Me again,

I got the hint (thanks Peter) that I used the wrong CLAs with od.
Sorry for that, it has been a while since I used it the last time.
Anyway, I guess the attachment still is a signature.

Max, could you paste the output of `od -t x1` of your CRMF file?

BR,
Martin



On 4/4/08, Martin Peylo wrote:
> Hi Max,
>
> is the "smime.p7s" file attached to your previous mail supposed to
> contain pure CRMF? If I `od -x` it, I am missing those "30 8X"s I am
> used to see often as they are the start of longer sequences. Is this
> the right (DER) encoding? I also would not expect it to start with
> 0x80 but with 0x30 which would start the outermost sequence. Anyway,
> when I google for p7s, it's rather a "pkcs7-signature" than a
> Certificate Request, so I might misunderstand that.
>
> I am unable to interpret the ASN.1 dump you sent as I only learned to
> read ASN.1 DER in hex while debugging using Wireshark. Could you
> please send it as hexdump, so I can compare it with my validated CRMF
> traces. If you'd like, I can also send you some CMP (including CRMF)
> traces you can look at with Wireshark, just request them by PM so I
> > don't flood the mailing list with them.
>
>
> Best regards,
> Martin
>
>
>
> On 4/3/08, Massimiliano Pala wrote:
>
> > Hi Martin,
> >
> > thanks for your suggestion. After writing the email, I think that I found
> > the correct way to do it. By using the following:
> >
> > ASN1_ITEM_TEMPLATE(CRMF_REQ) =
> >     ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
> >                           requests, CRMF_CERT_REQ_MESSAGE)
> > ASN1_ITEM_TEMPLATE_END(CRMF_REQ)
> >
> > I still can not load the request issued by NSS browser. Can you load it?
> > Do you know what the format is? I attach it to this email. I definitely
> > do not understand what happens. In detail:
> >
> > 0-The ASN1 dump is as follows:
> >
> > 0:d=0 hl=4 l= 477 cons: SEQUENCE
> > 4:d=1 hl=4 l= 473 cons: SEQUENCE
> > 8:d=2 hl=4 l= 407 cons: SEQUENCE
> > 12:d=3 hl=2 l= 4 prim: INTEGER :4D7A150A
> > 18:d=3 hl=4 l= 355 cons: SEQUENCE
> > 22:d=4 hl=2 l= 1 prim: cont [ 0 ]
> > 25:d=4 hl=2 l= 89 cons: cont [ 5 ]
> > 27:d=5 hl=2 l= 87 cons: SEQUENCE
> >
> > [...]
> >
> > 116:d=4 hl=3 l= 240 cons: cont [ 6 ]
> > 119:d=5 hl=3 l= 168 cons: SEQUENCE
> > 122:d=6 hl=2 l= 7 prim: OBJECT :dsaEncryption
> > 131:d=6 hl=3 l= 156 cons: SEQUENCE
> >
> > [...]
> >
> > 359:d=4 hl=2 l= 16 cons: cont [ 9 ]
> > 361:d=5 hl=2 l= 14 cons: SEQUENCE
> > 363:d=6 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
> > 368:d=6 hl=2 l= 1 prim: BOOLEAN :255
> > 371:d=6 hl=2 l= 4 prim: OCTET STRING
> >
> > [...]
> >
> > 419:d=2 hl=2 l= 60 cons: cont [ 1 ]
> > 421:d=3 hl=2 l= 9 cons: SEQUENCE
> > 423:d=4 hl=2 l= 7 prim: OBJECT :dsaWithSHA1
> > 432:d=3 hl=2 l= 47 prim: BIT STRING
> >
> >
> > 2-There should be an INTEGER (certReqId) and a CertTemplate, but then if
> > this is the case what heck is the prim [0] (which I suppose should be
> > the serial number) empty (at 22)?
> >
> > 3-Then the later [5] (at 25) is, correctly, a Name, I suppose. Is this
> > a valid coding? Am I totally wrong?
> >
> > Instead of parsing the Name as the subject, my program interprets it as
> > issuer (should be tagged as [3]), and I get the following error:
> >
> > 2896:error:0D0780AA:asn1 encoding routines:ASN1_ITEM_EX_D2I:illegal options on item template:tasn_dec.c:192:Type=X509_NAME_INTERNAL
> > 2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:737:Field=issuer, Type=CERT_TEMPLATE
> > 2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=certTemplate, Type=CRMF_CERT_REQUEST
> > 2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=certReq, Type=CRMF_CERT_REQ_MESSAGE
> > 2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:712:
> > 2896:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
> >
> > Any idea here ?
> >
> > Later,
> > Max
> >
> >
> >
> > Martin Peylo wrote:
> >
> > > Hi Massimiliano,
> > >
> > > I don't know if that's the best solution, but it worked for me that way:
> > >
> > > in crmf.h:
> > >
> > > typedef struct crmf_certreqmsg_st
> > > {
> > >     CRMF_CERTREQUEST *certReq;
> > >     CRMF_PROOFOFPOSSESION *popo; /* 0 */
> > >     CRMF_ATTRIBUTETYPEANDVALUE *regInfo; /* 1 */
> > > } CRMF_CERTREQMSG;
> > > DECLARE_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
> > >
> > > DECLARE_STACK_OF(CRMF_CERTREQMSG) /* CertReqMessages */
> > > DECLARE_ASN1_SET_OF(CRMF_CERTREQMSG) /* CertReqMessages */
> > >
> > >
> > > in crmf_asn.c:
> > >
> > > ASN1_SEQUENCE(CRMF_CERTREQMSG) = {
> > >     ASN1_SIMPLE(CRMF_CERTREQMSG, certReq, CRMF_CERTREQUEST),
> > >     ASN1_IMP_OPT(CRMF_CERTREQMSG, popo, CRMF_PROOFOFPOSSESION, 0),
> > >     ASN1_IMP_SEQUENCE_OF_OPT(CRMF_CERTREQMSG, regInfo,
> > >                              CRMF_ATTRIBUTETYPEANDVALUE, 1)
> > > } ASN1_SEQUENCE_END(CRMF_CERTREQMSG)
> > >
> > > IMPLEMENT_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
> > >
> > >
> > > I needed it for CMP. In order to use the "CertReqMessages", I am doing:
> > >
> > > In cmp.h:
> > > typedef struct cmp_pkibody_st
> > > {
> > >     int type;
> > >     union{
> > >         STACK_OF(CRMF_CERTREQMSG) *ir; /* 0 */
> > > ...
> > >
> > > In cmp_asn.c:
> > > ASN1_CHOICE(CMP_PKIBODY) = {
> > >     ASN1_EXP_SEQUENCE_OF(CMP_PKIBODY, value.ir, CRMF_CERTREQMSG, 0),
> > > ...
> > >
> > >
> > > There might be other ways to do it - the OpenSSL ASN.1 documentation
> > > seems to be not complete - but it works fine that way.
> > >
> > > As there are not many things to use CRMF for: what are you
> > > implementing? Do you know my code to use CMP with OpenSSL? You can
> > > obtain the full code including the snippets I pasted above from
> > > .
> > >
> >
> > --
> >
> > Best Regards,
> >
> > Massimiliano Pala
> >
> > --o------------------------------------------------------------------------
> > Massimiliano Pala [OpenCA Project Manager]        pala@cs.dartmouth.edu
> >                                             project.manager@openca.org
> >
> > Dartmouth Computer Science Dept    Home Phone: +1 (603) 397-3883
> > PKI/Trust - Office 063             Work Phone: +1 (603) 646-9179
> > --o------------------------------------------------------------------------
> >
>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
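
An added example, not part of the original thread and not OpenSSL code: a minimal C walker over DER headers that reproduces the offset, `hl=` and `l=` columns of the dump quoted above, rejects length encodings strict DER does not allow, and names context tags by their RFC 4211 CertTemplate field. The sample bytes are reconstructed from the dump's header columns (the single value byte is made up), and `der_header`, `der_walk` and `certtemplate_field` are hypothetical helper names.

```c
#include <stdio.h>   /* printf; also provides size_t */

struct der_hdr { unsigned cls, cons, tag; size_t off, hl, len; };

/* Constructed sample: just the headers at offsets 0..25 of the dump above,
 * rebuilt from its hl=/l= columns; the byte after "80 01" is made up. */
static const unsigned char sample[] = {
    0x30,0x82,0x01,0xDD, 0x30,0x82,0x01,0xD9, 0x30,0x82,0x01,0x97, 0x02,0x04,
    0x4D,0x7A,0x15,0x0A, 0x30,0x82,0x01,0x63, 0x80,0x01,0x02, 0xA5,0x59 };

/* Parse one header; -1 on truncation, high tag, indefinite or non-minimal length. */
int der_header(const unsigned char *p, size_t n, struct der_hdr *h) {
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return -1;
    h->cls = p[0] >> 6; h->cons = (p[0] >> 5) & 1; h->tag = p[0] & 0x1f;
    h->hl = 2; h->len = p[1];
    if (p[1] < 0x80) return 0;                  /* short form */
    size_t k = p[1] & 0x7f;                     /* long form: the "8X" byte */
    if (k == 0 || k > sizeof(size_t) || n < 2 + k || p[2] == 0) return -1;
    for (h->len = 0, h->hl = 2 + k; k; k--) h->len = (h->len << 8) | p[h->hl - k];
    return h->len < 0x80 ? -1 : 0;              /* DER requires the minimal form */
}

/* RFC 4211 CertTemplate field for a context tag, "-" for anything else. */
const char *certtemplate_field(const struct der_hdr *h) {
    static const char *const f[] = { "version", "serialNumber", "signingAlg",
        "issuer", "validity", "subject", "publicKey", "issuerUID",
        "subjectUID", "extensions" };
    return (h->cls == 2 && h->tag < 10) ? f[h->tag] : "-";
}

/* Collect headers depth-first: enter constructed, skip primitive bodies. */
size_t der_walk(const unsigned char *p, size_t n, struct der_hdr *out, size_t max) {
    size_t off = 0, count = 0;
    while (off < n && count < max && !der_header(p + off, n - off, &out[count])) {
        struct der_hdr *h = &out[count++];
        h->off = off;
        if (!h->cons && h->len > n - off - h->hl) break;   /* truncated body */
        off += h->hl + (h->cons ? 0 : h->len);
    }
    return count;
}

int main(void) {
    struct der_hdr h[16];
    size_t n = der_walk(sample, sizeof sample, h, 16);
    for (size_t i = 0; i < n; i++)
        printf("%3zu: hl=%zu l=%4zu %s %s\n", h[i].off, h[i].hl, h[i].len,
               h[i].cons ? "cons" : "prim", certtemplate_field(&h[i]));
    return 0;
}
```

The field names are only meaningful for the direct children of a CertTemplate, which in the dump are the entries at depth 4 (offsets 22, 25, 116 and 359).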