Re: Authenticode timestamp processing: error while parsing timestamp request

2010-08-19 Thread Jakob Bohm 

On 18-08-2010 19:41, Alessandro Menti wrote:


Thanks for your help, Jacob.

Where can I find your signing tools? A quick Google search
revealed no useful links.


Sorry, closed source in-house code only, tied heavily into other
closed source code, anyway it was a client, not a server.


Alternatively, can you suggest me how to complete the original
ASN.1 structures so as to add the explicit [0] tag? I have already
searched the official OpenSSL documentation for some clues, but I
have found nothing of interest (moreover, this is the first time
I use the OpenSSL library in one of my projects).


Sorry, I don't know how to specify ASN.1 structures in OpenSSL,
my own code contained its own mini-DER encoder limited to just
the needed structures, and didn't use OpenSSL either at the time.

Anyway, I am not sure if your notation is the old deprecated one
or the new one (OpenSSL transitioned from one way of doing ASN.1
to another some time ago, and there was a FAQ entry about not
using ASN1_SOME_EVIL_MACRO).


Thanks in advance,
Alessandro Menti

- Original structures -
typedef struct {
 ASN1_OBJECT *type;
 ASN1_OCTET_STRING *data;
} TimeStampContentInfo;

typedef struct {
 ASN1_OBJECT *countersignatureType;
 TimeStampContentInfo *content;
} TimeStampRequest;

ASN1_SEQUENCE(TimeStampContentInfo) = {
 ASN1_SIMPLE(TimeStampContentInfo, type, ASN1_OBJECT),
 ASN1_EXP_OPT(TimeStampContentInfo, data, ASN1_OCTET_STRING, 0)
} ASN1_SEQUENCE_END(TimeStampContentInfo)

DECLARE_ASN1_FUNCTIONS(TimeStampRequest)
ASN1_SEQUENCE(TimeStampRequest) = {
 ASN1_SIMPLE(TimeStampRequest, countersignatureType, ASN1_OBJECT),
 ASN1_SIMPLE(TimeStampRequest, content, TimeStampContentInfo)
} ASN1_SEQUENCE_END(TimeStampRequest)
IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest)



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Authenticode timestamp processing: error while parsing timestamp request

2010-08-18 Thread Alessandro Menti 

Hi everyone,
I'm trying to write a CGI program to generate timestamps for the
Authenticode(TM) digital signature system.

I'm having trouble extracting the original ContentInfo from the timestamp
request (the ContentInfo is required to generate a valid reply). Since the
requests are Base64-encoded, I have set up a BIO that reads the request from
standard input and decodes it via the OpenSSL builtin Base64 filter; however,
it seems that the request is not parsed correctly.
Since I have adapted the ASN1 definitions from the osslsigncode project, is
it possible that the absence of the attributes member in the ASN1
definitions is causing the request not to be decoded correctly?

I attach a test program and a sample timestamp request for clarification.

Thanks for your help,
Alessandro Menti

- Test program -
#include stdio.h
#include stdlib.h
#include openssl/asn1.h
#include openssl/asn1t.h
#include openssl/bio.h
#include openssl/objects.h
#include openssl/pem.h
#include openssl/pkcs7.h

/*
   The ASN.1 format of the timestamp request, according to MSDN (see
   http://this), is:
  TimeStampRequest ::= SEQUENCE {
  countersignatureType OBJECT IDENTIFIER,
  attributes Attributes OPTIONAL, 
  content    ContentInfo
  }
   The countersignatureType is the OID 1.3.6.1.4.1.311.3.2.1; the
   attributes are not interpreted and the content is a ContentInfo
   as defined by PKCS#7.

   The definitions below have been adapted from the osslsigncode project
   (http://sf.net/projects/osslsigncode/).
 */
typedef struct {
    ASN1_OBJECT *type;
    ASN1_OCTET_STRING *data;
} TimeStampContentInfo;

typedef struct {
    ASN1_OBJECT *countersignatureType;
    TimeStampContentInfo *content;
} TimeStampRequest;

ASN1_SEQUENCE(TimeStampContentInfo) = {
    ASN1_SIMPLE(TimeStampContentInfo, type, ASN1_OBJECT),
    ASN1_EXP_OPT(TimeStampContentInfo, data, ASN1_OCTET_STRING, 0)
} ASN1_SEQUENCE_END(TimeStampContentInfo)

DECLARE_ASN1_FUNCTIONS(TimeStampRequest)
ASN1_SEQUENCE(TimeStampRequest) = {
    ASN1_SIMPLE(TimeStampRequest, countersignatureType, ASN1_OBJECT),
    ASN1_SIMPLE(TimeStampRequest, content, TimeStampContentInfo)
} ASN1_SEQUENCE_END(TimeStampRequest)
IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest)

