Convert ASN1_OCTET_STRING contents to ASN1 Sequence

[Chang Lee]

Does anyone know of a way to take an ASN1_OCTET_STRING that contains a DER encoded Sequence and extract the contents of the Sequence as an ASN1_STRING.  Essentially, I want to construct an ASN1 object of the Sequence.  I guess I could manually parse the Sequence (and deal with the different types of length encoding) but I figure there must be an easier way.

Thanks,

CLee

[Dominik Oepen]

You can use the macros in asn1t.h for parsing DER encoded data. Have a
look at the comment starting at line 132 (I'm using OpenSSL 1.0.0e) of
this header file. It explains how to declare an ASN1 SEQUENCE. You can
find plenty of examples using these macros within the OpenSSL source
(for example crypto/pkcs7/p7_asn1.c).

However, I'm not exactly sure whether or not the ASN1 subsystem is meant
to be used outside of OpenSSL. I couldn't find a lot of documentation
about it and learned how to use it by reading the source. Maybe one of
the OpenSSL developers could comment on this.

Best regards,
Dominik
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

[Chang Lee]

Thanks Dominik for the tip.  Actually, I have been poring over the OpenSSL code, though we're using the 0.9.8 branch, hoping to find a built-in primitive SEQUENCE to use but to no avail.  As you say, there are templates for primitives and I looked at how the PKCS7 was composed from those primitives but there are so many levels of indirection that it's time consuming to follow.  I guess using C to implement features that object oriented languages such as C++ expose declaratively makes things more complex.  I'll keep looking...

-CLee

[Dr. Stephen Henson]

On Thu, Sep 22, 2011, Dominik Oepen wrote:

>
> However, I'm not exactly sure whether or not the ASN1 subsystem is meant
> to be used outside of OpenSSL. I couldn't find a lot of documentation
> about it and learned how to use it by reading the source. Maybe one of
> the OpenSSL developers could comment on this.
>

It can be used outside OpenSSL and has a few features which workaround
platform limitaions: exporting variables as functions for example.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

[Dr. Stephen Henson]

On Thu, Sep 22, 2011, Chang Lee wrote:

> Thanks Dominik for the tip. Actually, I have been poring over the OpenSSL
> code, though we're using the 0.9.8 branch, hoping to find a built-in
> primitive SEQUENCE to use but to no avail. As you say, there are templates
> for primitives and I looked at how the PKCS7 was composed from those
> primitives but there are so many levels of indirection that it's time
> consuming to follow. I guess using C to implement features that object
> oriented languages such as C++ expose declaratively makes things more
> complex. I'll keep looking...
>

Can you be a bit more specific about what you are trying to do? Do you want to
parse a specific ASN1 structure or handle a general case?

[Michael S. Zick]

On Thu September 22 2011, Chang Lee wrote:
> Thanks Dominik for the tip. Actually, I have been poring over the OpenSSL
> code, though we're using the 0.9.8 branch, hoping to find a built-in
> primitive SEQUENCE to use but to no avail. As you say, there are templates
> for primitives and I looked at how the PKCS7 was composed from those
> primitives but there are so many levels of indirection that it's time
> consuming to follow.
>

Let the compiler help you, try the: "-E" option switch.

Mike

> I guess using C to implement features that object
> oriented languages such as C++ expose declaratively makes things more
> complex. I'll keep looking...
>

> -CLee
>
>
> On Thu, Sep 22, 2011 at 2:41 AM, Dominik Oepen <
> oe...@informatik.hu-berlin.de> wrote:
>
> > Am 21.09.2011 23:27, schrieb Chang Lee:
> > > Does anyone know of a way to take an ASN1_OCTET_STRING that contains a
> > > DER encoded Sequence and extract the contents of the Sequence as an
> > > ASN1_STRING. Essentially, I want to construct an ASN1 object of the
> > > Sequence. I guess I could manually parse the Sequence (and deal with
> > > the different types of length encoding) but I figure there must be an
> > > easier way.
> >
> > You can use the macros in asn1t.h for parsing DER encoded data. Have a
> > look at the comment starting at line 132 (I'm using OpenSSL 1.0.0e) of
> > this header file. It explains how to declare an ASN1 SEQUENCE. You can
> > find plenty of examples using these macros within the OpenSSL source
> > (for example crypto/pkcs7/p7_asn1.c).
> >

> > However, I'm not exactly sure whether or not the ASN1 subsystem is meant
> > to be used outside of OpenSSL. I couldn't find a lot of documentation
> > about it and learned how to use it by reading the source. Maybe one of
> > the OpenSSL developers could comment on this.
> >

> > Best regards,
> > Dominik

[Chang Lee]

I'm trying to parse the content of an ASN1_OCTET_STRING, which I know/expect to be a DER encoded SEQUENCE, into an object.  I need to do this because I'm trying to verify an Authenticode signature.  I need to generate a digest of the contents of the signedData sans the type & length bytes. Now generating the object via d2i_PKCS7 results in the p7->d.sign->contents->d.other->value.octet_string containing the contents of the ContentInfo.content [0] which is itself a SEQUENCE (SpcIndirectDataContent).  Unfortunately, Authenticode needs the digest of the content of SpcIndirectDataContent.  Therein lies the reason why I'm trying to 'peel' off one layer to get at the data.  I was initially hunting for a generic SEQUENCE object that I could parse the data but I couldn't find one.

