Re: openssl asn1parse -length

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 23/07/2018 16:56, Christian Böhme wrote:

Hello all,

I have been trying to find a way to ascertain that the contents of a file
is a DER-encoded ASN.1 structure such as

$ openssl version
OpenSSL 1.0.2g  1 Mar 2016

$ openssl asn1parse -in ciphertext.der -inform DER -offset 0 -i
     0:d=0  hl=4 l= 978 cons: SEQUENCE
     4:d=1  hl=2 l=   9 prim:  OBJECT            :pkcs7-envelopedData
    15:d=1  hl=4 l= 963 cons:  cont [ 0 ]
    19:d=2  hl=4 l= 959 cons:   SEQUENCE
    23:d=3  hl=2 l=   1 prim:    INTEGER           :03
    26:d=3  hl=3 l= 133 cons:    SET
    29:d=4  hl=3 l= 130 cons:     cont [ 3 ]
    32:d=5  hl=2 l=   1 prim:      INTEGER           :00
    35:d=5  hl=2 l=  27 cons:      cont [ 0 ]
    37:d=6  hl=2 l=   9 prim:       OBJECT            :PBKDF2
    48:d=6  hl=2 l=  14 cons:       SEQUENCE
    50:d=7  hl=2 l=   8 prim:        OCTET STRING      [HEX DUMP]:64C8DCE92BE6CF80
    60:d=7  hl=2 l=   2 prim:        INTEGER           :0800
    64:d=5  hl=2 l=  46 cons:      SEQUENCE
    66:d=6  hl=2 l=  11 prim:       OBJECT            :id-alg-PWRI-KEK
    79:d=6  hl=2 l=  31 cons:       SEQUENCE
    81:d=7  hl=2 l=  11 prim:        OBJECT            :camellia-256-cbc
    94:d=7  hl=2 l=  16 prim:        OCTET STRING      [HEX DUMP]:DC131C842F099909DF465439C1B06038
   112:d=5  hl=2 l=  48 prim:      OCTET STRING      [HEX DUMP]:7BEFFB307D05C8242A040B371EEA3C6F59F082C415057BF5A71F67437B92668CEED9C46B0F57B4E4A077B1651892D9D5
   162:d=3  hl=4 l= 816 cons:    SEQUENCE
   166:d=4  hl=2 l=   9 prim:     OBJECT            :pkcs7-data
   177:d=4  hl=2 l=  31 cons:     SEQUENCE
   179:d=5  hl=2 l=  11 prim:      OBJECT            :camellia-256-cbc
   192:d=5  hl=2 l=  16 prim:      OCTET STRING      [HEX DUMP]:995169EEF15C876E5F1A92DAF6A129D7
   210:d=4  hl=4 l= 768 prim:     cont [ 0 ]

Since the files to test are rather large, I'd be content with being able
to have only the first couple of bytes inspected.  It would appear that the
-length  option allows to do just that.  However, whatever argument specified,
I get this:

$ openssl asn1parse -in ciphertext.der -inform DER -offset 0 -length 4
Error in encoding
140548547200664:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:
$ openssl asn1parse -in ciphertext.der -inform DER -offset 0 -length 16
Error in encoding
140076397213336:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:147:
$ openssl asn1parse -in ciphertext.der -inform DER -offset 0 -length 32
Error in encoding
139879438956184:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:147:
$ openssl asn1parse -in ciphertext.der -inform DER -offset 0 -length 64
Error in encoding
139887577974424:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:147:
$ openssl asn1parse -in ciphertext.der -inform DER -offset 0 -length 128
Error in encoding
140008118994584:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:147:
$ openssl asn1parse -in ciphertext.der -inform DER -offset 0 -length 256
Error in encoding
140518349809304:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:147:
$ openssl asn1parse -in ciphertext.der -inform DER -offset 0 -length 512
Error in encoding
140042967262872:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:147:

etcpp.  The files to test are expected to be at least 512 bytes in size.

What's the expected behaviour of the  -length  option, BTW?


Best option is to download the documents that specify the DER
(or BER) ASN.1 Encoding, which is the X.690 (2015) ITU-T
"recommendation" which was a freely downloadable PDF last time
I checked.

Note: For clarity, DER is basically the BER but using the
simplest byte sequence for everything.  BER can usually be
converted to DER without knowing the data format specification
(such as RFC2315 for EnvelopedData).

From there, you can see that a DER (and BER) file is based on
the following structure, nested and/or repeated as necessary:

  TAG    An encoding of a data type number such as SEQUENCE
           or "OBJECT" (Actually an OID).
  Length Byte length of contents (Variable length length
           encoding, see X.690)
  Actual contents bytes according to TAG and specific data
           type such as pkcs7 or X.509 etc.  Binary encoding
           of each type is in X.690
  Repeat terminator if Length was the (BER only) indefinite
           code used when a program starts output before
           knowing the final length (See X.690)

For example, the one you show below is thus:
0x30 (TAG for SEQUENCE)
Some length value large enough to hold what follows, see X.690
  0x06 (TAG for OBJECT id)
  Any definite encoding of length = 9 bytes(127 possibilities)
  0x2A (The bytes of pkcs7-envelopedData=1.2.840.113549.1.7.3)
  0x86 .840
  0x48
  0x86 .113549
  0xF7
  0x0D
  0x01 .1
  0x07 .7
  0x03 .3
Rest not needed for identification of a pkcs7-envelopedData file.

Note that same length values can be encoded in more than one way
if the file is in BER format, as is often the case with PKCS#7
files.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux