Hi Max,

is the "smime.p7s" file attached to your previous mail supposed to
contain pure CRMF? If I `od -x` it, I am missing those "30 8X"s I am
used to see often as they are the start of longer sequences. Is this
the right (DER) encoding? I also would not expect it to start with
0x80 but with 0x30 which would start the outermost sequence. Anyway,
when I google for p7s, it's rather a "pkcs7-signature" than a
Certificate Request, so I might misunderstand that.

I am unable to interpret the ASN.1 dump you sent as I only learned to
read ASN.1 DER in hex while debugging using Wireshark. Could you
please send it as a hexdump, so I can compare it with my validated CRMF
traces? If you'd like, I can also send you some CMP (including CRMF)
traces you can look at with Wireshark, just request them by PM so I
don't flood the mailing list with them.

Best regards,
Martin



On 4/3/08, Massimiliano Pala wrote:
> Hi Martin,
>
> thanks for your suggestion. After writing the email, I think that I found
> the correct way to do it. By using the following:
>
> ASN1_ITEM_TEMPLATE(CRMF_REQ) =
>     ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
>         requests, CRMF_CERT_REQ_MESSAGE)
> ASN1_ITEM_TEMPLATE_END(CRMF_REQ)
>
> I still can not load the request issued by NSS browser. Can you load it?
> Do you know what the format is? I attach it to this email. I definitely
> do not understand what happens. In detail:
>
> 0-The ASN1 dump is as follows:
>
> 0:d=0 hl=4 l= 477 cons: SEQUENCE
> 4:d=1 hl=4 l= 473 cons: SEQUENCE
> 8:d=2 hl=4 l= 407 cons: SEQUENCE
> 12:d=3 hl=2 l= 4 prim: INTEGER :4D7A150A
> 18:d=3 hl=4 l= 355 cons: SEQUENCE
> 22:d=4 hl=2 l= 1 prim: cont [ 0 ]
> 25:d=4 hl=2 l= 89 cons: cont [ 5 ]
> 27:d=5 hl=2 l= 87 cons: SEQUENCE
>
> [...]
>
> 116:d=4 hl=3 l= 240 cons: cont [ 6 ]
> 119:d=5 hl=3 l= 168 cons: SEQUENCE
> 122:d=6 hl=2 l= 7 prim: OBJECT :dsaEncryption
> 131:d=6 hl=3 l= 156 cons: SEQUENCE
>
> [...]
>
> 359:d=4 hl=2 l= 16 cons: cont [ 9 ]
> 361:d=5 hl=2 l= 14 cons: SEQUENCE
> 363:d=6 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
> 368:d=6 hl=2 l= 1 prim: BOOLEAN :255
> 371:d=6 hl=2 l= 4 prim: OCTET STRING
>
> [...]
>
> 419:d=2 hl=2 l= 60 cons: cont [ 1 ]
> 421:d=3 hl=2 l= 9 cons: SEQUENCE
> 423:d=4 hl=2 l= 7 prim: OBJECT :dsaWithSHA1
> 432:d=3 hl=2 l= 47 prim: BIT STRING
>
>
> 2-There should be an INTEGER (certReqId) and a CertTemplate, but then if
> this is the case what the heck is the prim [0] (which I suppose should be
> the serial number) empty (at 22)?
>
> 3-Then the later [5] (at 25) is, correctly, a Name, I suppose. Is this
> a valid coding? Am I totally wrong?
>
> Instead of parsing the Name as the subject, my program interprets it as
> issuer (should be tagged as [3]), and I get the following error:
>
> 2896:error:0D0780AA:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:illegal options on item
> template:tasn_dec.c:192:Type=X509_NAME_INTERNAL
> 2896:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> error:tasn_dec.c:737:Field=issuer, Type=CERT_TEMPLATE
> 2896:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> error:tasn_dec.c:751:Field=certTemplate,
> Type=CRMF_CERT_REQUEST
> 2896:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> error:tasn_dec.c:751:Field=certReq,
> Type=CRMF_CERT_REQ_MESSAGE
> 2896:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> error:tasn_dec.c:712:
> 2896:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
>
> Any idea here ?
>
> Later,
> Max
>
>
>
> Martin Peylo wrote:
>
> > Hi Massimiliano,
> >
> > I don't know if that's the best solution, but it worked for me that way:
> >
> > in crmf.h:
> >
> > typedef struct crmf_certreqmsg_st
> > {
> >     CRMF_CERTREQUEST *certReq;
> >     CRMF_PROOFOFPOSSESION *popo; /* 0 */
> >     CRMF_ATTRIBUTETYPEANDVALUE *regInfo; /* 1 */
> > } CRMF_CERTREQMSG;
> > DECLARE_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
> >
> > DECLARE_STACK_OF(CRMF_CERTREQMSG) /* CertReqMessages */
> > DECLARE_ASN1_SET_OF(CRMF_CERTREQMSG) /* CertReqMessages */
> >
> >
> > in crmf_asn.c:
> >
> > ASN1_SEQUENCE(CRMF_CERTREQMSG) = {
> >     ASN1_SIMPLE(CRMF_CERTREQMSG, certReq, CRMF_CERTREQUEST),
> >     ASN1_IMP_OPT(CRMF_CERTREQMSG, popo, CRMF_PROOFOFPOSSESION, 0),
> >     ASN1_IMP_SEQUENCE_OF_OPT(CRMF_CERTREQMSG, regInfo,
> >         CRMF_ATTRIBUTETYPEANDVALUE, 1)
> > } ASN1_SEQUENCE_END(CRMF_CERTREQMSG)
> >
> > IMPLEMENT_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
> >
> >
> > I needed it for CMP. In order to use the "CertReqMessages", I am doing:
> >
> > In cmp.h:
> > typedef struct cmp_pkibody_st
> > {
> >     int type;
> >     union{
> >         STACK_OF(CRMF_CERTREQMSG) *ir; /* 0 */
> > ...
> >
> > In cmp_asn.c:
> > ASN1_CHOICE(CMP_PKIBODY) = {
> >     ASN1_EXP_SEQUENCE_OF(CMP_PKIBODY, value.ir, CRMF_CERTREQMSG, 0),
> > ...
> >
> >
> > There might be other ways to do it - the OpenSSL ASN.1 documentation
> > seems to be not complete - but it works fine that way.
> >
> > As there are not many things to use CRMF for: what are you
> > implementing? Do you know my code to use CMP with OpenSSL? You can
> > obtain the full code including the snippets I pasted above from
> > .
> >

>
>
>
> --
>
> Best Regards,
>
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager] pala@cs.dartmouth.edu
> project.manager@openca.org
>
> Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
> PKI/Trust - Office 063 Work Phone: +1 (603) 646-9179
> --o------------------------------------------------------------------------
>
>
>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
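
Added example, not part of the original mails and not OpenSSL or CMP-for-OpenSSL code: a minimal C reader for the DER identifier and length octets behind Martin's 0x30-versus-0x80 check and the `hl=`/`l=` columns of Max's dump. The header bytes are constructed from the offsets and lengths shown in that dump (the content octets are not on the page); `der_read_header` and `der_is_single_sequence` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct {
    unsigned cls;     /* 0 universal, 1 application, 2 context-specific, 3 private */
    int constructed;  /* "cons" vs "prim" in the asn1parse dump */
    unsigned tag;     /* tag number, low-tag-number form only (0..30) */
    size_t hl, len;   /* header and content length: "hl=" and "l=" in the dump */
} der_hdr;

/* Decode one identifier+length header. Returns 0 on success, -1 on truncated
 * input, high-tag-number form, indefinite length (BER, not DER) or a
 * non-minimal length encoding. */
int der_read_header(const unsigned char *p, size_t avail, der_hdr *h)
{
    size_t n, i;
    if (avail < 2 || (p[0] & 0x1f) == 0x1f) return -1;
    h->cls = p[0] >> 6;
    h->constructed = (p[0] >> 5) & 1;
    h->tag = p[0] & 0x1f;
    if (p[1] < 0x80) { h->hl = 2; h->len = p[1]; return 0; }   /* short form */
    n = p[1] & 0x7f;                      /* long form: n length octets follow */
    if (n == 0 || n > sizeof(size_t) || avail < 2 + n || p[2] == 0) return -1;
    for (h->len = 0, i = 0; i < n; i++) h->len = (h->len << 8) | p[2 + i];
    if (h->len < 0x80) return -1;         /* DER requires the short form here */
    h->hl = 2 + n;
    return 0;
}

/* 1 if a file of file_size bytes that begins with head[] is exactly one
 * outermost universal SEQUENCE (first octet 0x30), else 0. */
int der_is_single_sequence(const unsigned char *head, size_t head_len, size_t file_size)
{
    der_hdr h;
    if (der_read_header(head, head_len, &h) != 0 || file_size < h.hl) return 0;
    return h.cls == 0 && h.constructed && h.tag == 16 && h.len == file_size - h.hl;
}

/* Constructed sample headers, derived from offsets 0, 22, 25 and 116 of the dump. */
const unsigned char HDR_OUTER[]  = { 0x30, 0x82, 0x01, 0xDD }; /* SEQUENCE, l=477 */
const unsigned char HDR_AT_22[]  = { 0x80, 0x01 };             /* prim [0], l=1   */
const unsigned char HDR_AT_25[]  = { 0xA5, 0x59 };             /* cons [5], l=89  */
const unsigned char HDR_AT_116[] = { 0xA6, 0x81, 0xF0 };       /* cons [6], l=240 */

int main(void)
{
    der_hdr h;
    if (der_read_header(HDR_AT_25, sizeof HDR_AT_25, &h) == 0)
        printf("class=%u cons=%d tag=[%u] hl=%zu l=%zu\n", h.cls, h.constructed, h.tag, h.hl, h.len);
    printf("one SEQUENCE: %d\n", der_is_single_sequence(HDR_OUTER, sizeof HDR_OUTER, 481));
    return 0;
}
```

A file whose first octet is 0x80 decodes here as a primitive context-specific [0] element, so `der_is_single_sequence` rejects it.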