[PATCH] ASN.1 declaration error in pk7_asn1.c - Openssl


Thread: [PATCH] ASN.1 declaration error in pk7_asn1.c

  1. [PATCH] ASN.1 declaration error in pk7_asn1.c

    I think I've spotted a problem generating PKCS#7 DER-encoded output
    using OpenSSL 0.9.8e

    crypto/pkcs7/pk7_asn1.c has an ASN.1 definition for PKCS7_SIGNED as:

    > ASN1_NDEF_SEQUENCE(PKCS7_SIGNED) = {
    > ASN1_SIMPLE(PKCS7_SIGNED, version, ASN1_INTEGER),
    > ASN1_SET_OF(PKCS7_SIGNED, md_algs, X509_ALGOR),
    > ASN1_SIMPLE(PKCS7_SIGNED, contents, PKCS7),
    > --> ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
    > ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, crl, X509_CRL, 1),
    > ASN1_SET_OF(PKCS7_SIGNED, signer_info, PKCS7_SIGNER_INFO)
    > } ASN1_NDEF_SEQUENCE_END(PKCS7_SIGNED)


    RFC 2315 defines the associated ASN.1 type as
    > SignedData ::= SEQUENCE {
    > version Version,
    > digestAlgorithms DigestAlgorithmIdentifiers,
    > contentInfo ContentInfo,
    > --> certificates
    > [0] IMPLICIT ExtendedCertificatesAndCertificates
    > OPTIONAL,
    > crls
    > [1] IMPLICIT CertificateRevocationLists OPTIONAL,
    > signerInfos SignerInfos }

    and defines "ExtendedCertificatesAndCertificates" as
    > ExtendedCertificatesAndCertificates ::=
    > SET OF ExtendedCertificateOrCertificate



    I think this means that the definition in pk7_asn1.c for "cert" is wrong.
    ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
    should be
    ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, cert, X509, 0),

    Without this, if you populate a PKCS7_SIGNED structure with a list of
    certificates, they do not get DER-encoded properly (they are written in
    the order they appear in the STACK_OF(X509), like a SEQUENCE rather than
    sorted lexicographically, like a SET should be.)

    Is the analysis correct?






  2. [openssl.org #1687] [PATCH] ASN.1 declaration error in pk7_asn1.c


    > [Peter.Edwards@vordel.com - Mon Jun 02 10:49:53 2008]:
    >
    > I think I've spotted a problem generating PKCS#7 DER-encoded output
    > using OpenSSL 0.9.8e
    >
    > crypto/pkcs7/pk7_asn1.c has an ASN.1 definition for PKCS7_SIGNED as:
    >
    > > ASN1_NDEF_SEQUENCE(PKCS7_SIGNED) = {
    > > ASN1_SIMPLE(PKCS7_SIGNED, version, ASN1_INTEGER),
    > > ASN1_SET_OF(PKCS7_SIGNED, md_algs, X509_ALGOR),
    > > ASN1_SIMPLE(PKCS7_SIGNED, contents, PKCS7),
    > > --> ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
    > > ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, crl, X509_CRL, 1),
    > > ASN1_SET_OF(PKCS7_SIGNED, signer_info, PKCS7_SIGNER_INFO)
    > > } ASN1_NDEF_SEQUENCE_END(PKCS7_SIGNED)

    >
    > RFC 2315 defines the associated ASN.1 type as
    > > SignedData ::= SEQUENCE {
    > > version Version,
    > > digestAlgorithms DigestAlgorithmIdentifiers,
    > > contentInfo ContentInfo,
    > > --> certificates
    > > [0] IMPLICIT ExtendedCertificatesAndCertificates
    > > OPTIONAL,
    > > crls
    > > [1] IMPLICIT CertificateRevocationLists OPTIONAL,
    > > signerInfos SignerInfos }

    > and defines "ExtendedCertificatesAndCertificates" as
    > > ExtendedCertificatesAndCertificates ::=
    > > SET OF ExtendedCertificateOrCertificate

    >
    >
    > I think this means that the definition in pk7_asn1.c for "cert" is wrong.
    > ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
    > should be
    > ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
    >
    > Without this, if you populate a PKCS7_SIGNED structure with a list of
    > certificates, they do not get DER-encoded properly (they are written in
    > the order they appear in the STACK_OF(X509), like a SEQUENCE rather than
    > sorted lexicographically, like a SET should be.)
    >
    > Is the analysis correct?
    >


    It is, but there is a reason for it...

    The PKCS7_SIGNED structure does not have to be DER and is often BER, for
    example when using the indefinite length constructed forms which OpenSSL
    0.9.9-dev can generate.

    There are also some software packages which rely on the order of the
    certificates: the first certificate is given a special meaning.


    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    Development Mailing List openssl-dev@openssl.org
    Automated List Manager majordomo@openssl.org
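
The ordering question raised in this thread can be checked mechanically. The following is an added example, not code from OpenSSL or from the posters: it walks the content octets of a `[0] IMPLICIT` certificates field and reports whether the elements are in DER SET OF order or in some other (for example stack) order. The function names are hypothetical and the two sample elements are constructed stand-ins, not real certificates.

```c
#include <stdio.h>
#include <string.h>
/* Size (header + body) of the definite-length TLV at p; 0 on error or BER-only forms. */
static size_t tlv_size(const unsigned char *p, size_t avail)
{
    size_t hdr = 2, body, n, i;
    if (avail < 2 || (p[0] & 0x1f) == 0x1f) return 0;   /* single-byte tags only */
    body = p[1];
    if (body >= 0x80) {                                 /* long form: n length octets */
        n = body & 0x7f;
        if (n == 0 || n > sizeof(size_t) || avail < 2 + n) return 0;
        for (body = 0, i = 0; i < n; i++) body = (body << 8) | p[2 + i];
        hdr += n;
    }
    return body <= avail - hdr ? hdr + body : 0;
}

/* X.690 SET OF order: compare encodings as octet strings, shorter one zero-padded. */
static int der_cmp(const unsigned char *a, size_t al, const unsigned char *b, size_t bl)
{
    size_t min = al < bl ? al : bl, i;
    int c = memcmp(a, b, min);
    if (c) return c;
    for (i = min; i < al; i++) if (a[i]) return 1;
    for (i = min; i < bl; i++) if (b[i]) return -1;
    return 0;
}

/* 1: elements ascending (DER SET OF); 0: out of order; -1: parse error. */
int set_of_is_der_sorted(const unsigned char *der, size_t len)
{
    const unsigned char *prev = NULL;
    size_t prev_len = 0, off = 0, n;
    for (; off < len; prev = der + off, prev_len = n, off += n) {
        if ((n = tlv_size(der + off, len - off)) == 0) return -1;
        if (prev && der_cmp(prev, prev_len, der + off, n) > 0) return 0;
    }
    return 1;
}

/* Constructed stand-ins for two certificates (tiny SEQUENCEs, not X.509). */
static const unsigned char stack_order[] = {0x30,3,2,1,5, 0x30,3,2,1,2};
static const unsigned char der_order[]   = {0x30,3,2,1,2, 0x30,3,2,1,5};
int main(void)
{
    printf("stack order: %d\n", set_of_is_der_sorted(stack_order, sizeof stack_order));
    printf("DER order:   %d\n", set_of_is_der_sorted(der_order, sizeof der_order));
    return 0;
}
```

A result of 0 means the field is valid BER but not DER, which matters to a consumer that re-encodes or byte-compares the structure.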

