RE: How to deal with new OIDs

2011-09-08 Thread Steffen DETTMER
Hi all,
Hi Dominik,

> in a project I maintain I have to deal with OIDs not
> contained within OpenSSL. In particular, I use OpenSSL to
> parse ASN1 encoded data containing OIDs (using the Macros
> from asn1t.h) and do switch-case statements on the resulting
> NIDs. Until now I used to patch OpenSSL (adding the OIDs to
> objects.txt and running the objects.pl script to generate the
> NIDs) to contain my OIDs but this approach is far from ideal.

Do you need to work with OIDs and other DER for ASN.1 encoded
data and are you using a specific part of OpenSSL as DER
encoder/decoder? In this case you might take a look at

http://lionet.info/asn1c/compiler.html

It is free (BSD), has existed for many years and there is a
lot of documentation and examples, one of which deals with X.509.

Just in case it helps.

oki,

Steffen

From the webpage:

The asn1c is a free, open source compiler of ASN.1 specifications into C
source code. It supports a range of ASN.1 syntaxes, including
ISO/IEC/ITU ASN.1 1988, '94, '97, 2002 and later amendments. The
supported sets of encoding rules are

* BER: ITU-T Rec. X.690 | ISO/IEC 8825-1 (2002) (BER/DER/CER)
* PER: X.691|8825-2 (2002) (PER).
* XER: X.693|8825-3 (2001) (BASIC-XER/CXER). 

The compiler was written specifically to address security concerns while
providing streaming decoding capabilities.



__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: How to deal with new OIDs

2011-09-08 Thread Peter Sylvester

> On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
> > On Wed, Sep 07, 2011, Dominik Oepen wrote:

Are these OIDs by chance the ones described in ticket 1794?


Re: How to deal with new OIDs

2011-09-08 Thread Dominik Oepen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 08.09.2011 11:49, Peter Sylvester wrote:
> On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
> > On Wed, Sep 07, 2011, Dominik Oepen wrote:
>
> Are these OIDs by chance the ones described in ticket 1794?

Thanks for the hint, but I'm not using the SRP OIDs. I need two
families of OIDs for my project: The OIDs for the elliptic curves
defined in RFC 5639 and the OIDs used for the new german identity card,
defined in the technical guidelines of the Federal Office for
Information Security (BSI).

I once submitted a patch for the RFC 5639 curves
(http://rt.openssl.org/Ticket/Display.html?id=2239&user=guest&pass=guest) but
there seemed to be no interest in it, even though a similar patch was
subsequently submitted by somebody else
(http://old.nabble.com/-openssl.org--2359---PATCH--td29927422.html).

If there is any interest I can supply a patch for the BSI OIDs. They
might also be of interest to people outside of Germany, since they have
been incorporated by the ICAO in a technical guideline
(http://www2.icao.int/en/MRTD/Downloads/Technical%20Reports/Technical%20Report.pdf).

Best regards,
Dominik
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5o0bEACgkQ8RP9uQqpDVTEDwCdFng351tAtDSc6HkxO41II/rb
3vsAoK9L0B+r6ZQsrnzL4+qec02CvcOK
=MQTC
-END PGP SIGNATURE-


Re: How to deal with new OIDs

2011-09-08 Thread Dominik Oepen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Steffen,

On 08.09.2011 11:16, Steffen DETTMER wrote:
> Hi all,
> Hi Dominik,
>
> > in a project I maintain I have to deal with OIDs not
> > contained within OpenSSL. In particular, I use OpenSSL to
> > parse ASN1 encoded data containing OIDs (using the Macros
> > from asn1t.h) and do switch-case statements on the resulting
> > NIDs. Until now I used to patch OpenSSL (adding the OIDs to
> > objects.txt and running the objects.pl script to generate the
> > NIDs) to contain my OIDs but this approach is far from ideal.
>
> Do you need to work with OIDs and other DER for ASN.1 encoded
> data and are you using a specific part of OpenSSL as DER
> encoder/decoder?

That's exactly what I'm doing.

> In this case you might take a look at
>
> http://lionet.info/asn1c/compiler.html
>
> It is free (BSD), has existed for many years and there is a
> lot of documentation and examples, one of which deals with X.509.
>
> Just in case it helps.

Thanks for the tip.

The code is already written (and working) using OpenSSL's ASN1 macros. I
just want to stop patching OpenSSL in order to deal with OIDs not
contained within OpenSSL. Using a new tool would probably mean that I
will have to rewrite quite a lot of code. That's why I will try Steve's
suggestions first. If I fail I'll have a look at the ASN1 compiler you
suggested.

Again, thanks for the help,
Dominik
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5o0/wACgkQ8RP9uQqpDVTe4ACfVb/yHExWm5tfVV+UXJMCefES
+YkAn0VjUJesMHmUbUc2jG5f5FX8kC6A
=drw6
-END PGP SIGNATURE-


Re: How to deal with new OIDs

2011-09-08 Thread Peter Sylvester

On 09/08/2011 04:31 PM, Dominik Oepen wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 08.09.2011 11:49, Peter Sylvester wrote:
> > On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
> > > On Wed, Sep 07, 2011, Dominik Oepen wrote:
> >
> > Are these OIDs by chance the ones described in ticket 1794?

Actually I meant 2239.


Re: How to deal with new OIDs

2011-09-08 Thread Dominik Oepen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 08.09.2011 16:41, Peter Sylvester wrote:
> On 09/08/2011 04:31 PM, Dominik Oepen wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > On 08.09.2011 11:49, Peter Sylvester wrote:
> > > On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
> > > > On Wed, Sep 07, 2011, Dominik Oepen wrote:
> > >
> > > Are these OIDs by chance the ones described in ticket 1794?
>
> Actually I meant 2239.

Yup, this is the RFC 5639 patch I was mentioning.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5o2d4ACgkQ8RP9uQqpDVTGfgCfa9y2/CCwqGt+uzuGHQO/sBDk
+lcAoIDW5tobv+fi9mYmjQKqVoVbTxWz
=yB89
-END PGP SIGNATURE-


Re: How to deal with new OIDs

2011-09-07 Thread Dr. Stephen Henson
On Wed, Sep 07, 2011, Dominik Oepen wrote:

> Hi all,
>
> in a project I maintain I have to deal with OIDs not contained within
> OpenSSL. In particular, I use OpenSSL to parse ASN1 encoded data
> containing OIDs (using the Macros from asn1t.h) and do switch-case
> statements on the resulting NIDs. Until now I used to patch OpenSSL
> (adding the OIDs to objects.txt and running the objects.pl script to
> generate the NIDs) to contain my OIDs but this approach is far from ideal.
>
> I know that I can add new OIDs to OpenSSL internals table using the
> OBJ_create function. So I could add all my OIDs in a library
> initialization function and save the resulting NIDs in some global
> data structure. But, as the man page already mentions, I can't use
> these NIDs for switch-case statements and probably also not for the
> ASN1 macros.
>
> So I would like to ask if there are any best practices on how to deal
> with this kind of problem. I'm pretty sure that other people must have
> already encountered this problem, but I couldn't find any code or
> documentation on how to deal with it.
>

That is problematical because if you change objects.txt you end up creating
new NIDs which are pretty much guaranteed to be incompatible with future
versions of OpenSSL that add new OIDs.

The best you can do is to check if the OID exists using for example
OBJ_txt2nid() and if not create it using OBJ_create().

Using dynamically created NIDs for anything defined by structure isn't currently
possible using the macros. I can see two options, both a bit messy.

One is to manually encode the relevant field by using the catch-all ASN1_TYPE
structure.

Another is to create the structures needed by the macros, i.e. an
ASN1_ADB_TABLE_st, but which is *not* const so you can write the relevant values
dynamically at runtime. Looking through the macros that should only require that
you redefine the ASN1_ADB macro.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
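Steve's check-then-create advice (look the OID up first, create it only if the lookup fails) and his point that NIDs obtained that way cannot be switch cases, shown as an added example that is neither from this thread nor from OpenSSL. To stay self-contained it does not link against OpenSSL: it models the object table with a constructed toy whose names (`oid_txt2der`, `obj_txt2nid`, `obj_create`, `obj_ensure`, `describe_oid`, `BP256_DER`) are all hypothetical, including the X.690 encoding of the OID arcs that the real table stores, and it dispatches on run-time NIDs with an if-chain. The two OIDs used are id-ecPublicKey (1.2.840.10045.2.1) and the RFC 5639 curve brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7); the byte array at the end is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy of OpenSSL's object table (not OpenSSL code). NIDs are small integers
 * handed out in registration order, which is why a run-time NID can never be a `case` label. */
#define NID_UNDEF 0
#define MAX_OBJS  32
#define MAX_DER   32
struct obj { int nid; unsigned char der[MAX_DER]; size_t der_len; };
static struct obj table[MAX_OBJS];
static int num_objs;

/* Dotted OID text -> DER content octets (X.690 8.19, no tag/length); 0 on malformed input. */
size_t oid_txt2der(const char *txt, unsigned char *out, size_t cap)
{
    unsigned long arcs[MAX_DER]; int n = 0; const char *p = txt;
    while (*p) {
        char *end;
        if (*p < '0' || *p > '9' || n >= MAX_DER) return 0;   /* reject sign, space, too many arcs */
        arcs[n++] = strtoul(p, &end, 10);
        if (*end == '.' && end[1] != '\0') p = end + 1;
        else if (*end == '\0')             p = end;
        else                               return 0;          /* stray char or trailing dot */
    }
    /* The first two arcs pack into one subidentifier 40*X+Y; Y <= 39 unless X == 2. */
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    arcs[1] += arcs[0] * 40;
    size_t len = 0;
    for (int i = 1; i < n; i++) {
        unsigned char tmp[10]; int k = 0; unsigned long v = arcs[i];
        do { tmp[k++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v); /* 7-bit groups */
        while (k--) {                                         /* most significant group first */
            if (len >= cap) return 0;
            out[len++] = tmp[k] | (k ? 0x80 : 0x00);          /* continuation bit except on last */
        }
    }
    return len;
}
int oid_txt_valid(const char *t) { unsigned char b[MAX_DER]; return oid_txt2der(t, b, sizeof b) != 0; }

/* Does txt encode to exactly these content octets? */
int oid_txt_encodes_to(const char *txt, const unsigned char *expect, size_t n)
{
    unsigned char buf[MAX_DER];
    size_t len = oid_txt2der(txt, buf, sizeof buf);
    return len != 0 && len == n && memcmp(buf, expect, n) == 0;
}

/* NID for DER content octets, NID_UNDEF if nothing registered matches. */
int obj_der2nid(const unsigned char *der, size_t len)
{
    for (int i = 0; i < num_objs; i++)
        if (table[i].der_len == len && memcmp(table[i].der, der, len) == 0)
            return table[i].nid;
    return NID_UNDEF;
}
/* Analogue of OBJ_txt2nid(). */
int obj_txt2nid(const char *txt)
{
    unsigned char der[MAX_DER];
    size_t len = oid_txt2der(txt, der, sizeof der);
    return len ? obj_der2nid(der, len) : NID_UNDEF;
}
/* Analogue of OBJ_create(): register and return a fresh NID, or NID_UNDEF on failure. */
int obj_create(const char *txt)
{
    if (num_objs >= MAX_OBJS) return NID_UNDEF;
    struct obj *o = &table[num_objs];
    o->der_len = oid_txt2der(txt, o->der, sizeof o->der);
    return o->der_len ? (o->nid = ++num_objs) : NID_UNDEF;    /* NIDs are 1-based */
}
/* Check-then-create as recommended in the thread: reuse a known NID, else register once. */
int obj_ensure(const char *txt)
{
    int nid = obj_txt2nid(txt);
    return nid != NID_UNDEF ? nid : obj_create(txt);
}
int obj_count(void) { return num_objs; }

/* NIDs learned at start-up live in variables, so dispatch must be an if-chain, not a switch. */
static int nid_ecPublicKey, nid_brainpoolP256r1;
void init_objects(void)
{
    nid_ecPublicKey     = obj_ensure("1.2.840.10045.2.1");    /* id-ecPublicKey */
    nid_brainpoolP256r1 = obj_ensure("1.3.36.3.3.2.8.1.1.7"); /* brainpoolP256r1, RFC 5639 */
}
const char *describe_oid(const unsigned char *der, size_t len)
{
    int nid = obj_der2nid(der, len);
    if (nid == NID_UNDEF)           return "unregistered";
    if (nid == nid_ecPublicKey)     return "id-ecPublicKey";
    if (nid == nid_brainpoolP256r1) return "brainpoolP256r1";
    return "registered, unhandled";
}

/* Constructed sample: content octets of brainpoolP256r1 as found in an EC parameters field. */
const unsigned char BP256_DER[] = { 0x2b, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07 };

int main(void) { init_objects(); puts(describe_oid(BP256_DER, sizeof BP256_DER)); return 0; }
```

Against the real library the same shape is `nid = OBJ_txt2nid(oid); if (nid == NID_undef) nid = OBJ_create(oid, sn, ln);`, run once at initialisation and the result kept in a variable. Because the number that comes back depends on what the linked OpenSSL already knows and on registration order, it is only stable for the lifetime of the process, which is the reason it cannot be baked into a `case` label or into a `const` ASN1 template.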