On Tue, Feb 23, 2016, Stephan M?hlstrasser wrote:
> I tried again to map the structure of the CMS object to the
> definitions in RFC 5652 (comments added with a '%'):
>
> 1: SEQUENCE {
> 2: OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
> % ContentType
> 3: [0] { % eContent
> 4: SEQUENCE {
> 5: INTEGER 0 % CMSVersion
> % no OriginatorInfo
> 6: SET { % RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
> 7: SEQUENCE {
> % SEQUENCE tag should not be present because of implicit tagging?
Yes, because it is using the key agreement choice type it should be
tagged [1] IMPLICIT but it is not which is why OpenSSL thinks it is key
transport.
> 8: INTEGER 3
> % version 3 only applicable to KeyAgreeRecipientInfo
> 9: [0] {
Assume this is KeyAgreeRecipientInfo.. the above tag would indicate the
"originator" field.
> 10: SEQUENCE {
Here it is wrong again. The untagged form is "IssuerAndSerialNumber" which
the fields below certainly aren't. It looks like originatorKey which should be
tagged [1] IMPLICIT.
> 11: SEQUENCE {
> 12: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
> 13: OBJECT IDENTIFIER secp521r1 (1 3 132 0 35)
> 14: }
>
So yes it's pretty broken.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
