Re: ASN1 <-> DER encoding with application tag

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Russ,

 

I have the 126 bytes, but as described I omitted them, because they are in my opinion not helpful

for my problem, and would only clutter the email. I should probably have written some ellipses

to indicate it better.

 

best regards

 

Max Larsson

 

From: Russ Housley <housley@xxxxxxxxxxxx>
Date: Thursday, 4. November 2021 at 17:29
To: Max Larsson <max.larsson@xxxxxxxxxxxxxxxx>
Cc: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: Re: ASN1 <-> DER encoding with application tag

The data is not correct if it supposed to match RFC 2743.

 

The first byte is [APPLICATION 0].  That seems fine.

 

The second byte provides a length for the full SEQUENCE.  It says there are 126 bytes, but you do not have that many.

 

Russ

 

 



On Nov 4, 2021, at 10:18 AM, Max Larsson <max.larsson@xxxxxxxxxxxxxxxx> wrote:

 

Hi Russ,

 

do you mean that the DER data

 

0x60 0x7e 0x06 0x06 0x20x06 0x01 0x05 0x05 0x02 0xa0 0x74

 

is wrong?

 

If so, that DER data have I captured with wireshark from an smb2 session setup request.

and that’s even I try to decode with help of openssl. If the case is that that data is wrongly,

is there a way to get decode with openssl anyway?

 

Max

 

From: Russ Housley <housley@xxxxxxxxxxxx>
Date: Thursday, 4. November 2021 at 15:08
To: Max Larsson <
max.larsson@xxxxxxxxxxxxxxxx>
Cc: 
openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: Re: ASN1 <-> DER encoding with application tag

RFC 2743 shows this structure:

      MechType ::= OBJECT IDENTIFIER
      -- data structure definitions
      -- callers must be able to distinguish among
      -- InitialContextToken, SubsequentContextToken,
      -- PerMsgToken, and SealedMessage data elements
      -- based on the usage in which they occur
 
      InitialContextToken ::=
      -- option indication (delegation, etc.) indicated within
      -- mechanism-specific token
      [APPLICATION 0] IMPLICIT SEQUENCE {
              thisMech MechType,
              innerContextToken ANY DEFINED BY thisMech
                 -- contents mechanism-specific
                 -- ASN.1 structure not required
              }

The encoded data that you provided dies begin with the [APPLICATION 0] tag, then it if followed by by the { 1 3 6 1 5 5 2 } object identifier.

 

Russ




On Nov 4, 2021, at 9:58 AM, Max Larsson <max.larsson@xxxxxxxxxxxxxxxx> wrote:

 

Hi everyone,

 

I’m trying to decode and encode Der structure. In my case that are DER encoded GSSAPI structure.

 

My DER encoded data looks like this (stripped the pending bytes):

 

0x60 0x7e 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0xa0 0x74

 

My ANS1 definition in my source look like this:

 

typedef struct ContextToken_st {

    ASN1_OBJECT *mech;

    ASN1_OCTET_STRING *innerContextToken;

} GSSAPI_CONTEXTTOKEN;

 

DECLARE_ASN1_FUNCTIONS( GSSAPI_CONTEXTTOKEN )

 

ASN1_SEQUENCE( GSSAPI_CONTEXTTOKEN ) = {

    ASN1_SIMPLE( GSSAPI_CONTEXTTOKEN, mech, ASN1_OBJECT ),

    ASN1_SIMPLE( GSSAPI_CONTEXTTOKEN, innerContextToken, ASN1_OCTET_STRING  )

} ASN1_SEQUENCE_END( GSSAPI_CONTEXTTOKEN )  

 

IMPLEMENT_ASN1_FUNCTIONS( GSSAPI_CONTEXTTOKEN )

 

Parsing the above DER data fails, so I decided to encode a own Der structure, to see where the difference is with my setup:

 

    . . .

    negToken = GSSAPI_CONTEXTTOKEN_new();

    if( negToken != NULL ) {

        negToken->mech = OBJ_txt2obj( "1.3.6.1.5.5.2",0 );

        negToken->innerContextToken = ASN1_OCTET_STRING_new();

 

        const unsigned char mechToken[] = "\xa0\x74\x30 // … stripped for readability

 

        const size_t mechTokenSize = sizeof( mechToken ) - 1;

        printf( "Size of inner token: %zu\n",mechTokenSize );

        ASN1_OCTET_STRING_set( negToken->innerContextToken,mechToken,mechTokenSize );

 

        buffer = NULL;

        size_t bufferSize = i2d_GSSAPI_CONTEXTTOKEN( negToken,NULL );

 

        printf( "Required buffer size for DER encoding of ASN1 structure: %zu\n",bufferSize );

 

        unsigned char *buffer = malloc( bufferSize );

        unsigned char *p = buffer;

        i2d_GSSAPI_CONTEXTTOKEN( negToken,&p );

 

        for( int len = 0;len < bufferSize;len++ ) {

            if( ( len % 8 ) == 0 )

                printf( "  " );

            if( ( len % 16 ) == 0 )

                printf( "\n\t\t" );

            printf( " 0x%02x",(short)buffer[ len ] );

        }

        printf( "\n" );

    . . .

 

The code above output the following DER encoded structure (the difference marled in bold):

 

0x30 0x81 0x80 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0x04 0x76 0xa0 0x74

 

The google result, which I found seems to point into the direction to use application tags to encode.

 

But I haven’t found any example or how to how to achieve this with openssl, can anyone give me sone hints?

 

 

Best regards

 

Max Larsson

Mit freundlichen Grüßen
Best regards

Dipl.-Inform. Max Larsson
Geschäftsleitung


phone: +49(0)6151/62908-75
fax: 
email: 
max.larsson@xxxxxxxxxxxxxxxx
web: 
http://facilityboss.biz

facilityboss
Bad Nauheimer Str. 4
64289 Darmstadt
Germany

Sitz der Gesellschaft: Darmstadt
Registergericht: Amtsgericht Darmstadt, HRB 86193
Geschäftsführer: Dipl.-Inform Max Lars Robert Larsson

 


Diese E-Mail enthält unter Umständen vertrauliche und/oder rechtlich geschützte Informationen, die allein für den Adressaten bestimmt sind. Wenn Sie nicht der zutreffende Adressat sind oder diese E-Mail irrtümlich erhalten haben, ist jede Verwendung, Verbreitung, Kopie oder Bezugnahme auf den Inhalt dieser E-Mail verboten. Bitte informieren Sie uns über einen eventuellen Irrtum per Telefon, per Telefax oder E-Mail.

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient, any disclosure, copying, distribution or reference on the contents of this e-mail is strictly prohibited. If you have received this e-mail in error please notify us by e-mail, facsimile or phone call.

 


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux