug 30, 2016, David wrote: >> How can I obtain the length of the overall sequence which contains PKCS7 >> signed data? This is important because the length I already have may be >> longer than the actual PKCS7 data. >> > I'm curious: why do you want that information? I am loading PKCS7 data from Windows Portable Executable files which is used for code signing ("Authenticode"). The file structure itself gives a length for the relevant data that I pass to d2i_PKCS7(). However there may be trailing data which does not relate to the PKCS7 structure. My requirement for the length is to spot errors or abuse by comparing the length parsed by OpenSSL to the PE specific headers, e.g. to detect issues like MS13-098 [1]. > If you want the entire length of the parsed data you can use d2i_PKCS7() to > parse the buffer: the passed pointer is then incremented to immediately follow > the PKCS7 structure. You can then get the length by subtracting the > start of the buffer. Thank you - this works fine. David 1 - https://technet.microsoft.com/en-gb/library/security/2915720 -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Obtaining PKCS7 data length
On Tue, Aug 30, 2016, David wrote: > Hi, > > I have some PKCS7 data which I can read like this with OpenSSL: > > $ openssl asn1parse -i -inform der -in data.dat > 0:d=0 hl=4 l=16208 cons: SEQUENCE > 4:d=1 hl=2 l=9 prim: OBJECT:pkcs7-signedData > .. more .. > > I can load it in code like so: > > // buf contains the raw data, len the length > BIO *bio = BIO_new_mem_buf(buf, len); > > PKCS7 *pkcs7 = d2i_PKCS7_bio(bio, NULL); > if (!pkcs7) { > // die > } > printf("Success!"); > > This works fine and I can successfully obtain signer information etc. > However I'd like to obtain the length value as parsed from the input > data. In my example this was 16208, seen in the second line of the ASN1 > output. > > I noticed there is a length attribute to the PKCS7 structure (see > include/openssl/pkcs7.h) but pkcs7->length is always zero when I print it. > > How can I obtain the length of the overall sequence which contains PKCS7 > signed data? This is important because the length I already have may be > longer than the actual PKCS7 data. > I'm curious: why do you want that information? If you want the entire length of the parsed data you can use d2i_PKCS7() to parse the buffer: the passed pointer is then incremented to immediately follow the PKCS7 structure. You can then get the length by subtracting the start of the buffer. If you want the length of the intial SEQUENCE then this data is handled automatically by the parser and isn't directly available. You can use an ASN.1 function such as ASN1_get_object() to obtain it. However this wont always be what you want: if the PKCS#7 structure used indefinite length constructed encoding then you wont get anything useful. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Obtaining PKCS7 data length
Hi, I have some PKCS7 data which I can read like this with OpenSSL: $ openssl asn1parse -i -inform der -in data.dat 0:d=0 hl=4 l=16208 cons: SEQUENCE 4:d=1 hl=2 l=9 prim: OBJECT:pkcs7-signedData .. more .. I can load it in code like so: // buf contains the raw data, len the length BIO *bio = BIO_new_mem_buf(buf, len); PKCS7 *pkcs7 = d2i_PKCS7_bio(bio, NULL); if (!pkcs7) { // die } printf("Success!"); This works fine and I can successfully obtain signer information etc. However I'd like to obtain the length value as parsed from the input data. In my example this was 16208, seen in the second line of the ASN1 output. I noticed there is a length attribute to the PKCS7 structure (see include/openssl/pkcs7.h) but pkcs7->length is always zero when I print it. How can I obtain the length of the overall sequence which contains PKCS7 signed data? This is important because the length I already have may be longer than the actual PKCS7 data. David -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users