DSA_verify(...) method FIPS compliant?
Hey all,

I'm currently using FIPS capable OpenSSL 0.9.8r w/FOM 1.2.2 and I noticed that the DSA_verify() method returns 0 in FIPS mode because it fails the DSA_FLAG_NON_FIPS_ALLOW flag check. The documentation for DSA_FLAG_FIPS_METHOD in dsa.h states:

    /* If this flag is set the operations normally disabled in FIPS mode are
     * permitted it is then the applications responsibility to ensure that the
     * usage is compliant. */

I'm a little confused as to what "...applications responsibility to ensure that the usage is compliant." means exactly. Does this mean DSA_verify() is not FIPS compliant? If so, will moving to FOM 1.2.3 help?

Cheers,
-Chang Lee

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence
Thanks Dominik for the tip. Actually, I have been poring over the OpenSSL code, though we're using the 0.9.8 branch, hoping to find a built-in primitive SEQUENCE to use but to no avail. As you say, there are templates for primitives and I looked at how the PKCS7 was composed from those primitives but there are so many levels of indirection that it's time consuming to follow. I guess using C to implement features that object oriented languages such as C++ expose declaratively makes things more complex. I'll keep looking...

-CLee

On Thu, Sep 22, 2011 at 2:41 AM, Dominik Oepen oe...@informatik.hu-berlin.de wrote:

> On 21.09.2011 23:27, Chang Lee wrote:
>> Does anyone know of a way to take an ASN1_OCTET_STRING that contains a DER encoded Sequence and extract the contents of the Sequence as an ASN1_STRING. Essentially, I want to construct an ASN1 object of the Sequence. I guess I could manually parse the Sequence (and deal with the different types of length encoding) but I figure there must be an easier way.
>
> You can use the macros in asn1t.h for parsing DER encoded data. Have a look at the comment starting at line 132 (I'm using OpenSSL 1.0.0e) of this header file. It explains how to declare an ASN1 SEQUENCE. You can find plenty of examples using these macros within the OpenSSL source (for example crypto/pkcs7/p7_asn1.c).
>
> However, I'm not exactly sure whether or not the ASN1 subsystem is meant to be used outside of OpenSSL. I couldn't find a lot of documentation about it and learned how to use it by reading the source. Maybe one of the OpenSSL developers could comment on this.
>
> Best regards,
> Dominik

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence
I'm trying to parse the content of an ASN1_OCTET_STRING, which I know/expect to be a DER encoded SEQUENCE, into an object. I need to do this because I'm trying to verify an Authenticode signature. I need to generate a digest of the contents of the signedData sans the type length bytes. Now generating the object via d2i_PKCS7 results in the p7->d.sign->contents->d.other->value.octet_string containing the contents of the ContentInfo.content [0] which is itself a SEQUENCE (SpcIndirectDataContent). Unfortunately, Authenticode needs the digest of the content of SpcIndirectDataContent. Therein lies the reason why I'm trying to 'peel' off one layer to get at the data.

I was initially hunting for a generic SEQUENCE object that I could parse the data but I couldn't find one. I have attempted to create a SEQUENCE from the template but have yet to get it to work. This is what I've tried:

    ///HEADER FILE:
    typedef struct authenticode_inner_content_st {
        ASN1_OCTET_STRING *pData;
    } AUTHENTICODE_INNER_CONTENT;
    DECLARE_ASN1_FUNCTIONS(AUTHENTICODE_INNER_CONTENT)

    typedef struct authenticode_content_st {
        AUTHENTICODE_INNER_CONTENT *pInnerContent;
    } AUTHENTICODE_CONTENT;
    DECLARE_ASN1_FUNCTIONS(AUTHENTICODE_CONTENT)

    ///CPP FILE:
    ASN1_SEQUENCE(AUTHENTICODE_INNER_CONTENT) = {
        ASN1_SIMPLE(AUTHENTICODE_INNER_CONTENT, pData, ASN1_OCTET_STRING)
    } ASN1_SEQUENCE_END(AUTHENTICODE_INNER_CONTENT)

    ASN1_SEQUENCE(AUTHENTICODE_CONTENT) = {
        ASN1_SIMPLE(AUTHENTICODE_CONTENT, pInnerContent, AUTHENTICODE_INNER_CONTENT)
    } ASN1_SEQUENCE_END(AUTHENTICODE_CONTENT)

    IMPLEMENT_ASN1_FUNCTIONS(AUTHENTICODE_INNER_CONTENT)
    IMPLEMENT_ASN1_FUNCTIONS(AUTHENTICODE_CONTENT)

    ...

    ASN1_OCTET_STRING *content = p7->d.sign->contents->d.other->value.octet_string;
    AUTHENTICODE_CONTENT *pAuthContent = d2i_AUTHENTICODE_CONTENT(NULL, (const unsigned char**)content->data, content->length);

    ...

d2i_AUTHENTICODE_CONTENT(...) errors out.

-Clee

On Thu, Sep 22, 2011 at 10:07 AM, Dr. Stephen Henson st...@openssl.org wrote:

> On Thu, Sep 22, 2011, Chang Lee wrote:
>> Thanks Dominik for the tip. Actually, I have been poring over the OpenSSL code, though we're using the 0.9.8 branch, hoping to find a built-in primitive SEQUENCE to use but to no avail. As you say, there are templates for primitives and I looked at how the PKCS7 was composed from those primitives but there are so many levels of indirection that it's time consuming to follow. I guess using C to implement features that object oriented languages such as C++ expose declaratively makes things more complex. I'll keep looking...
>
> Can you be a bit more specific about what you are trying to do? Do you want to parse a specific ASN1 structure or handle a general case?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence
Thanks for the info. I'll try to get it to work using ASN1_get_object(). Just for my edification, was my approach using the templates and macros not a viable option?

On Thu, Sep 22, 2011 at 12:22 PM, Dr. Stephen Henson st...@openssl.org wrote:

> On Thu, Sep 22, 2011, Chang Lee wrote:
>> I'm trying to parse the content of an ASN1_OCTET_STRING, which I know/expect to be a DER encoded SEQUENCE, into an object. I need to do this because I'm trying to verify an Authenticode signature. I need to generate a digest of the contents of the signedData sans the type length bytes. Now generating the object via d2i_PKCS7 results in the p7->d.sign->contents->d.other->value.octet_string containing the contents of the ContentInfo.content [0] which is itself a SEQUENCE (SpcIndirectDataContent). Unfortunately, Authenticode needs the digest of the content of SpcIndirectDataContent. Therein lies the reason why I'm trying to 'peel' off one layer to get at the data.
>>
>> I was initially hunting for a generic SEQUENCE object that I could parse the data but I couldn't find one. I have attempted to create a SEQUENCE from the template but have yet to get it to work. This is what I've tried:
>
> Ah OK. So you've got the data into an ASN1_OCTET_STRING whose contents are a SEQUENCE and you want the content octets of that SEQUENCE but without the SEQUENCE tag+length octets?
>
> Well there isn't anything which does that directly. You can get the DER buffer using ASN1_STRING_length(os) and ASN1_STRING_data(os). That will give you the SEQUENCE tag at the start and the content included.
>
> If you want to skip over the tag+length octets of that buffer you need to do some lower level stuff. If you use ASN1_get_object() it will tell you the length of the sequence and skip the header. So the updated pointer will be the start of the SEQUENCE contents and the length will be the length of that content.
>
> Steve.

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence
ASN1_get_object() got the job done. Thanks.

On Thu, Sep 22, 2011 at 1:34 PM, Dr. Stephen Henson st...@openssl.org wrote:

> On Thu, Sep 22, 2011, Chang Lee wrote:
>> Thanks for the info. I'll try to get it to work using ASN1_get_object(). Just for my edification, was my approach using the templates and macros not a viable option?
>
> Well it would work but you'd have to parse the whole structure which isn't necessary if you just want to skip the SEQUENCE header. Even then when you outputted the structure you'd get the SEQUENCE header again.
>
> Steve.

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence
Nice tip. I'll look into that.

On Thu, Sep 22, 2011 at 4:19 AM, Frank Morgner frankmorg...@gmx.de wrote:

> On Thursday, September 22 at 08:41AM, Dominik Oepen wrote:
>> On 21.09.2011 23:27, Chang Lee wrote:
>>> Does anyone know of a way to take an ASN1_OCTET_STRING that contains a DER encoded Sequence and extract the contents of the Sequence as an ASN1_STRING. Essentially, I want to construct an ASN1 object of the Sequence. I guess I could manually parse the Sequence (and deal with the different types of length encoding) but I figure there must be an easier way.
>>
>> You can use the macros in asn1t.h for parsing DER encoded data. Have a look at the comment starting at line 132 (I'm using OpenSSL 1.0.0e) of this header file. It explains how to declare an ASN1 SEQUENCE. You can find plenty of examples using these macros within the OpenSSL source (for example crypto/pkcs7/p7_asn1.c).
>
> Another approach would be to strip tag and length from the octet string with ASN1_get_object. Then use ASN1_put_object to wrap the data into a sequence.
>
> Cheers,
> Frank.

Convert ASN1_OCTET_STRING contents to ASN1 Sequence
Does anyone know of a way to take an ASN1_OCTET_STRING that contains a DER encoded Sequence and extract the contents of the Sequence as an ASN1_STRING. Essentially, I want to construct an ASN1 object of the Sequence. I guess I could manually parse the Sequence (and deal with the different types of length encoding) but I figure there must be an easier way.

Thanks,
CLee

PKCS7_verify() implementation incomplete?
Has anyone been able to use PKCS7_verify(...) to verify a SignedData signature with authenticated attributes? I've looked through the code and it seems PKCS7_signatureVerify() checks for the existence of authenticated attributes and calls PKCS7_digest_from_attributes() which, along with the embedded comment /* mdc is the digest ctx that we want, unless there are attributes, * in which case the digest is the signed attributes */, gave the impression that it computed the digest of the attributes. Looking at the code, PKCS7_digest_from_attributes() just returns the MessageDigest attribute. This implementation would be wrong. Is this a bug or have I stayed up too long looking at this code? I'm using 0.9.8r.

-Chang Lee

Re: PKCS7_verify() implementation incomplete?
I appreciate the timely response. So it is as I suspected then. PKCS7_signatureVerify() is not digesting all of the authenticated attribute value SET, only the messagedigest. Will this be scheduled to be fixed?

I believe there is also a bug in the PKCS7_get_octet_string() static function in pk7_doit.c (at least when called from the NID_pkcs7_signed case in PKCS7_dataInit()). The (p7->d.other->type == V_ASN1_OCTET_STRING) causes PKCS7_get_octet_string() to fail when a content value is anything other than an OCTET STRING or PKCS #7 Data. It could be a SEQUENCE, etc... It just needs to be interpreted as an OCTET STRING.

-Chang

On Mon, Aug 15, 2011 at 12:27 PM, Dr. Stephen Henson st...@openssl.org wrote:

> On Mon, Aug 15, 2011, Chang Lee wrote:
>> Has anyone been able to use PKCS7_verify(...) to verify a SignedData signature with authenticated attributes? I've looked through the code and it seems PKCS7_signatureVerify() checks for the existence of authenticated attributes and calls PKCS7_digest_from_attributes() which, along with the embedded comment /* mdc is the digest ctx that we want, unless there are attributes, * in which case the digest is the signed attributes */, gave the impression that it computed the digest of the attributes. Looking at the code, PKCS7_digest_from_attributes() just returns the MessageDigest attribute. This implementation would be wrong. Is this a bug or have I stayed up too long looking at this code? I'm using 0.9.8r.
>
> The way things work (though the PKCS#7 standard isn't very clear in places) is that if you have authenticated attributes the message digest of the content is contained in a message digest attribute. The digital signature of the PKCS#7 structure is on the encoding of those attributes.
>
> Steve.

Re: PKCS7_verify() implementation incomplete?
Ok. Thanks for the clarification. I went over the code again and I now see why it's failing. The calculated messagedigest doesn't match the messagedigest in the signature. It seems OpenSSL peels off only the [0] EXPLICIT tag of ContentInfo.content but leaves the type length field on the inner content.

The PKCS#7 reference states:

    9.3 Message-digesting process

    The message-digesting process computes a message digest on either the content being signed or the content together with the signer's authenticated attributes. In either case, the initial input to the message-digesting process is the value of the content being signed. Specifically, the initial input is the contents octets of the DER encoding of the content field of the ContentInfo value to which the signing process is applied. Only the contents octets of the DER encoding of that field are digested, not the identifier octets or the length octets.

This is a bit vague as it could be interpreted to mean either to skip over the T V of the [0] tag or to skip over the T V of the [0] content.

CMS on the other hand states:

    5.4. Message Digest Calculation Process

    The message digest calculation process computes a message digest on either the content being signed or the content together with the signed attributes. In either case, the initial input to the message digest calculation process is the value of the encapsulated content being signed. Specifically, the initial input is the encapContentInfo eContent OCTET STRING to which the signing process is applied. Only the octets comprising the value of the eContent OCTET STRING are input to the message digest algorithm, not the tag or the length octets.

This is less ambiguous since it states that the T V of the content of the [0] tag should be excluded from the calculation. This method of calculation produces the correct results with my signature which was extracted from a commercial product. I have also manually verified this as well.

Would you agree with my conclusion or am I missing something?

-Chang

On Mon, Aug 15, 2011 at 2:03 PM, Dr. Stephen Henson st...@openssl.org wrote:

> On Mon, Aug 15, 2011, Chang Lee wrote:
>> I appreciate the timely response. So it is as I suspected then. PKCS7_signatureVerify() is not digesting all of the authenticated attribute value SET, only the messagedigest. Will this be scheduled to be fixed?
>
> No it is digesting the whole SET. The function ASN1_item_i2d() generates the encoding of the authenticated attributes and EVP_Verify*() verifies their digital signature.
>
> Steve.

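
Added example, not part of the thread and not OpenSSL code: both the ASN1_get_object() replies and the 9.3 / 5.4 comparison above turn on reaching the contents octets of a DER SEQUENCE without its tag and length octets. This stand-alone C function does that header skip with strict DER length checks; the name der_contents, the single-byte-tag limit and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "A" }. */
static const unsigned char sample[] = {
    0x30, 0x06, 0x02, 0x01, 0x05, 0x04, 0x01, 0x41
};

/* Hypothetical helper (not an OpenSSL function): find the contents octets
 * of one DER TLV with a single-byte tag. Returns 0 on success and -1 on a
 * wrong tag, a non-DER length or a length that overruns the buffer. */
int der_contents(const unsigned char *buf, size_t buflen,
                 unsigned char want_tag,
                 const unsigned char **out, size_t *outlen)
{
    size_t pos = 0, len = 0, n;

    if (buflen < 2 || buf[pos++] != want_tag)
        return -1;
    if (buf[pos] < 0x80) {            /* short form: one length octet */
        len = buf[pos++];
    } else {                          /* long form: 0x80 | count, then count octets */
        n = buf[pos++] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > buflen - pos)
            return -1;                /* indefinite, too wide, or truncated */
        if (buf[pos] == 0)
            return -1;                /* leading zero octet is not minimal */
        while (n--)
            len = (len << 8) | buf[pos++];
        if (len < 0x80)
            return -1;                /* DER requires the short form here */
    }
    if (len > buflen - pos)
        return -1;                    /* contents would run past the buffer */
    *out = buf + pos;
    *outlen = len;
    return 0;
}

int main(void)
{
    const unsigned char *p;
    size_t n;

    if (der_contents(sample, sizeof sample, 0x30, &p, &n) != 0)
        return 1;
    /* p..p+n is what would be fed to the digest; the header octets are skipped. */
    printf("header %zu octets, contents %zu octets\n", (size_t)(p - sample), n);
    return 0;
}
```

The function accepts trailing bytes after the TLV; a caller that expects the OCTET STRING to hold exactly one SEQUENCE can additionally compare the header length plus the returned length against the buffer length.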