I have attempted to create a SEQUENCE from the template but have yet to get it to work.  This is what I've tried:

///////HEADER FILE:

typedef struct authenticode_inner_content_st

{

ASN1_OCTET_STRING *pData;

} AUTHENTICODE_INNER_CONTENT;

DECLARE_ASN1_FUNCTIONS(AUTHENTICODE_INNER_CONTENT)

typedef struct authenticode_content_st

{

AUTHENTICODE_INNER_CONTENT *pInnerContent;

} AUTHENTICODE_CONTENT;

DECLARE_ASN1_FUNCTIONS(AUTHENTICODE_CONTENT)

///////CPP FILE:

ASN1_SEQUENCE(AUTHENTICODE_INNER_CONTENT) = {

ASN1_SIMPLE(AUTHENTICODE_INNER_CONTENT, pData, ASN1_OCTET_STRING)

}ASN1_SEQUENCE_END(AUTHENTICODE_INNER_CONTENT)

ASN1_SEQUENCE(AUTHENTICODE_CONTENT) = {

ASN1_SIMPLE(AUTHENTICODE_CONTENT, pInnerContent, AUTHENTICODE_INNER_CONTENT)

}ASN1_SEQUENCE_END(AUTHENTICODE_CONTENT)

IMPLEMENT_ASN1_FUNCTIONS(AUTHENTICODE_INNER_CONTENT)

IMPLEMENT_ASN1_FUNCTIONS(AUTHENTICODE_CONTENT)

...

ASN1_OCTET_STRING *content = p7->d.sign->contents->d.other->value.octet_string;

AUTHENTICODE_CONTENT *pAuthContent = d2i_AUTHENTICODE_CONTENT(NULL, (const unsigned char**)&content->data, content->length);

...

////////////////////////////////////////////

d2i_AUTHENTICODE_CONTENT(...) errors out.

-Clee

On Thu, Sep 22, 2011 at 10:07 AM, Dr. Stephen Henson <st...@openssl.org> wrote:

On Thu, Sep 22, 2011, Chang Lee wrote:

> Thanks Dominik for the tip.  Actually, I have been poring over the OpenSSL
> code, though we're using the 0.9.8 branch, hoping to find a built-in
> primitive SEQUENCE to use but to no avail.  As you say, there are templates
> for primitives and I looked at how the PKCS7 was composed from those
> primitives but there are so many levels of indirection that it's time

> consuming to follow.  I guess using C to implement features that object

> oriented languages such as C++ expose declaratively makes things more
> complex.  I'll keep looking...
>

Can you be a bit more specific about what you are trying to do? Do you want to
parse a specific ASN1 structure or handle a general case?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________

[Dr. Stephen Henson]

On Thu, Sep 22, 2011, Chang Lee wrote:

> I'm trying to parse the content of an ASN1_OCTET_STRING, which I know/expect
> to be a DER encoded SEQUENCE, into an object. I need to do this because I'm
> trying to verify an Authenticode signature. I need to generate a digest of
> the contents of the signedData sans the type & length bytes. Now generating
> the object via d2i_PKCS7 results in the
> p7->d.sign->contents->d.other->value.octet_string containing the contents of
> the ContentInfo.content [0] which is itself a SEQUENCE
> (SpcIndirectDataContent). Unfortunately, Authenticode needs the digest of
> the content of SpcIndirectDataContent. Therein lies the reason why I'm
> trying to 'peel' off one layer to get at the data. I was initially hunting
> for a generic SEQUENCE object that I could parse the data but I couldn't
> find one.
> I have attempted to create a SEQUENCE from the template but have yet to get
> it to work. This is what I've tried:
>

Ah OK. So you've got the data into an ASN1_OCTET_STRING whose contents are a
SEQUENCE and you want the content octets of that SEQUENCE but without the
SEQUENCE tag+length octets?

Well there isn't anything which does that directly. You can get the DER buffer
using ASN1_STRING_length(os) and ASN1_STRING_data(os). That will give you the
SEQUENCE tag at the start and the content included.

If you want to skip over the tag+length octets of that buffer you need to do
some lower level stuff. If you use ASN1_get_object() it will tell you the
length of the sequence and skip the header. So the updated pointer will be
that start of the SEQUENCE contents and the length will be the length of that
content.

[Chang Lee]

Thanks for the info. I'll try to get it to work using ASN1_get_object().

Just for my edification, was my approach using the templates and macros not a viable option?

[Dr. Stephen Henson]

On Thu, Sep 22, 2011, Chang Lee wrote:

> Thanks for the info. I'll try to get it to work using ASN1_get_object().
> Just for my edification, was my approach using the templates and macros not
> a viable option?
>

Well it would work but you'd have to parse the whole structure which isn't
necessary if you just want to skip the SEQUENCE header. Even then when you
outputted the structure you'd get the SEQUENCE header again.

[Chang Lee]

ASN1_get_object() got the job done.  Thanks.

[Frank Morgner]

On Thursday, September 22 at 08:41AM, Dominik Oepen wrote:
>
> Am 21.09.2011 23:27, schrieb Chang Lee:
> > Does anyone know of a way to take an ASN1_OCTET_STRING that contains a
> > DER encoded Sequence and extract the contents of the Sequence as an
> > ASN1_STRING. Essentially, I want to construct an ASN1 object of the
> > Sequence. I guess I could manually parse the Sequence (and deal with
> > the different types of length encoding) but I figure there must be an
> > easier way.
>
> You can use the macros in asn1t.h for parsing DER encoded data. Have a
> look at the comment starting at line 132 (I'm using OpenSSL 1.0.0e) of
> this header file. It explains how to declare an ASN1 SEQUENCE. You can
> find plenty of examples using these macros within the OpenSSL source
> (for example crypto/pkcs7/p7_asn1.c).

An other approach would be to strip tag and length from the octet string
with ASN1_get_object. Then use ASN1_put_object to wrap the data into a
sequence.

Cheers, Frank.

[Chang Lee]

Nice tip.  I'll look into that.