Re: Authenticode timestamp processing: error while parsing timestamp request
On 18-08-2010 19:41, Alessandro Menti wrote: Thanks for your help, Jacob. Where can I find your signing tools? A quick Google search revealed no useful links. Sorry, closed source in-house code only, tied heavily into other closed source code, anyway it was a client, not a server. Alternatively, can you suggest me how to complete the original ASN.1 structures so as to add the explicit [0] tag? I have already searched the official OpenSSL documentation for some clues, but I have found nothing of interest (moreover, this is the first time I use the OpenSSL library in one of my projects). Sorry, I don't know how to specify ASN.1 structures in OpenSSL, my own code contained its own mini-DER encoder limited to just the needed structures, and didn't use OpenSSL either at the time. Anyway, I am not sure if your notation is the old deprecated one or the new one (OpenSSL transitioned from one way of doing ASN.1 to another some time ago, and there was a FAQ entry about not using ASN1_SOME_EVIL_MACRO). Thanks in advance, Alessandro Menti - Original structures - typedef struct { ASN1_OBJECT *type; ASN1_OCTET_STRING *data; } TimeStampContentInfo; typedef struct { ASN1_OBJECT *countersignatureType; TimeStampContentInfo *content; } TimeStampRequest; ASN1_SEQUENCE(TimeStampContentInfo) = { ASN1_SIMPLE(TimeStampContentInfo, type, ASN1_OBJECT), ASN1_EXP_OPT(TimeStampContentInfo, data, ASN1_OCTET_STRING, 0) } ASN1_SEQUENCE_END(TimeStampContentInfo) DECLARE_ASN1_FUNCTIONS(TimeStampRequest) ASN1_SEQUENCE(TimeStampRequest) = { ASN1_SIMPLE(TimeStampRequest, countersignatureType, ASN1_OBJECT), ASN1_SIMPLE(TimeStampRequest, content, TimeStampContentInfo) } ASN1_SEQUENCE_END(TimeStampRequest) IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Authenticode timestamp processing: error while parsing timestamp request
Hi everyone, I'm trying to write a CGI program to generate timestamps for the Authenticode(TM) digital signature system. I'm having trouble extracting the original ContentInfo from the timestamp request (the ContentInfo is required to generate a valid reply). Since the requests are Base64-encoded, I have set up a BIO that reads the request from standard input and decodes it via the OpenSSL builtin Base64 filter; however, it seems that the request is not parsed correctly. Since I have adapted the ASN1 definitions from the osslsigncode project, is it possible that the absence of the attributes member in the ASN1 definitions is causing the request not to be decoded correctly? I attach a test program and a sample timestamp request for clarification. Thanks for your help, Alessandro Menti - Test program - #include stdio.h #include stdlib.h #include openssl/asn1.h #include openssl/asn1t.h #include openssl/bio.h #include openssl/objects.h #include openssl/pem.h #include openssl/pkcs7.h /* The ASN.1 format of the timestamp request, according to MSDN (see http://this), is: TimeStampRequest ::= SEQUENCE { countersignatureType OBJECT IDENTIFIER, attributes Attributes OPTIONAL, content ContentInfo } The countersignatureType is the OID 1.3.6.1.4.1.311.3.2.1; the attributes are not interpreted and the content is a ContentInfo as defined by PKCS#7. The definitions below have been adapted from the osslsigncode project (http://sf.net/projects/osslsigncode/). */ typedef struct { ASN1_OBJECT *type; ASN1_OCTET_STRING *data; } TimeStampContentInfo; typedef struct { ASN1_OBJECT *countersignatureType; TimeStampContentInfo *content; } TimeStampRequest; ASN1_SEQUENCE(TimeStampContentInfo) = { ASN1_SIMPLE(TimeStampContentInfo, type, ASN1_OBJECT), ASN1_EXP_OPT(TimeStampContentInfo, data, ASN1_OCTET_STRING, 