Re: ASN1 <-> DER encoding with application tag

2021-11-07 Thread Max Larsson
Hi Matt,

I found the initial definition is my best try to model the ASN.1 structure as
probably described in RFC 2743.

The problem is that the bytes of the innerContextToken are completely dependent
upon the value of the OID from the mech. As far as I understand, the bytes of the
innerContextToken must not be in DER encoded format. In my case it just happens
to be a DER encoded structure because the OID value is the OID of the SPNEGO
mechanism.

The encoded structure to realize is “just” the following if the OID () is known
and the corresponding bytes for the innerContextToken (mechToken):

0x0a  0x06 0x06  


I hope that’s understandable. I thought it would be nice to use the
functionality offered by OpenSSL to encode this data (the next step would even
be to decode such a structure), but I think it isn’t a real DER encoded ASN.1
structure, but somehow only relates to that. Thus I think I have to “manually”
encode the OID and innerContextToken.

Best regards

Max


Re: ASN1 <-> DER encoding with application tag

2021-11-05 Thread Matt Caswell




On 04/11/2021 17:39, Max Larsson wrote:
> But now I’m wondering how I can “cascade” using this method to influence
> the encoding, to avoid the writing of the additional bytes after the OID
> gets encoded and before the innerToken is encoded:
>
> ….. 0x05 0x05 0x02 *0x04 0x76* 0xa0 0x74 …. (here are a lot of bytes
> omitted)


I think this is an entirely different problem.

0x04 corresponds to the universal tag for an OCTET STRING, and 0x76 is 
the length of that OCTET STRING.


I assume what you want to see is 0xa0, which means a context specific 
constructed type with tag 0, followed by data of length 0x74.


So, basically, it looks to me like your initial definition of the 
GSSAPI_CONTEXTTOKEN object is wrong:


typedef struct ContextToken_st {
ASN1_OBJECT *mech;
ASN1_OCTET_STRING *innerContextToken;
} GSSAPI_CONTEXTTOKEN;

Since this clearly shows that the thing after the OID is an OCTET 
STRING. So you really need to understand what the actual type is for 
innerContextToken in order to correctly encode/decode it.


Matt


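The tag and length bytes Matt decodes above can be checked mechanically. The Python below is an added example, not code from the thread or from OpenSSL: it parses the identifier and length octets of the two headers quoted in this thread (the Wireshark capture `0x60 0x7e …` and the `0x30 0x81 0x80 … 0x04 0x76 …` output of the OCTET STRING template), names each tag, and applies the check Russ makes elsewhere in the thread, that the declared length is backed by the bytes actually present. The 116 inner bytes Max omitted from both dumps are replaced with zero padding, which is constructed filler and not captured data; the function names are my own.

```python
# Added example, not part of the openssl-users thread: decode DER
# identifier/length octets and check declared lengths against the bytes present.
from typing import List, Tuple

CLASS_NAMES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT", 3: "PRIVATE"}
UNIVERSAL_NAMES = {0x04: "OCTET STRING", 0x06: "OBJECT IDENTIFIER", 0x10: "SEQUENCE"}

# The two headers quoted in the thread (transcribed from the mails).
CAPTURED_HEADER = bytes.fromhex("607e06062b0601050502a074")        # Wireshark capture
I2D_HEADER = bytes.fromhex("30818006062b06010505020476a074")      # OCTET STRING template output
# Constructed filler standing in for the 116 inner-token bytes Max omitted.
PADDING = bytes(116)


def parse_header(data: bytes, offset: int = 0) -> Tuple[int, bool, int, int, int]:
    """Decode the identifier and length octets of the TLV at `offset`.

    Returns (tag_class, constructed, tag_number, content_length, header_size).
    Only low tag numbers (< 31) and DER's minimal definite lengths are accepted.
    """
    if offset + 2 > len(data):
        raise ValueError("truncated before the length octet")
    ident = data[offset]
    tag_class = ident >> 6            # bits 8-7: 00 universal, 01 application, 10 context, 11 private
    constructed = bool(ident & 0x20)  # bit 6: constructed vs primitive
    tag_number = ident & 0x1F         # bits 5-1
    if tag_number == 0x1F:
        raise ValueError("high tag number form not supported")
    first = data[offset + 1]
    if first < 0x80:                  # short form: the octet is the length
        return tag_class, constructed, tag_number, first, 2
    n = first & 0x7F                  # long form: 0x80|n, then n length octets
    if n == 0:
        raise ValueError("indefinite length is BER, not DER")
    if offset + 2 + n > len(data):
        raise ValueError("truncated inside the long-form length")
    length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
    if length < 0x80 or data[offset + 2] == 0:
        raise ValueError("non-minimal length encoding is not DER")
    return tag_class, constructed, tag_number, length, 2 + n


def describe(data: bytes, offset: int = 0) -> str:
    """Name the TLV header at `offset`, e.g. '[APPLICATION 0] constructed, length 126'."""
    tag_class, constructed, number, length, _ = parse_header(data, offset)
    if tag_class == 0:
        name = UNIVERSAL_NAMES.get(number, f"UNIVERSAL {number}")
    else:
        name = f"[{CLASS_NAMES[tag_class]} {number}]"
    return f"{name} {'constructed' if constructed else 'primitive'}, length {length}"


def walk_top_level(data: bytes) -> List[str]:
    """Describe the outer TLV and its immediate children.

    Children are only walked as far as the bytes actually present. A child that
    is itself a wrapper (an OCTET STRING around the real token) hides whatever
    sits inside it, which is exactly what the OCTET STRING template produced.
    """
    _, _, _, length, hsize = parse_header(data)
    lines = [describe(data)]
    available = len(data) - hsize
    if length > available:            # Russ's check: declared length vs bytes present
        lines.append(f"outer length {length} exceeds the {available} bytes available "
                     f"(missing {length - available})")
    end = hsize + min(length, available)
    pos = hsize
    while pos < end:
        if pos + 2 > len(data):
            lines.append("  truncated child header")
            break
        _, _, _, c_len, c_hsize = parse_header(data, pos)
        lines.append("  " + describe(data, pos))
        pos += c_hsize + c_len
    return lines


if __name__ == "__main__":
    for blob in (CAPTURED_HEADER, CAPTURED_HEADER + PADDING, I2D_HEADER + PADDING):
        print("\n".join(walk_top_level(blob)), end="\n\n")
```

Run on the bare 12-byte capture the walker reports the 116-byte shortfall Russ pointed out; padded to its declared length it lists the OID and the `[CONTEXT 0]` inner token as direct children, whereas the padded template output lists an OCTET STRING in that position and never reaches the `0xa0` byte at all.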
Re: ASN1 <-> DER encoding with application tag

2021-11-04 Thread Max Larsson
Hi Russ,

I have the 126 bytes, but as described I omitted them, because they are in my
opinion not helpful for my problem, and would only clutter the email. I should
probably have written some ellipses to indicate it better.

best regards

Max Larsson


Re: ASN1 <-> DER encoding with application tag

2021-11-04 Thread Max Larsson
Hi Matt,

Your suggestion helped a lot for the initial application tag.

I must confess I haven’t yet googled the method ASN1_item_ex, what exactly it
does and how it behaves and can be used.

But now I’m wondering how I can “cascade” using this method to influence the
encoding, to avoid the writing of the additional bytes after the OID gets
encoded and before the innerToken is encoded:

….. 0x05 0x05 0x02 0x04 0x76 0xa0 0x74 …. (here are a lot of bytes omitted)

Best regards

Max



Re: ASN1 <-> DER encoding with application tag

2021-11-04 Thread Russ Housley
The data is not correct if it is supposed to match RFC 2743.

The first byte is [APPLICATION 0].  That seems fine.

The second byte provides a length for the full SEQUENCE.  It says there are 126
bytes, but you do not have that many.

Russ




Re: ASN1 <-> DER encoding with application tag

2021-11-04 Thread Matt Caswell




On 04/11/2021 13:58, Max Larsson wrote:
>      i2d_GSSAPI_CONTEXTTOKEN( negToken, &p );

You can tell i2d to encode using "application" tagging like this:

    ASN1_item_ex_i2d((const ASN1_VALUE **)&negToken, &p,
                     ASN1_ITEM_rptr(GSSAPI_CONTEXTTOKEN), 0,
                     ASN1_TFLG_APPLICATION);

Matt


Re: ASN1 <-> DER encoding with application tag

2021-11-04 Thread Max Larsson
Hi Russ,

do you mean that the DER data

0x60 0x7e 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0xa0 0x74

is wrong?

If so, I captured that DER data with Wireshark from an SMB2 session setup
request, and that is what I am trying to decode with the help of OpenSSL. If
that data is wrong, is there a way to decode it with OpenSSL anyway?

Max


Re: ASN1 <-> DER encoding with application tag

2021-11-04 Thread Russ Housley
RFC 2743 shows this structure:
  MechType ::= OBJECT IDENTIFIER
  -- data structure definitions
  -- callers must be able to distinguish among
  -- InitialContextToken, SubsequentContextToken,
  -- PerMsgToken, and SealedMessage data elements
  -- based on the usage in which they occur

  InitialContextToken ::=
  -- option indication (delegation, etc.) indicated within
  -- mechanism-specific token
  [APPLICATION 0] IMPLICIT SEQUENCE {
  thisMech MechType,
  innerContextToken ANY DEFINED BY thisMech
 -- contents mechanism-specific
 -- ASN.1 structure not required
  }
The encoded data that you provided does begin with the [APPLICATION 0] tag,
then it is followed by the { 1 3 6 1 5 5 2 } object identifier.

Russ

> On Nov 4, 2021, at 9:58 AM, Max Larsson  wrote:
> 
> Hi everyone,
>  
> I’m trying to decode and encode a DER structure. In my case that is a DER
> encoded GSSAPI structure.
>  
> My DER encoded data looks like this (stripped the pending bytes):
>  
> 0x60 0x7e 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0xa0 0x74
>  
> My ASN.1 definition in my source looks like this:
>  
> typedef struct ContextToken_st {
>     ASN1_OBJECT *mech;
>     ASN1_OCTET_STRING *innerContextToken;
> } GSSAPI_CONTEXTTOKEN;
>  
> DECLARE_ASN1_FUNCTIONS( GSSAPI_CONTEXTTOKEN )
>  
> ASN1_SEQUENCE( GSSAPI_CONTEXTTOKEN ) = {
>     ASN1_SIMPLE( GSSAPI_CONTEXTTOKEN, mech, ASN1_OBJECT ),
>     ASN1_SIMPLE( GSSAPI_CONTEXTTOKEN, innerContextToken, ASN1_OCTET_STRING )
> } ASN1_SEQUENCE_END( GSSAPI_CONTEXTTOKEN )
>  
> IMPLEMENT_ASN1_FUNCTIONS( GSSAPI_CONTEXTTOKEN )
>  
> Parsing the above DER data fails, so I decided to encode my own DER
> structure, to see where the difference is with my setup:
>  
> . . .
> negToken = GSSAPI_CONTEXTTOKEN_new();
> if( negToken != NULL ) {
>     negToken->mech = OBJ_txt2obj( "1.3.6.1.5.5.2", 0 );
>     negToken->innerContextToken = ASN1_OCTET_STRING_new();
>  
>     /* inner token bytes; the rest of the literal is stripped for readability */
>     const unsigned char mechToken[] = "\xa0\x74\x30"; // …
>  
>     const size_t mechTokenSize = sizeof( mechToken ) - 1;
>     printf( "Size of inner token: %zu\n", mechTokenSize );
>     ASN1_OCTET_STRING_set( negToken->innerContextToken, mechToken, mechTokenSize );
>  
>     /* i2d with a NULL output pointer only returns the required size */
>     int bufferSize = i2d_GSSAPI_CONTEXTTOKEN( negToken, NULL );
>  
>     printf( "Required buffer size for DER encoding of ASN1 structure: %d\n", bufferSize );
>  
>     unsigned char *buffer = malloc( bufferSize );
>     unsigned char *p = buffer;   /* i2d advances p past the bytes it writes */
>     i2d_GSSAPI_CONTEXTTOKEN( negToken, &p );
>  
>     for( int len = 0; len < bufferSize; len++ ) {
>         if( ( len % 8 ) == 0 )
>             printf( "  " );
>         if( ( len % 16 ) == 0 )
>             printf( "\n\t\t" );
>         printf( " 0x%02x", (short)buffer[ len ] );
>     }
>     printf( "\n" );
> . . .
>  
> The code above outputs the following DER encoded structure (the difference
> marked in bold):
>  
> 0x30 0x81 0x80 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0x04 0x76 0xa0 0x74
>  
> The Google result which I found seems to point in the direction of using
> application tags to encode.
>  
> But I haven’t found any example of how to achieve this with OpenSSL; can
> anyone give me some hints?
>  
>  
> Best regards
>  
> Max Larsson
>
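Russ's RFC 2743 excerpt above says what the bytes have to be: an [APPLICATION 0] IMPLICIT SEQUENCE whose second element is ANY, so the inner token is appended as-is. The Python below is an added example, not code from the thread or from OpenSSL, that encodes the token by hand (the "manual" encoding Max considers in his 7 November message) and, for comparison, what the SEQUENCE { OID, OCTET STRING } template from the original post emits. The OID and length encoders and the function names are my own; the 116-byte inner token (SPNEGO's negTokenInit header `a0 74` followed by zero padding) is constructed, not captured, and the Kerberos OID is used only as a second, multi-byte-arc test vector.

```python
# Added example, not part of the openssl-users thread: hand-encode the
# RFC 2743 InitialContextToken and compare it with the OCTET STRING template output.

APPLICATION_0_CONSTRUCTED = 0x60   # class 01 (application), constructed bit set, tag number 0
SEQUENCE = 0x30                    # universal 16, constructed
OCTET_STRING = 0x04                # universal 4, primitive
OBJECT_IDENTIFIER = 0x06           # universal 6, primitive

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OID = "1.2.840.113554.1.2.2"   # used only as a multi-byte-arc test vector

# Constructed stand-in for the 116-byte inner token: SPNEGO's negTokenInit
# header ([0] constructed, length 0x74) followed by zero padding.
INNER_TOKEN = b"\xa0\x74" + bytes(116)


def encode_length(n: int) -> bytes:
    """DER definite length: one octet below 128, else 0x80|k and k big-endian octets."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(identifier: int, content: bytes) -> bytes:
    """Identifier octet, DER length, content."""
    return bytes([identifier]) + encode_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV: first two arcs packed as 40*a+b, every arc in
    base 128 with the continuation bit set on all but its last octet."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"malformed OID {dotted!r}")
    content = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        octets = [arc & 0x7F]
        arc >>= 7
        while arc:
            octets.append(0x80 | (arc & 0x7F))
            arc >>= 7
        content.extend(reversed(octets))
    return tlv(OBJECT_IDENTIFIER, bytes(content))


def initial_context_token(mech_oid: str, inner_token: bytes) -> bytes:
    """RFC 2743 InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
    thisMech MechType, innerContextToken ANY DEFINED BY thisMech }.
    IMPLICIT tagging replaces the SEQUENCE identifier 0x30 with 0x60, and ANY
    means the inner token's own bytes follow the OID with no extra wrapper."""
    return tlv(APPLICATION_0_CONSTRUCTED, encode_oid(mech_oid) + inner_token)


def octet_string_template_output(mech_oid: str, inner_token: bytes) -> bytes:
    """What a SEQUENCE { OID, OCTET STRING } template emits instead: a universal
    SEQUENCE identifier and a 0x04 wrapper around the inner token."""
    return tlv(SEQUENCE, encode_oid(mech_oid) + tlv(OCTET_STRING, inner_token))


if __name__ == "__main__":
    good = initial_context_token(SPNEGO_OID, INNER_TOKEN)
    bad = octet_string_template_output(SPNEGO_OID, INNER_TOKEN)
    print("RFC 2743 token head:       ", good[:12].hex(" "))
    print("OCTET STRING template head:", bad[:15].hex(" "))
```

With the 116-byte inner token the hand-built token starts `60 7e 06 06 2b 06 01 05 05 02 a0 74`, matching the Wireshark capture byte for byte, while the template variant starts `30 81 80 … 04 76 a0 74`: the two extra octets are the OCTET STRING header, and pushing the content length from 126 to 128 is what forces the long-form `81 80` length.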