Hi Steve,

What you've described sounds exactly like what I want to do. Couple of questions/concerns in regards to what you've just stated:

1) Is there a way to initialize a CMS_ContentInfo structure like there is a way to initialize a BIO structure (such as with BIO_new())? I'm looking through openssl/cms.h but I'm not seeing anything.

2) Once again, I'm looking in openssl/cms.h, and I could not find the function prototype "d2i_CMS_ContentInfo". I even did a grep on the whole directory. Is it located somewhere else? I have OpenSSL 1.0.1, which is after 0.9.8 when the function was added to OpenSSL.

3) In looking at the function prototype (via https://www.openssl.org/docs/man1.0.2/crypto/d2i_CMS_ContentInfo.html):

    CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, unsigned char **pp, long length);

I'm assuming **pp is just a pointer to the array with the DER-encoded certificate in it? I just want to make sure since some of the parameter names are a little ambiguous in OpenSSL.

I'm assuming once I'm able to get the DER-encoded certificate in a CMS object, I can use the function you provided and the ones in cms.h to strip off "layers" of the certificate to get the encryptedKeyPackage that I want (which, of course as you mentioned, I'll be able to handle the rest from there). Thank you very much for your response, as it was very helpful, and I hope to get just as useful of a response back!

- Justin

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, July 19, 2017 4:26 AM
To: openssl-users@xxxxxxxxxxx
Subject: Re: Extract content of DER-encoded package by OID

On Tue, Jul 18, 2017, Justin Mogannam wrote:

> Hello,
> I have a signedData package that contains an encryptedKeyPackage
> (specifically OID 2.16.840.1.101.2.1.2.78.2, aka
> id-ct-KP-encryptedKeyPkg) that I want to extract from it. I am
> somewhat able to extract the sequence that contains this data via the
> OpenSSL command line:
>
> $ openssl asn1parse -in <my_pkg.der> -inform DER -strparse <hard-coded offset I computed>
>
> However, I am looking for the OpenSSL calls to do the same thing,
> ideally extract package contents by its OID without having to know the
> offset (such that I can extract the data from any given package by that
> particular OID).
> How would I go about doing this? I've been looking endlessly into
> asn1.h and x509.h, and am able to somewhat parse the entire package
> into a structure, but I could use some guidance as to how to further
> break it down into parts.
> Thank you, and I hope to hear a response back soon.
>

Well if this follows RFC6032 the outer part will be a ContentInfo structure which you can parse using d2i_CMS_ContentInfo.

From there you can use various utility functions to analyse it. For example CMS_get0_eContentType() to get the OID corresponding to the encapsulated content type and CMS_get0_content() which (if I read the spec correctly) should get you the EncryptedKeyPackage structure. After that you'll have to parse it yourself because OpenSSL doesn't support that structure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
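
The OID-based lookup discussed in this thread, as an added example that is not part of the original messages and does not use the OpenSSL API: plain C that walks the DER of a signedData ContentInfo down to encapContentInfo, compares eContentType with the requested OID, and returns the eContent payload without a hard-coded offset. The names `take`, `find_econtent`, `OID_KP` and `SAMPLE` are hypothetical, the sample bytes are constructed, and the code assumes strict DER (definite lengths, single-byte tags).

```c
#include <stddef.h>
#include <string.h>

/* Content octets of OID 2.16.840.1.101.2.1.2.78.2 (id-ct-KP-encryptedKeyPkg). */
static const unsigned char OID_KP[] = {0x60,0x86,0x48,0x01,0x65,0x02,0x01,0x02,0x4E,0x02};
/* Constructed sample: signedData ContentInfo whose eContent is AA BB CC. */
static const unsigned char SAMPLE[] = {
    0x30,0x2B, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,
    0xA0,0x1E, 0x30,0x1C, 0x02,0x01,0x03, 0x31,0x00, 0x30,0x13,
    0x06,0x0A,0x60,0x86,0x48,0x01,0x65,0x02,0x01,0x02,0x4E,0x02,
    0xA0,0x05, 0x04,0x03,0xAA,0xBB,0xCC, 0x31,0x00};

/* Read one definite-length TLV at *p and require tag `want`; value goes to
 * v/l. With enter set, narrow [*p,*end) to the value, else step past it. */
static int take(const unsigned char **p, const unsigned char **end,
                unsigned char want, int enter, const unsigned char **v, size_t *l)
{
    const unsigned char *q = *p;
    size_t n, len = 0;
    if (*end - q < 2 || *q++ != want) return 0;
    if (*q < 0x80) len = *q++;
    else {
        n = *q++ & 0x7F;              /* n == 0: indefinite length, rejected */
        if (n == 0 || n > sizeof len || (size_t)(*end - q) < n) return 0;
        while (n--) len = (len << 8) | *q++;
    }
    if ((size_t)(*end - q) < len) return 0;  /* value must fit in its parent */
    *v = q; *l = len;
    if (enter) *end = q + len;
    *p = enter ? q : q + len;
    return 1;
}

int find_econtent(const unsigned char *der, size_t n, const unsigned char *oid,
                  size_t oidlen, const unsigned char **out, size_t *outlen)
{
    const unsigned char *p = der, *end = der + n, *v;
    size_t l;
    return take(&p, &end, 0x30, 1, &v, &l) &&   /* ContentInfo */
           take(&p, &end, 0x06, 0, &v, &l) &&   /* contentType */
           take(&p, &end, 0xA0, 1, &v, &l) &&   /* [0] EXPLICIT content */
           take(&p, &end, 0x30, 1, &v, &l) &&   /* SignedData */
           take(&p, &end, 0x02, 0, &v, &l) &&   /* version */
           take(&p, &end, 0x31, 0, &v, &l) &&   /* digestAlgorithms */
           take(&p, &end, 0x30, 1, &v, &l) &&   /* encapContentInfo */
           take(&p, &end, 0x06, 0, &v, &l) &&   /* eContentType */
           l == oidlen && memcmp(v, oid, l) == 0 &&
           take(&p, &end, 0xA0, 1, &v, &l) &&   /* [0] EXPLICIT eContent */
           take(&p, &end, 0x04, 0, out, outlen); /* OCTET STRING payload */
}
```

This only locates the payload; it does not verify the SignedData signature, so the returned bytes are untrusted until that check is done separately.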