Re: [openssl-users] CMS questions
On Fri, May 01, 2015, Richard Welty wrote: > > > On 2/24/15 10:10 AM, Dr. Stephen Henson wrote: > > So the embedded content type will be enveloped data? > > > > If so first you can check that type using CMS_get0_eContentType(). > > > > Then you can use CMS_get0_content() to retrieve the embedded content as a > > pointer to an OCTET STRING pointer. You should check that content is > not NULL > > and then retrieve the encoding of the content using ASN1_STRING_data and > > ASN1_STRING_length. > > > > Once you have those you can decode using d2i_CMS_ContentInfo(). > > > ok, i'm not understanding how i supply the private key for decrypting > the enveloped data in this scenario. > You get back a CMS_ContentInfo structure which you can then process using the appropriate CMS functions such as CMS_decrypt(). Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] CMS questions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 [resending from the correct email address; list moderator, if you see this first, just delete the one in the non-member queue] On 2/24/15 10:10 AM, Dr. Stephen Henson wrote: > So the embedded content type will be enveloped data? > > If so first you can check that type using CMS_get0_eContentType(). > > Then you can use CMS_get0_content() to retrieve the embedded content as a > pointer to an OCTET STRING pointer. You should check that content is not NULL > and then retrieve the encoding of the content using ASN1_STRING_data and > ASN1_STRING_length. > > Once you have those you can decode using d2i_CMS_ContentInfo(). > ok, i'm not understanding how i supply the private key for decrypting the enveloped data in this scenario. thanks, richard -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQ33EAAoJEBg+LdNh/YEcvwAP/16TWRrGEPlVTSR9KGdezeSm 4ViStqMGbS2QHAmMHEZhypJMjuMEeeXJARXybH2ymCg8F6ATVRge5z4LGvSQheKu 5XU/sgw6T9rTuMcLuKiUnwqiIeFuz3IgDlBEwNOdS5DHXqWbfnbE6C5q/4d1mp7O IttTQlsmPNE61+jiyffK4UYTG5wnHac58l7OYVrnS08ViIeCYC9vhNV9iFaQqekB 04r9eEs0NKzbfMGaiAVyZqkCJlFvfpH55cgPqHD4xu+yUDb4zAvA0N7tmYiGSPOa nhCr9gwKKCVZvSsbZ45OUNpwrDIqFdKwgonKOfNOl28LeuMMXssrm2PM5yXvuQwR YrP/vSj+4zuWtLg1J+vOciKb3LL+WOeJtMhHu9UDdLkQ2T7uPEdkSUSNn83P6YNu DPFeW807omn3A3VgZhBbzd283/jEMkQOXZmrXOrPZ/vz95lFk4fLsDL6JtuMDryd 0aZila+Fm9NSm5AdMfC2Maf9wK2QFR/lbb7+CVi7nLWzY6nJjcHGrYvXn5NupaNF bZ78+FOgbEJ5poktU+e68Iz1RhEGtSPuc6z8n8CA7F8NdFybsBzy16V16bAoBSdO gLYWaDpWT6t2IRUkdNLwyBaMNuCMnkhl7MDjYIzZgmYWPD04yH46I9esehr99hrg 39ihWLRHKM/CZVspAh4/ =DS0I -END PGP SIGNATURE- ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] CMS questions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 4/30/15 6:32 PM, Richard Welty wrote: > 1) the documentation on d2i_CMS_ContentInfo() is a bit light on > details about the parameters. what should the first parameter be, a > certificate as with d2i_X509? ok, figured this one out for myself, should have read the d2i_X509 documentation more carefully. richard -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQrNNAAoJEBg+LdNh/YEcDggQALFImQPZ/MlvBbOnMvELkFxM eCwZxE+BnwVpMgRnsVaTM0z2r9hY44V1jGZrw+Xfj4YXkaAXs6iIarptdg+IL9dX bNi4haTy4QMF8Uu5mvWCSLcsIO/1obXnH5FE9Ri2QMK6Jysp4vPiC379sBQyGGRm o+gF3cnpYF0+VKQX858KjE8sChJMCHgfdDU3Z79S9iEdeUeZ0ILESLRQcy8OEywp iToW6FRQuaCK36bn+23ApxUUuQIkPGcqoDDvOPSXVuTMjYLSzfFzsTXfu42yY56G Rmxg9TFfPL6WdLJb/BQoBvA6u4HWo7pZdpFUymShhezTlM5jvVAHXeHq6PZjJx8J g7bpPH6mu17ILdJMQqVo3kWhGnQVZMuR12BY6qHaBvOWxJ7lAEYjjlu+pVtgWlp3 vRbWwGfApC36UziRJpmZIYgz1e7hUrB8Mqg78f3SPK1fcWKSYV1IkRnxM7Py+PnT ISXAi6VTRmg1rNc0cnfrhegcTcwUFJVyCTCKWR4i7NlUDSHSThcmMKW5muasjL11 cr4OPfDStI7okM4GpPADL09ZnRK7J+D+UYXZYq37XnokekqAZ1/Bjs5VDKKzlfv0 7lTMxLaZ5jeIwBM4KdTn4ThFVg5Huz1lsI7yP4J2kwkdA9RIcz2jmkhvS/8N5V/F HLbQJyfjWnFX5PlAUL5u =UfG4 -END PGP SIGNATURE- ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] CMS questions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 2/24/15 10:10 AM, Dr. Stephen Henson wrote: > On Tue, Feb 24, 2015, Richard Welty wrote: > >> On 2/24/15 9:21 AM, Dr. Stephen Henson wrote: >>> >>> Typically you'd write the signed content to a memory BIO and then decrypt >>> that. Precisely how you decrypt the enveloped data depends on the format. It >>> might be in MIME format in which case you'd pass it through the MIME parser. >>> Alternatively it could be enveloped data content type in which case you'd >>> decode it as BER form. >>> >>> There are shortcuts you can make if, for example, you know the signed content >>> is not detached and in BER form. >>> >> it will not be detached, and will be in BER form. shortcuts (as long as >> they're >> in a documented API) are welcome as this is in a path that should be fast. >> > > So the embedded content type will be enveloped data? > > If so first you can check that type using CMS_get0_eContentType(). > > Then you can use CMS_get0_content() to retrieve the embedded content as a > pointer to an OCTET STRING pointer. You should check that content is not NULL > and then retrieve the encoding of the content using ASN1_STRING_data and > ASN1_STRING_length. > > Once you have those you can decode using d2i_CMS_ContentInfo(). > > A couple of those functions are currently undocumented (that will be fixed) but > nothing in that involves using structure internals. > coming back to this after a bit of time; the project is finally getting fired up. there are two questions in front of me right now: 1) the documentation on d2i_CMS_ContentInfo() is a bit light on details about the parameters. what should the first parameter be, a certificate as with d2i_X509? 