0) } ASN1_SEQUENCE_END(TimeStampContentInfo) DECLARE_ASN1_FUNCTIONS(TimeStampRequest) ASN1_SEQUENCE(TimeStampRequest) = { ASN1_SIMPLE(TimeStampRequest, countersignatureType, ASN1_OBJECT), ASN1_SIMPLE(TimeStampRequest, content, TimeStampContentInfo) } ASN1_SEQUENCE_END(TimeStampRequest) IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest) /* Function prototypes */ TimeStampRequest *d2i_TimeStampRequest_bio(BIO *bp, TimeStampRequest **tsr); int main() { PKCS7_SIGNER_INFO *respSigner; BIO *dataFeedIn, *dataFilter; TimeStampRequest *request; OpenSSL_add_all_algorithms(); dataFilter=BIO_new(BIO_f_base64()); dataFeedIn=BIO_new_fp(stdin, BIO_NOCLOSE); dataFeedIn=BIO_push(dataFilter, dataFeedIn); request=d2i_TimeStampRequest_bio(dataFeedIn, NULL); /* If decoding was successful, request should be a pointer to a valid TimeStampRequest structure; otherwise, it should be NULL */ if (request==NULL) printf(Error\n); else printf(Success\n); return 0; } TimeStampRequest *d2i_TimeStampRequest_bio(BIO *bp, TimeStampRequest **tsr) { return ASN1_item_d2i_bio(ASN1_ITEM_rptr(TimeStampRequest), bp, tsr); } - Sample timestamp request - MIICIwYKKwYBBAGCNwMCATCCAhMGCSqGSIb3DQEHAaCCAgQEggIANlq5EqVVVLmMCQ9na+KbNTYHaFZ/s/XGttBL+ZCBjA3LCH/fqRyTrlfiUj758X6usGzMU0xaCKNVezuj3OCrI19GeBHn4xpT9CQY+ZgWqNdXO04A0Vtu253tvXHnkfu2lmrnLKsQt9YcvyB1eEWiqW/eZECTlsl9cchKzC7z8fj1I2r8Zs3RgXfgFbV6d9iSCxcoGgHfoDKmiOaYIkDP6apc83yDNdfj486EQ2GrRIUPrlLnnctlMZ0OGCqAsIzt0E2Ye3TAy9Q0HsZNdDbYYcpCLiH1H2HJFq8U1oDJaS5+O60eaA3qsZ+phyBNTUT80Lpbs/kV3JvEl64+/9YHpRHvYlMc14dXo0qStmLko4iSxY2i5XB3ud9zlZPNy595+IglJ4fXs9i8Vqla0sdiAKmoZBQqBJOEeuP0M2A/OWpLuw/7EUliHeE0HLLYxG79CvPP1/4hhUlx7F3WlCjIwPG0Yfj3m75wdgWxPnehcrCKv+UzHiYlWcJnFy0wu7fLzXTQnUCdnO7wu56PRgCKPDwuDamtE5yTEeV68C6Q8GOmUOBrDdy3LTYB2LOzy1q4tfS2I0wUsYr0yX9tnSoUIEdoGHGWnULv10sFHWx5gefDJBjMZ552JuvuCZcG/JrHURaaaKc0ftvt8K6thXjNhOhUrARR2Bm6rqdCW/NoOyA= __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Authenticode timestamp processing: error while parsing timestamp request
Your ASN.1 looks a lot like what I am sending in my own signing tools (developed independently from the sf project you mention). I ran your example request through Peter Gutman's dumpasn1 with my old config file, and here is the output, which looks like the same requests I generate (no attributes, explicit [0] tag before the OCTET string): 0 547: SEQUENCE { 4 10: OBJECT IDENTIFIER : timestampRequest (1 3 6 1 4 1 311 3 2 1) 16 531: SEQUENCE { 209: OBJECT IDENTIFIER : data (1 2 840 113549 1 7 1) 31 516: [0] { 35 512: OCTET STRING : 36 5A B9 12 A5 55 54 B9 8C 09 0F 67 6B E2 9B 35 : 36 07 68 56 7F B3 F5 C6 B6 D0 4B F9 90 81 8C 0D : CB 08 7F DF A9 1C 93 AE 57 E2 52 3E F9 F1 7E AE : B0 6C CC 53 4C 5A 08 A3 55 7B 3B A3 DC E0 AB 23 : 5F 46 78 11 E7 E3 1A 53 F4 24 18 F9 98 16 A8 D7 : 57 3B 4E 00 D1 5B 6E DB 9D ED BD 71 E7 91 FB B6 : 96 6A E7 2C AB 10 B7 D6 1C BF 20 75 78 45 A2 A9 : 6F DE 64 40 93 96 C9 7D 71 C8 4A CC 2E F3 F1 F8 : [ Another 384 bytes skipped ] : } : } : } I suspect that your OpenSSL declarations are missing the explicit [0] tag. On 18-08-2010 11:23, Alessandro Menti wrote: Hi everyone, I'm trying to write a CGI program to generate timestamps for the Authenticode(TM) digital signature system. I'm having trouble extracting the original ContentInfo from the timestamp request (the ContentInfo is required to generate a valid reply). Since the requests are Base64-encoded, I have set up a BIO that reads the request from standard input and decodes it via the OpenSSL builtin Base64 filter; however, it seems that the request is not parsed correctly. Since I have adapted the ASN1 definitions from