/* Function prototypes */
TimeStampRequest *d2i_TimeStampRequest_bio(BIO *bp, TimeStampRequest **tsr);

int main() {
    PKCS7_SIGNER_INFO *respSigner;
    BIO *dataFeedIn, *dataFilter;
    TimeStampRequest *request;
    OpenSSL_add_all_algorithms();
    dataFilter=BIO_new(BIO_f_base64());
    dataFeedIn=BIO_new_fp(stdin, BIO_NOCLOSE);
    dataFeedIn=BIO_push(dataFilter, dataFeedIn);
    request=d2i_TimeStampRequest_bio(dataFeedIn, NULL);
    /* If decoding was successful, request should be a pointer to a valid
   TimeStampRequest structure; otherwise, it should be NULL */
    if (request==NULL)
    printf(Error\n);
    else
    printf(Success\n);
    return 0;
}

TimeStampRequest *d2i_TimeStampRequest_bio(BIO *bp, TimeStampRequest **tsr) {
    return ASN1_item_d2i_bio(ASN1_ITEM_rptr(TimeStampRequest), bp, tsr);
}

- Sample timestamp request -
MIICIwYKKwYBBAGCNwMCATCCAhMGCSqGSIb3DQEHAaCCAgQEggIANlq5EqVVVLmMCQ9na+KbNTYHaFZ/s/XGttBL+ZCBjA3LCH/fqRyTrlfiUj758X6usGzMU0xaCKNVezuj3OCrI19GeBHn4xpT9CQY+ZgWqNdXO04A0Vtu253tvXHnkfu2lmrnLKsQt9YcvyB1eEWiqW/eZECTlsl9cchKzC7z8fj1I2r8Zs3RgXfgFbV6d9iSCxcoGgHfoDKmiOaYIkDP6apc83yDNdfj486EQ2GrRIUPrlLnnctlMZ0OGCqAsIzt0E2Ye3TAy9Q0HsZNdDbYYcpCLiH1H2HJFq8U1oDJaS5+O60eaA3qsZ+phyBNTUT80Lpbs/kV3JvEl64+/9YHpRHvYlMc14dXo0qStmLko4iSxY2i5XB3ud9zlZPNy595+IglJ4fXs9i8Vqla0sdiAKmoZBQqBJOEeuP0M2A/OWpLuw/7EUliHeE0HLLYxG79CvPP1/4hhUlx7F3WlCjIwPG0Yfj3m75wdgWxPnehcrCKv+UzHiYlWcJnFy0wu7fLzXTQnUCdnO7wu56PRgCKPDwuDamtE5yTEeV68C6Q8GOmUOBrDdy3LTYB2LOzy1q4tfS2I0wUsYr0yX9tnSoUIEdoGHGWnULv10sFHWx5gefDJBjMZ552JuvuCZcG/JrHURaaaKc0ftvt8K6thXjNhOhUrARR2Bm6rqdCW/NoOyA=

  
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Authenticode timestamp processing: error while parsing timestamp request

2010-08-18 Thread Jakob Bohm 

Your ASN.1 looks a lot like what I am sending in my own signing
tools (developed independently from the sf project you mention).

I ran your example request through Peter Gutman's dumpasn1 with
my old config file, and here is the output, which looks like the
same requests I generate (no attributes, explicit [0] tag before
the OCTET string):

   0  547: SEQUENCE {
   4   10:   OBJECT IDENTIFIER
 : timestampRequest (1 3 6 1 4 1 311 3 2 1)
  16  531:   SEQUENCE {
  209: OBJECT IDENTIFIER
 :   data (1 2 840 113549 1 7 1)
  31  516: [0] {
  35  512:   OCTET STRING
 : 36 5A B9 12 A5 55 54 B9 8C 09 0F 67 6B E2 9B 35
 : 36 07 68 56 7F B3 F5 C6 B6 D0 4B F9 90 81 8C 0D
 : CB 08 7F DF A9 1C 93 AE 57 E2 52 3E F9 F1 7E AE
 : B0 6C CC 53 4C 5A 08 A3 55 7B 3B A3 DC E0 AB 23
 : 5F 46 78 11 E7 E3 1A 53 F4 24 18 F9 98 16 A8 D7
 : 57 3B 4E 00 D1 5B 6E DB 9D ED BD 71 E7 91 FB B6
 : 96 6A E7 2C AB 10 B7 D6 1C BF 20 75 78 45 A2 A9
 : 6F DE 64 40 93 96 C9 7D 71 C8 4A CC 2E F3 F1 F8
 : [ Another 384 bytes skipped ]
 :   }
 : }
 :   }

I suspect that your OpenSSL declarations are missing the explicit
[0] tag.


On 18-08-2010 11:23, Alessandro Menti wrote:


Hi everyone,
I'm trying to write a CGI program to generate timestamps for the
Authenticode(TM) digital signature system.

