Re: PKCS7_add_attribute
Dr. Stephen Henson wrote:
> On Thu, Sep 16, 2004, Antonio Ruiz Martínez wrote:
>> I tried to put the sequence in an octet_string and with that way there is no problem, but I would like to use the SEQUENCE directly if it is possible.
>
> I tried that test file and it chokes several asn1 parsing tools. It looks like the attribute is added OK and then things go badly amiss after it.
>
> This would be the case if you'd added the PKCS#7 structure along with some trailing data, for example if the length you passed to ASN1_STRING_set() was wrong.
>
> Could you send or post the octet string version: it is much easier to confirm that's the case with that.

Thanks for your comments, here you are the octet string version. The content inside the octet string is the same length as the file. This file is generated with the same code that I used for the previous files; the only difference is that for this version I'm using PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_OCTET_STRING, (void *)oct) instead of PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE, (void *)oct).

Regards,
Antonio.

Attachment: SignedP7TSP.p7
Re: PKCS7_add_attribute
On Mon, Sep 20, 2004, Antonio Ruiz Martínez wrote:
> Dr. Stephen Henson wrote:
>> On Thu, Sep 16, 2004, Antonio Ruiz Martínez wrote:
>>> I tried to put the sequence in an octet_string and with that way there is no problem, but I would like to use the SEQUENCE directly if it is possible.
>>
>> I tried that test file and it chokes several asn1 parsing tools. It looks like the attribute is added OK and then things go badly amiss after it.
>>
>> This would be the case if you'd added the PKCS#7 structure along with some trailing data, for example if the length you passed to ASN1_STRING_set() was wrong.
>>
>> Could you send or post the octet string version: it is much easier to confirm that's the case with that.
>
> Thanks for your comments, here you are the octet string version. The content inside the octet string is the same length as the file. This file is generated with the same code that I used for the previous files; the only difference is that for this version I'm using PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_OCTET_STRING, (void *)oct) instead of PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE, (void *)oct).

The length should be the length of the relevant ASN1 structure, not the length of the file: unless you are sure the file only contains valid data.

Your test file confirms my earlier hypothesis: there is trailing data which is not part of the PKCS#7 structure tagged on the end. In that example the PKCS#7 length is 1194 bytes but the actual amount of data is 1452 bytes. The non-ASN1 data on the end is what's choking the V_ASN1_SEQUENCE version.

There are a couple of ways to work out the true length. One is to call d2i_PKCS7() on it and see how far the pointer is advanced; this will also syntax check the PKCS#7 structure too.

Steve.

-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
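The trailing-data problem diagnosed above (a 1194-byte PKCS#7 handed to ASN1_STRING_set() inside 1452 bytes of file) can be caught before the bytes ever reach the attribute. The following is an added example, not code from the thread or from OpenSSL: a small DER walker with no OpenSSL dependency that computes the size of the outermost element, reports how many bytes trail it, and checks that each constructed element's children fill it exactly (the kind of SET/SEQUENCE length mismatch dumpasn1 showed). All function names are this example's own, and the sample buffer is constructed to mirror the thread's numbers.

```c
#include <stddef.h>
#include <string.h>
/* Total encoded size (tag + length + content) of the DER element at the start
 * of buf[0..len), or -1 if the header is malformed or the declared length
 * overruns the buffer. Multi-byte tags are rejected as unsupported. */
long der_tlv_size(const unsigned char *buf, size_t len)
{
    size_t pos, clen = 0;
    if (len < 2 || (buf[0] & 0x1f) == 0x1f)
        return -1;
    pos = 1;
    if (buf[pos] < 0x80) {                     /* short-form length */
        clen = buf[pos++];
    } else {                                   /* long-form length */
        size_t nb = buf[pos++] & 0x7f;
        if (nb == 0 || nb > sizeof(size_t) || nb > len - pos)
            return -1;                         /* 0x80 (indefinite) is not DER */
        while (nb--)
            clen = (clen << 8) | buf[pos++];
    }
    if (clen > len - pos)
        return -1;
    return (long)(pos + clen);
}

/* Bytes left over after the first element: non-zero means more than the
 * structure itself (e.g. the whole file) was handed to ASN1_STRING_set(). */
long der_trailing_bytes(const unsigned char *buf, size_t len)
{
    long n = der_tlv_size(buf, len);
    return n < 0 ? -1 : (long)len - n;
}

/* Check that buf[0..len) is exactly one element and that every constructed
 * element's children fill its content exactly: 0 if consistent, -1 if not. */
int der_check_nesting(const unsigned char *buf, size_t len)
{
    long total = der_tlv_size(buf, len);
    size_t pos;
    if (total < 0 || (size_t)total != len)
        return -1;
    if (!(buf[0] & 0x20))                      /* primitive: nothing inside */
        return 0;
    pos = (buf[1] < 0x80) ? 2 : 2 + (buf[1] & 0x7f);
    while (pos < len) {
        long child = der_tlv_size(buf + pos, len - pos);
        if (child < 0 || der_check_nesting(buf + pos, (size_t)child) < 0)
            return -1;                         /* child overruns or is broken */
        pos += (size_t)child;
    }
    return 0;
}

/* Constructed sample mirroring the thread's numbers: a 1194-byte SEQUENCE
 * (holding one OCTET STRING) then 258 bytes of non-ASN.1 data, 1452 in all. */
size_t build_sample(unsigned char *out)
{
    static const unsigned char hdr[] = { 0x30, 0x82, 0x04, 0xa6,   /* SEQUENCE, 1190 */
                                         0x04, 0x82, 0x04, 0xa2 }; /* OCTET STRING, 1186 */
    memset(out, 0x41, 1452);
    memcpy(out, hdr, sizeof hdr);
    memset(out + 1194, 0, 258);                /* the trailing junk */
    return 1452;
}
```

Running der_trailing_bytes() over the bytes read from a file, and only passing the first der_tlv_size() bytes to ASN1_STRING_set(), gives the same answer as watching how far d2i_PKCS7() advances its pointer, without needing a full parse.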
Re: PKCS7_add_attribute
On Sun, Sep 19, 2004, Dr. Stephen Henson wrote:
> On Thu, Sep 16, 2004, Antonio Ruiz Martínez wrote:
>> I tried to put the sequence in an octet_string and with that way there is no problem, but I would like to use the SEQUENCE directly if it is possible.
>
> I tried that test file and it chokes several asn1 parsing tools. It looks like the attribute is added OK and then things go badly amiss after it.
>
> This would be the case if you'd added the PKCS#7 structure along with some trailing data, for example if the length you passed to ASN1_STRING_set() was wrong.

This appears to indeed be the case. dumpasn1 will partly display the structure but chokes later on. Here is the start of the attribute:

    1186 A1 1345: [1] {
    1190 30 1341:   SEQUENCE {
    1194 06    9:     OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
    1205 31 1326:     SET {
    1209 30 1257:       SEQUENCE {

The last SET length field is noticeably larger than the following SEQUENCE. This suggests there's some extra invalid data after the SEQUENCE.

Steve.
Re: PKCS7_add_attribute
On Thu, Sep 16, 2004, Antonio Ruiz Martínez wrote:
> I tried to put the sequence in an octet_string and with that way there is no problem, but I would like to use the SEQUENCE directly if it is possible.

I tried that test file and it chokes several asn1 parsing tools. It looks like the attribute is added OK and then things go badly amiss after it.

This would be the case if you'd added the PKCS#7 structure along with some trailing data, for example if the length you passed to ASN1_STRING_set() was wrong.

Could you send or post the octet string version: it is much easier to confirm that's the case with that.

Steve.
Re: PKCS7_add_attribute
On Thu, Sep 16, 2004, Antonio Ruiz Martínez wrote:
> Hello!
>
> Dr. Stephen Henson wrote:
>> My guess is that there's a problem with the generation of the encoding of the attribute: what code did you use for that?
>
>     oct=ASN1_STRING_new();
>     if (!ASN1_STRING_set(oct,p72,lenP72)) {
>         lReturn=-50;
>         goto err;
>     }
>     p7=PKCS7_new();
>     if (p7==NULL) {
>         lReturn=-20;
>         goto err;
>     }
>     //add certificate and keys...
>     ...
>     //get the signer info...
>     PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(char *)oct);
>     //insert the date with PKCS7_dataInit and bio_write and PKCS7_dataFinal...
>     //ENCODE in DER
>     ...
>
> Any idea?

It's the bit *before* that which is needed: the part that produces p72 and lenP72.

Steve.
Re: PKCS7_add_attribute
Dr. Stephen Henson wrote:
> On Thu, Sep 16, 2004, Antonio Ruiz Martínez wrote:
>> Hello!
>>
>> Dr. Stephen Henson wrote:
>>> My guess is that there's a problem with the generation of the encoding of the attribute: what code did you use for that?
>>
>>     oct=ASN1_STRING_new();
>>     if (!ASN1_STRING_set(oct,p72,lenP72)) {
>>         lReturn=-50;
>>         goto err;
>>     }
>>     p7=PKCS7_new();
>>     if (p7==NULL) {
>>         lReturn=-20;
>>         goto err;
>>     }
>>     //add certificate and keys...
>>     ...
>>     //get the signer info...
>>     PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(char *)oct);
>>     //insert the date with PKCS7_dataInit and bio_write and PKCS7_dataFinal...
>>     //ENCODE in DER
>>     ...
>>
>> Any idea?
>
> It's the bit *before* that which is needed: the part that produces p72 and lenP72.

The p72 is a PKCS7 that I read from a file as an array of bytes coded in DER. The PKCS7 is not generated in the same function; it is only read from a file because I'm simulating that I receive a PKCS7 that I want to insert in my PKCS7. The steps followed to generate the p72 are the same as the steps followed to make this PKCS7 but without inserting any attribute, and I got it from the code of the directory crypto/p7. This PKCS7 I can verify without any problem.

The code I'm using follows these steps...

    p7_new=PKCS7_new();
    PKCS7_set_type(p7_new,NID_pkcs7_signed);
    PKCS7_content_new(p7_new,NID_pkcs7_data);
    si=PKCS7_add_signature(p7_new,cert,privKey,EVP_md5());
    PKCS7_add_certificate(p7_new,cert);
    PKCS7_dataInit
    BIO_write
    BIO_flush
    PKCS7_dataFinal
    //Coding in der...
    p72= ...

If you want I can send you the complete code.

I also tried to do the following

    seq=d2i_PKCS7(NULL,&p72,lenP72);          // parse the DER bytes into a PKCS7
    ldP7=i2d_PKCS7(seq,NULL);                 // size of the re-encoding
    dSP7=(unsigned char *)malloc((ldP7)*sizeof(unsigned char));
    tmpderP7=dSP7;
    ldP7=i2d_PKCS7(seq,&tmpderP7);            // re-encode the parsed structure
    oct=ASN1_STRING_new();
    if (!ASN1_STRING_set(oct,dSP7,ldP7)) {
    }
    p7=PKCS7_new();
    if (p7==NULL) {
        lReturn=-20;
        goto err;
    }
    //add certificate and keys...
    ...
    //get the signer info...
    PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(char *)oct);
    //insert the date with PKCS7_dataInit and bio_write and PKCS7_dataFinal...
    //ENCODE in DER
    ...

But this code doesn't work either.

Regards,
Antonio.
PKCS7_add_attribute
Hello!

I've been looking at the PKCS7_add_attribute function and I would like to insert a signed PKCS7 as an attribute. The header of the function is:

    PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value);

I suppose that nid should be NID_pkcs7_signed, but I don't know which values should be in atrtype (may it be V_ASN1_SEQUENCE?) and in value (DER coding of the PKCS7? or the SEQUENCE of the PKCS7; in this case, how can I get the sequence from the PKCS7?).

Could you help me, please?

Regards,
Antonio.

-- 
Antonio Ruiz Martínez
Faculty of Computer Science - University of Murcia
30071 Murcia - Spain
e-mail: [EMAIL PROTECTED] or arm [at] dif [dot] um [dot] es
Re: PKCS7_add_attribute
Hello!

Dr. Stephen Henson wrote:
> On Wed, Sep 15, 2004, Antonio Ruiz Martínez wrote:
>> Hello!
>>
>> I've been looking at the PKCS7_add_attribute function and I would like to insert a signed PKCS7 as an attribute. The header of the function is:
>>
>>     PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value);
>>
>> I suppose that nid should be NID_pkcs7_signed, but I don't know which values should be in atrtype (may it be V_ASN1_SEQUENCE?) and in value (DER coding of the PKCS7? or the SEQUENCE of the PKCS7; in this case, how can I get the sequence from the PKCS7?).
>>
>> Could you help me, please?
>>
>> Regards,
>> Antonio.
>
> The NID is whatever OID is defined by whatever standard defines the syntax. If there isn't a standard you might want to create a private OID and document its meaning somewhere.
>
> The meaning of atrtype and value are based on the ASN1_TYPE structure. For a sequence atrtype is indeed V_ASN1_SEQUENCE and value is an ASN1_STRING structure containing the encoding of the SEQUENCE.

Thanks for your answer, it has been very useful when I use an octet string, but I have got a problem when I'm using a sequence. I think I am not doing something properly because I don't get the desired result.

I've tried the following options:

1)

    ASN1_OCTET_STRING *oct=NULL;
    oct=ASN1_STRING_new();
    ASN1_STRING_set(oct,p7_2,lenp7_2);
    PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)oct);
    i2d_PKCS7 ...

where p7_2 -> DER coding of a signed PKCS#7.

This way when I try to decode the result of the coding I get an error; it seems the structure is not correct. However, if I try with PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_OCTET_STRING,(void *)oct) it works, but I've an attribute which is an octet string that contains a DER coded PKCS7, and I would like the attribute to be directly the PKCS7.

2)

    p7_2=d2i_PKCS7(NULL,&tsp,lenTSP);
    PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)p7_2);
    i2d_PKCS7 ...

This way I can decode the encoded PKCS7 but the PKCS7 is not inserted properly as an attribute.

How can I solve the problem? Could you help me another time, please?

Thanks in advance,
Regards,
Antonio.
Re: PKCS7_add_attribute
To add a PKCS7 as an attribute, one possibility is to use from PKCS9 version 2:

    pKCS7PDU ATTRIBUTE ::= {
        WITH SYNTAX ContentInfo
        ID pkcs-9-at-pkcs7PDU
    }

which ends up in an OID pkcs-9 25 5 as far as I see.
Re: PKCS7_add_attribute
On Wed, Sep 15, 2004, Antonio Ruiz Martínez wrote:
> Thanks for your answer, it has been very useful when I use an octet string, but I have got a problem when I'm using a sequence. I think I am not doing something properly because I don't get the desired result.
>
> I've tried the following options:
>
> 1)
>
>     ASN1_OCTET_STRING *oct=NULL;
>     oct=ASN1_STRING_new();
>     ASN1_STRING_set(oct,p7_2,lenp7_2);
>     PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)oct);
>     i2d_PKCS7 ...
>
> where p7_2 -> DER coding of a signed PKCS#7.
>
> This way when I try to decode the result of the coding I get an error; it seems the structure is not correct. However, if I try with PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_OCTET_STRING,(void *)oct) it works, but I've an attribute which is an octet string that contains a DER coded PKCS7, and I would like the attribute to be directly the PKCS7.
>
> 2)
>
>     p7_2=d2i_PKCS7(NULL,&tsp,lenTSP);
>     PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)p7_2);
>     i2d_PKCS7 ...
>
> This way I can decode the encoded PKCS7 but the PKCS7 is not inserted properly as an attribute.
>
> How can I solve the problem? Could you help me another time, please?

What errors are you getting and what makes you think it isn't inserted properly as an attribute? How are you trying to decode it?

The technique I described is precisely that used to encode and decode the S/MIME capabilities attribute. See crypto/pkcs7/pk7_attr.c which I also wrote BTW :-)

And I notice that the decoding in there isn't quite right: it should check the type is really V_ASN1_SEQUENCE and reject if it isn't. I'll have to fix that...

Steve.
Re: PKCS7_add_attribute
Dr. Stephen Henson wrote:
> On Wed, Sep 15, 2004, Antonio Ruiz Martínez wrote:
>> Thanks for your answer, it has been very useful when I use an octet string, but I have got a problem when I'm using a sequence. I think I am not doing something properly because I don't get the desired result.
>>
>> I've tried the following options:
>>
>> 1)
>>
>>     ASN1_OCTET_STRING *oct=NULL;
>>     oct=ASN1_STRING_new();
>>     ASN1_STRING_set(oct,p7_2,lenp7_2);
>>     PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)oct);
>>     i2d_PKCS7 ...
>>
>> where p7_2 -> DER coding of a signed PKCS#7.
>>
>> This way when I try to decode the result of the coding I get an error; it seems the structure is not correct. However, if I try with PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_OCTET_STRING,(void *)oct) it works, but I've an attribute which is an octet string that contains a DER coded PKCS7, and I would like the attribute to be directly the PKCS7.
>>
>> 2)
>>
>>     p7_2=d2i_PKCS7(NULL,&tsp,lenTSP);
>>     PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)p7_2);
>>     i2d_PKCS7 ...
>>
>> This way I can decode the encoded PKCS7 but the PKCS7 is not inserted properly as an attribute.
>>
>> How can I solve the problem? Could you help me another time, please?
>
> What errors are you getting and what makes you think it isn't inserted properly as an attribute?

Thanks for your comments!!! I'm using the first solution 1), as you told me, that is...

    oct=ASN1_STRING_new();
    if (!ASN1_STRING_set(oct,pkcs7inDER,lenPKCS7inDER)) {
        lReturn=-50;
        goto err;
    }
    p7=PKCS7_new();
    if (p7==NULL) {
        lReturn=-20;
        goto err;
    }
    ..
    si=sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info,0);
    if (si==NULL) {
        lReturn=-4;
        goto err;
    }
    PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(char *)oct);

And I'm getting the file that I attach. I can't decode this file.

> How are you trying to decode it?

d2i_PKCS7...

> The technique I described is precisely that used to encode and decode the S/MIME capabilities attribute. See crypto/pkcs7/pk7_attr.c which I also wrote BTW :-)

I've been looking at that code... And I'm doing the same, I think...

Have you got any idea?

Regards,
Antonio.

Attachment: test.der
Re: PKCS7_add_attribute
You may try a routine like the following by replacing all occurrences of ESS_SIGNING_CERTIFICATE by PKCS7 and changing the nid to the PKCS9 V2 defined one. Or consider to (mis)use

    id-aa-timeStampToken OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
        rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) aa(2) 14 }

The difference I see is that the i2d is done before setting the attribute.

    int ESS_add_attrib_signcert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERTIFICATE *sc)
    {
        ASN1_STRING *seq;
        unsigned char *p, *pp;
        int len;

        /* DER-encode the structure first; only those bytes go into the ASN1_STRING */
        len = i2d_ESS_SIGNING_CERTIFICATE(sc, NULL);
        if (!(pp = (unsigned char *) OPENSSL_malloc(len))) {
            ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        p = pp;
        i2d_ESS_SIGNING_CERTIFICATE(sc, &p);
        if (!(seq = ASN1_STRING_new())) {
            OPENSSL_free(pp);
            ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        if (!ASN1_STRING_set(seq, pp, len)) {
            ASN1_STRING_free(seq);
            OPENSSL_free(pp);
            ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        OPENSSL_free(pp);
        return PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
                                          V_ASN1_SEQUENCE, seq);
    }
Re: PKCS7_add_attribute
Hello!

Peter Sylvester wrote:
> You may try a routine like the following by replacing all occurrences of ESS_SIGNING_CERTIFICATE by PKCS7 and changing the nid to the PKCS9 V2 defined one. Or consider to (mis)use
>
>     id-aa-timeStampToken OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
>         rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) aa(2) 14 }

Ok, you're right, I thought to use that identifier when I have the timeStampToken, but at this moment I only want to make some tests so as to know if it is possible to use it.

> The difference I see is that the i2d is done before setting the attribute.

Ok, I agree with you, that is the only difference with my code and it is the only thing that I can see different.

Thanks for your help.

Regards,
Antonio.