the osslsigncode project, is it possible that the absence of the attributes member in the ASN1 definitions is causing the request not to be decoded correctly? I attach a test program and a sample timestamp request for clarification. Thanks for your help, Alessandro Menti - Test program - #includestdio.h #includestdlib.h #includeopenssl/asn1.h #includeopenssl/asn1t.h #includeopenssl/bio.h #includeopenssl/objects.h #includeopenssl/pem.h #includeopenssl/pkcs7.h /* The ASN.1 format of the timestamp request, according to MSDN (see http://this), is: TimeStampRequest ::= SEQUENCE { countersignatureType OBJECT IDENTIFIER, attributes Attributes OPTIONAL, contentContentInfo } The countersignatureType is the OID 1.3.6.1.4.1.311.3.2.1; the attributes are not interpreted and the content is a ContentInfo as defined by PKCS#7. The definitions below have been adapted from the osslsigncode project (http://sf.net/projects/osslsigncode/). */ typedef struct { ASN1_OBJECT *type; ASN1_OCTET_STRING *data; } TimeStampContentInfo; typedef struct { ASN1_OBJECT *countersignatureType; TimeStampContentInfo *content; } TimeStampRequest; ASN1_SEQUENCE(TimeStampContentInfo) = { ASN1_SIMPLE(TimeStampContentInfo, type, ASN1_OBJECT), ASN1_EXP_OPT(TimeStampContentInfo, data, ASN1_OCTET_STRING, 0) } ASN1_SEQUENCE_END(TimeStampContentInfo) DECLARE_ASN1_FUNCTIONS(TimeStampRequest) ASN1_SEQUENCE(TimeStampRequest) = { ASN1_SIMPLE(TimeStampRequest, countersignatureType, ASN1_OBJECT), ASN1_SIMPLE(TimeStampRequest, content, TimeStampContentInfo) } ASN1_SEQUENCE_END(TimeStampRequest) IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest) /* Function prototypes */ TimeStampRequest *d2i_TimeStampRequest_bio(BIO *bp, TimeStampRequest **tsr); int main() { PKCS7_SIGNER_INFO *respSigner; BIO *dataFeedIn, *dataFilter; TimeStampRequest *request; OpenSSL_add_all_algorithms(); dataFilter=BIO_new(BIO_f_base64()); dataFeedIn=BIO_new_fp(stdin, BIO_NOCLOSE); dataFeedIn=BIO_push(dataFilter, dataFeedIn); request=d2i_TimeStampRequest_bio(dataFeedIn, NULL); /* If decoding was successful, request should be a pointer to a valid TimeStampRequest structure; otherwise, it should be NULL */ if (request==NULL) printf(Error\n); else printf(Success\n); return 0; } TimeStampRequest *d2i_TimeStampRequest_bio(BIO *bp, TimeStampRequest **tsr) { return ASN1_item_d2i_bio(ASN1_ITEM_rptr(TimeStampRequest), bp, tsr); } - Sample timestamp request -
RE: Authenticode timestamp processing: error while parsing timestamp request
Thanks for your help, Jacob. Where can I find your signing tools? A quick Google search revealed no useful links. Alternatively, can you suggest me how to complete the original ASN.1 structures so as to add the explicit [0] tag? I have already searched the official OpenSSL documentation for some clues, but I have found nothing of interest (moreover, this is the first time I use the OpenSSL library in one of my projects). Thanks in advance, Alessandro Menti - Original structures - typedef struct { ASN1_OBJECT *type; ASN1_OCTET_STRING *data; } TimeStampContentInfo; typedef struct { ASN1_OBJECT *countersignatureType; TimeStampContentInfo *content; } TimeStampRequest; ASN1_SEQUENCE(TimeStampContentInfo) = { ASN1_SIMPLE(TimeStampContentInfo, type, ASN1_OBJECT), ASN1_EXP_OPT(TimeStampContentInfo, data, ASN1_OCTET_STRING, 0) } ASN1_SEQUENCE_END(TimeStampContentInfo) DECLARE_ASN1_FUNCTIONS(TimeStampRequest) ASN1_SEQUENCE(TimeStampRequest) = { ASN1_SIMPLE(TimeStampRequest, countersignatureType, ASN1_OBJECT), ASN1_SIMPLE(TimeStampRequest, content, TimeStampContentInfo) } ASN1_SEQUENCE_END(TimeStampRequest) IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org