I'm having trouble extracting the original ContentInfo from the timestamp
request (the ContentInfo is required to generate a valid reply). Since the
requests are Base64-encoded, I have set up a BIO that reads the request from
standard input and decodes it via the OpenSSL builtin Base64 filter; however,
it seems that the request is not parsed correctly.
Since I have adapted the ASN1 definitions from the osslsigncode project, is
it possible that the absence of the attributes member in the ASN1
definitions is causing the request not to be decoded correctly?

I attach a test program and a sample timestamp request for clarification.

Thanks for your help,
Alessandro Menti

- Test program -
#includestdio.h
#includestdlib.h
#includeopenssl/asn1.h
#includeopenssl/asn1t.h
#includeopenssl/bio.h
#includeopenssl/objects.h
#includeopenssl/pem.h
#includeopenssl/pkcs7.h

/*
The ASN.1 format of the timestamp request, according to MSDN (see
http://this), is:
   TimeStampRequest ::= SEQUENCE {
   countersignatureType OBJECT IDENTIFIER,
   attributes Attributes OPTIONAL,
   contentContentInfo
   }
The countersignatureType is the OID 1.3.6.1.4.1.311.3.2.1; the
attributes are not interpreted and the content is a ContentInfo
as defined by PKCS#7.

The definitions below have been adapted from the osslsigncode project
(http://sf.net/projects/osslsigncode/).
  */
typedef struct {
 ASN1_OBJECT *type;
 ASN1_OCTET_STRING *data;
} TimeStampContentInfo;

typedef struct {
 ASN1_OBJECT *countersignatureType;
 TimeStampContentInfo *content;
} TimeStampRequest;

ASN1_SEQUENCE(TimeStampContentInfo) = {
 ASN1_SIMPLE(TimeStampContentInfo, type, ASN1_OBJECT),
 ASN1_EXP_OPT(TimeStampContentInfo, data, ASN1_OCTET_STRING, 0)
} ASN1_SEQUENCE_END(TimeStampContentInfo)

DECLARE_ASN1_FUNCTIONS(TimeStampRequest)
ASN1_SEQUENCE(TimeStampRequest) = {
 ASN1_SIMPLE(TimeStampRequest, countersignatureType, ASN1_OBJECT),
 ASN1_SIMPLE(TimeStampRequest, content, TimeStampContentInfo)
} ASN1_SEQUENCE_END(TimeStampRequest)
IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest)

/* Function prototypes */
TimeStampRequest *d2i_TimeStampRequest_bio(BIO *bp, TimeStampRequest **tsr);

int main() {
 PKCS7_SIGNER_INFO *respSigner;
 BIO *dataFeedIn, *dataFilter;
 TimeStampRequest *request;
 OpenSSL_add_all_algorithms();
 dataFilter=BIO_new(BIO_f_base64());
 dataFeedIn=BIO_new_fp(stdin, BIO_NOCLOSE);
 dataFeedIn=BIO_push(dataFilter, dataFeedIn);
 request=d2i_TimeStampRequest_bio(dataFeedIn, NULL);
 /* If decoding was successful, request should be a pointer to a valid
TimeStampRequest structure; otherwise, it should be NULL */
 if (request==NULL)
 printf(Error\n);
 else
 printf(Success\n);
 return 0;
}

TimeStampRequest *d2i_TimeStampRequest_bio(BIO *bp, TimeStampRequest **tsr) {
 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(TimeStampRequest), bp, tsr);
}

- Sample timestamp request -

RE: Authenticode timestamp processing: error while parsing timestamp request

2010-08-18 Thread Alessandro Menti 

Thanks for your help, Jacob.

Where can I find your signing tools? A quick Google search
revealed no useful links.

Alternatively, can you suggest me how to complete the original
ASN.1 structures so as to add the explicit [0] tag? I have already
searched the official OpenSSL documentation for some clues, but I
have found nothing of interest (moreover, this is the first time
I use the OpenSSL library in one of my projects).

Thanks in advance,
Alessandro Menti

- Original structures -
typedef struct {
    ASN1_OBJECT *type;
    ASN1_OCTET_STRING *data;
} TimeStampContentInfo;

typedef struct {
    ASN1_OBJECT *countersignatureType;
    TimeStampContentInfo *content;
} TimeStampRequest;

ASN1_SEQUENCE(TimeStampContentInfo) = {
    ASN1_SIMPLE(TimeStampContentInfo, type, ASN1_OBJECT),
    ASN1_EXP_OPT(TimeStampContentInfo, data, ASN1_OCTET_STRING, 0)
} ASN1_SEQUENCE_END(TimeStampContentInfo)

DECLARE_ASN1_FUNCTIONS(TimeStampRequest)
ASN1_SEQUENCE(TimeStampRequest) = {
    ASN1_SIMPLE(TimeStampRequest, countersignatureType, ASN1_OBJECT),
    ASN1_SIMPLE(TimeStampRequest, content, TimeStampContentInfo)
} ASN1_SEQUENCE_END(TimeStampRequest)
IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest)
  
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org