Hi Max,

is the "smime.p7s" file attached to your previous mail supposed to
contain pure CRMF? If I `od -x` it, I am missing those "30 8X"s I am
used to see often as they are the start of longer sequences. Is this
the right (DER) encoding? I also would not expect it to start with
0x80 but with 0x30 which would start the outermost sequence. Anyway,
when I google for p7s, it's rather a "pkcs7-signature" than a
Certificate Request, so I might misunderstand that.

I am unable to interpret the ASN.1 dump you sent as I only learned to
read ASN.1 DER in hex while debugging using Wireshark. Could you
please send it as a hexdump, so I can compare it with my validated CRMF
traces? If you'd like, I can also send you some CMP (including CRMF)
traces you can look at with Wireshark; just request them by PM so I
don't flood the mailing list with them.

Best regards,
Martin



On 4/3/08, Massimiliano Pala <[EMAIL PROTECTED]> wrote:
> Hi Martin,
>
>  thanks for your suggestion :) After writing the email, I think that I found
>  the correct way to do it. By using the following:
>
>    ASN1_ITEM_TEMPLATE(CRMF_REQ) =
>         ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, requests, CRMF_CERT_REQ_MESSAGE)
>    ASN1_ITEM_TEMPLATE_END(CRMF_REQ)
>
>  I still cannot load the request issued by the NSS browser. Can you load it?
>  Do you know what the format is? I attach it to this email. I definitely do
>  not understand what happens. In detail:
>
>  0-The ASN1 dump is as follows:
>
>     0:d=0  hl=4 l= 477 cons: SEQUENCE
>     4:d=1  hl=4 l= 473 cons: SEQUENCE
>     8:d=2  hl=4 l= 407 cons: SEQUENCE
>    12:d=3  hl=2 l=   4 prim: INTEGER           :4D7A150A
>    18:d=3  hl=4 l= 355 cons: SEQUENCE
>    22:d=4  hl=2 l=   1 prim: cont [ 0 ]
>    25:d=4  hl=2 l=  89 cons: cont [ 5 ]
>    27:d=5  hl=2 l=  87 cons: SEQUENCE
>
>              [...]
>
>   116:d=4  hl=3 l= 240 cons: cont [ 6 ]
>   119:d=5  hl=3 l= 168 cons: SEQUENCE
>   122:d=6  hl=2 l=   7 prim: OBJECT            :dsaEncryption
>   131:d=6  hl=3 l= 156 cons: SEQUENCE
>
>              [...]
>
>   359:d=4  hl=2 l=  16 cons: cont [ 9 ]
>   361:d=5  hl=2 l=  14 cons: SEQUENCE
>   363:d=6  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
>   368:d=6  hl=2 l=   1 prim: BOOLEAN           :255
>   371:d=6  hl=2 l=   4 prim: OCTET STRING
>
>              [...]
>
>   419:d=2  hl=2 l=  60 cons: cont [ 1 ]
>   421:d=3  hl=2 l=   9 cons: SEQUENCE
>   423:d=4  hl=2 l=   7 prim: OBJECT            :dsaWithSHA1
>   432:d=3  hl=2 l=  47 prim: BIT STRING
>
>
>  2-There should be an INTEGER (certReqId) and a CertTemplate, but then if
>   this is the case, why the heck is the prim [0] (which I suppose should be
>   the serial number) empty (at 22)?
>
>  3-Then the later [5] (at 25) is, correctly, a Name, I suppose. Is this
>   a valid coding? Am I totally wrong?
>
>   Instead of parsing the Name as the subject, my program interprets it as
>   issuer (should be tagged as [3]), and I get the following error:
>
>  2896:error:0D0780AA:asn1 encoding routines:ASN1_ITEM_EX_D2I:illegal options on item template:tasn_dec.c:192:Type=X509_NAME_INTERNAL
>  2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:737:Field=issuer, Type=CERT_TEMPLATE
>  2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=certTemplate, Type=CRMF_CERT_REQUEST
>  2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=certReq, Type=CRMF_CERT_REQ_MESSAGE
>  2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:712:
>  2896:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
>
>    Any idea here ?
>
>  Later,
>  Max
>
>
>
>  Martin Peylo wrote:
>
> > Hi Massimiliano,
> >
> > I don't know if that's the best solution, but it worked for me that way:
> >
> > in crmf.h:
> >
> > typedef struct crmf_certreqmsg_st
> > {
> >         CRMF_CERTREQUEST           *certReq;
> >         CRMF_PROOFOFPOSSESION      *popo;    /* 0 */
> >         CRMF_ATTRIBUTETYPEANDVALUE *regInfo; /* 1 */
> > } CRMF_CERTREQMSG;
> > DECLARE_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
> >
> > DECLARE_STACK_OF(CRMF_CERTREQMSG) /* CertReqMessages */
> > DECLARE_ASN1_SET_OF(CRMF_CERTREQMSG) /* CertReqMessages */
> >
> >
> > in crmf_asn.c:
> >
> > ASN1_SEQUENCE(CRMF_CERTREQMSG) = {
> >         ASN1_SIMPLE(CRMF_CERTREQMSG, certReq, CRMF_CERTREQUEST),
> >         ASN1_IMP_OPT(CRMF_CERTREQMSG, popo, CRMF_PROOFOFPOSSESION, 0),
> >         ASN1_IMP_SEQUENCE_OF_OPT(CRMF_CERTREQMSG, regInfo, CRMF_ATTRIBUTETYPEANDVALUE, 1)
> > } ASN1_SEQUENCE_END(CRMF_CERTREQMSG)
> >
> > IMPLEMENT_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
> >
> >
> > I needed it for CMP. In order to use the "CertReqMessages", I am doing:
> >
> > In cmp.h:
> > typedef struct cmp_pkibody_st
> > {
> >         int type;
> >         union{
> >                 STACK_OF(CRMF_CERTREQMSG)   *ir;   /* 0 */
> > ...
> >
> > In cmp_asn.c:
> > ASN1_CHOICE(CMP_PKIBODY) = {
> >         ASN1_EXP_SEQUENCE_OF(CMP_PKIBODY, value.ir, CRMF_CERTREQMSG, 0),
> > ...
> >
> >
> > There might be other ways to do it - the OpenSSL ASN.1 documentation
> > seems to be not complete - but it works fine that way.
> >
> > As there are not many things to use CRMF for: what are you
> > implementing? Do you know my code to use CMP with OpenSSL? You can
> > obtain the full code including the snippets I pasted above from
> > <http://www.izac.de/cmp>.
> >
>
>
>
>  --
>
>  Best Regards,
>
>         Massimiliano Pala
>
> --o------------------------------------------------------------------------
>  Massimiliano Pala [OpenCA Project Manager]            [EMAIL PROTECTED]
>                                                  [EMAIL PROTECTED]
>
>  Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
>  PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
> --o------------------------------------------------------------------------
>
>
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
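
The first-byte check described at the top of this message (a DER blob should open with 0x30, and longer sequences with "30 8X"), as an added example that is not part of the original thread or of OpenSSL. The names `tlv_hdr`, `der_read_hdr` and `looks_like_der_sequence` are hypothetical, and the sample bytes are constructed from the `hl=`/`l=` columns of the quoted dump, not taken from the attachment.

```c
#include <stddef.h>
#include <stdio.h>

/* Decoded identifier and length octets of one DER TLV (helper type for this example). */
struct tlv_hdr {
    unsigned cls;     /* 0 universal, 1 application, 2 context-specific, 3 private */
    int constructed;  /* 1 = "cons", 0 = "prim" in the asn1parse dump */
    unsigned tag;     /* tag number, low-tag form only */
    size_t hl, len;   /* header length and content length ("hl=" / "l=") */
};

/* Parse one DER header. Returns 0 on success, -1 if truncated or not valid DER. */
int der_read_hdr(const unsigned char *p, size_t n, struct tlv_hdr *h)
{
    if (n < 2) return -1;
    h->cls = p[0] >> 6;
    h->constructed = (p[0] >> 5) & 1;
    h->tag = p[0] & 0x1f;
    if (h->tag == 0x1f) return -1;              /* high-tag form: not handled here */
    if (p[1] < 0x80) { h->hl = 2; h->len = p[1]; return 0; }   /* short form */
    size_t k = p[1] & 0x7f;                     /* long form: k length octets follow */
    if (k == 0 || k > sizeof(size_t) || n < 2 + k) return -1;  /* 0x80 = indefinite (BER only) */
    if (p[2] == 0) return -1;                   /* DER forbids leading zero length octets */
    h->len = 0;
    for (size_t i = 0; i < k; i++) h->len = (h->len << 8) | p[2 + i];
    if (h->len < 0x80) return -1;               /* DER requires short form below 128 */
    h->hl = 2 + k;
    return 0;
}

/* 1 if the buffer is exactly one universal, constructed SEQUENCE (first byte 0x30). */
int looks_like_der_sequence(const unsigned char *p, size_t n)
{
    struct tlv_hdr h;
    if (der_read_hdr(p, n, &h) != 0) return 0;
    return h.cls == 0 && h.constructed && h.tag == 16 && h.len == n - h.hl;
}

/* Constructed samples: header bytes rebuilt from the dump's offsets 0 and 4
 * (l=477, l=473); the remaining content is zero filler, not real CRMF. */
unsigned char sample_outer[481] = { 0x30, 0x82, 0x01, 0xdd, 0x30, 0x82, 0x01, 0xd9 };
/* A primitive [0] of length 1, the shape the dump shows at offset 22. */
unsigned char sample_ctx0[3] = { 0x80, 0x01, 0x00 };

int main(void)
{
    struct tlv_hdr h;
    if (der_read_hdr(sample_outer, sizeof sample_outer, &h) == 0)
        printf("outer: hl=%zu l=%zu sequence=%d\n", h.hl, h.len,
               looks_like_der_sequence(sample_outer, sizeof sample_outer));
    printf("0x80 first: sequence=%d\n", looks_like_der_sequence(sample_ctx0, sizeof sample_ctx0));
    return 0;
}
```

A leading 0x80 decodes as a primitive context-specific [0], so a file that starts with it is not a bare DER SEQUENCE, whatever it contains further in.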