2) is there something roughly analogous for encryption? i need a fast-but-documented path for encrypting and signing data using BER on the server that will be decrypted client (and vice versa). thanks, richard -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQq2BAAoJEBg+LdNh/YEc/xwQAL2QH/aH1LUATeAmGmt2h7tk n4K5ghhrIwCOlrgqXNbSS7qEmrXdRgKPhTZkJVx/Y236hqJt/AqjyB0geCmDIuMi uOXzPXlWInj6jg9kjGq+jEMeG9Czu1i/DfSJjB01N6asEx8YKvNZUVnNqKj8fkBi iit0a5/61B26bd8oGVAFfM6gMJMBZRWqbPSFhjPyB2tMWMOfnZ7N08N66qz29/Xk vKiG1EEj6SRAPTFhzqzLzZphtShWDXeQP6pfrSRJ6AGiTfX2Gvn/7iwUiPUF3sLX 8ULskp3XyWeA/L71vLUNvo49XVdx/7lCj4o8nbCrI+/fgIREPAdI+AzvsxYv8wFH K/pSYZOL5ag+YiMBt9pfPCxhUebjz4KS9InoT4g15x8DuhosiB/6JWOFsKpHENxX 5TO/tRteopWmQ0PBCbrrBG58Gdg0t7OW6tBM0e13cYLTfUc93eOb7lJhuMOzzkqJ i6VF99Cosj8WcjZuh4hASVHe7h9pBOlabl8xHlSocbn91Q68RnwpQ12HoQMhjqze 1Za4yaQagcd8OnBoRc8gXCWUGNfLRYjEXdXaKt1AlFWQHa6h2ZcGwgoMukg+Fu1Z AyY7vaxIPa3wBR1eNhv15hrgwBmoWPzTgoupTbbiP4e5HnmcdWUcjnKvOd+kamQG SHhG4PeipRKHtJ1OzA5Q =vlyk -END PGP SIGNATURE- ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] CMS questions
On Tue, Feb 24, 2015, Richard Welty wrote: > On 2/24/15 9:21 AM, Dr. Stephen Henson wrote: > > > > Typically you'd write the signed content to a memory BIO and then decrypt > > that. Precisely how you decrypt the enveloped data depends on the format. It > > might be in MIME format in which case you'd pass it through the MIME parser. > > Alternatively it could be enveloped data content type in which case you'd > > decode it as BER form. > > > > There are shortcuts you can make if, for example, you know the signed > > content > > is not detached and in BER form. > > > it will not be detached, and will be in BER form. shortcuts (as long as > they're > in a documented API) are welcome as this is in a path that should be fast. > So the embedded content type will be enveloped data? If so first you can check that type using CMS_get0_eContentType(). Then you can use CMS_get0_content() to retrieve the embedded content as a pointer to an OCTET STRING pointer. You should check that content is not NULL and then retrieve the encoding of the content using ASN1_STRING_data and ASN1_STRING_length. Once you have those you can decode using d2i_CMS_ContentInfo(). A couple of those functions are currently undocumented (that will be fixed) but nothing in that involves using structure internals. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] CMS questions
On 2/24/15 9:21 AM, Dr. Stephen Henson wrote: > > Typically you'd write the signed content to a memory BIO and then decrypt > that. Precisely how you decrypt the enveloped data depends on the format. It > might be in MIME format in which case you'd pass it through the MIME parser. > Alternatively it could be enveloped data content type in which case you'd > decode it as BER form. > > There are shortcuts you can make if, for example, you know the signed content > is not detached and in BER form. > it will not be detached, and will be in BER form. shortcuts (as long as they're in a documented API) are welcome as this is in a path that should be fast. thanks, richard -- rwe...@averillpark.net Averill Park Networking - GIS & IT Consulting OpenStreetMap - PostgreSQL - Linux Java - Web Applications - Search signature.asc Description: OpenPGP digital signature ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] CMS questions
On Mon, Feb 23, 2015, Richard Welty wrote: > i'm starting on some work that needs to use CMS in an > application, and i'm having trouble getting my head > wrapped around how to handle the case of verifying > a signature and then decrypting the enveloped data > that has been signed. specifically, i'm not grasping > how to extract the encrypted data to pass to CMS_decrypt > after verification is done. do i need to use a BIO > filter for this or is there some other mechanism i'm not > seeing? > Typically you'd write the signed content to a memory BIO and then decrypt that. Precisely how you decrypt the enveloped data depends on the format. It might be in MIME format in which case you'd pass it through the MIME parser. Alternatively it could be enveloped data content type in which case you'd decode it as BER form. There are shortcuts you can make if, for example, you know the signed content is not detached and in BER form. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users