[openssl-users] How to turn on certain elements in CMS objects

Stephan Mühlstrasser stm at pdflib.com
Fri Jul 1 14:55:31 UTC 2016


Hi,

this message is related to another question that I sent with the subject 
"Unable to decrypt CMS object encrypted with EC prime256v1 certificate".

Below I have included the full ASN.1 dump of the CMS object generated by 
a third-party application.

The CMS object has two properties that I have so far not been able to 
reproduce when creating CMS objects with OpenSSL:

First, the AlgorithmIdentifier includes the EC curve name:

   40   19:               SEQUENCE {
   42    7:                 OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
   51    8:                 OBJECT IDENTIFIER ansiX9p256r1 (1 2 840 10045 3 1 7)
          :                 }

In CMS objects created with OpenSSL with the same recipient certificate, 
the curve name is always omitted. Is it possible to make OpenSSL emit 
the curve name as well?

Second, the following:

  129   10:           [1] {
  131    8:             OCTET STRING B1 04 4A FD FC 8B 70 6D
          :             }

If I match this correctly to RFC 5652, this is

ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL

inside the KeyAgreeRecipientInfo SEQUENCE (see 
https://tools.ietf.org/html/rfc5652#section-6.2.2).

Can OpenSSL emit this optional element? What is the purpose of the "ukm" 
field?

Thank you
Stephan

Full ASN.1 dump follows:

    0  360: SEQUENCE {
    4    9:   OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
   15  345:   [0] {
   19  341:     SEQUENCE {
   23    1:       INTEGER 2
   26  256:       SET {
   30  253:         [1] {
   33    1:           INTEGER 3
   36   91:           [0] {
   38   89:             [1] {
   40   19:               SEQUENCE {
   42    7:                 OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
   51    8:                 OBJECT IDENTIFIER ansiX9p256r1 (1 2 840 10045 3 1 7)
          :                 }
   61   66:               BIT STRING
          :                 04 0E 81 BC 28 63 C8 5A 1E 09 7D 47 1F D3 24 92
          :                 15 6D 94 8A 8D 88 82 CC 65 1F FD 57 B4 B8 DD 77
          :                 97 AB E7 D0 1D 8E C1 FE F6 CB C4 C5 9D B7 7B DE
          :                 60 0E 84 F2 35 4E 19 42 EB B4 D9 F5 71 58 4F 53
          :                 89
          :               }
          :             }
  129   10:           [1] {
  131    8:             OCTET STRING B1 04 4A FD FC 8B 70 6D
          :             }
  141   21:           SEQUENCE {
  143    6:             OBJECT IDENTIFIER '1 3 132 1 11 1'
  151   11:             SEQUENCE {
  153    9:               OBJECT IDENTIFIER aes128-wrap (2 16 840 1 101 3 4 1 5)
          :               }
          :             }
  164  120:           SEQUENCE {
  166  118:             SEQUENCE {
  168   90:               SEQUENCE {
  170   85:                 SEQUENCE {
  172   11:                   SET {
  174    9:                     SEQUENCE {
  176    3:                       OBJECT IDENTIFIER countryName (2 5 4 6)
  181    2:                       PrintableString 'DE'
          :                       }
          :                     }
  185   15:                   SET {
  187   13:                     SEQUENCE {
  189    3:                       OBJECT IDENTIFIER localityName (2 5 4 7)
  194    6:                       UTF8String 'Munich'
          :                       }
          :                     }
  202   20:                   SET {
  204   18:                     SEQUENCE {
  206    3:                       OBJECT IDENTIFIER organizationName (2 5 4 10)
  211   11:                       UTF8String 'PDFlib GmbH'
          :                       }
          :                     }
  224   31:                   SET {
  226   29:                     SEQUENCE {
  228    3:                       OBJECT IDENTIFIER commonName (2 5 4 3)
  233   22:                       UTF8String 'PDFlib GmbH Demo CA G2'
          :                       }
          :                     }
          :                   }
  257    1:                 INTEGER 5
          :                 }
  260   24:               OCTET STRING
          :                 2E 27 CB 94 64 71 E7 05 96 51 08 34 67 92 34 D7
          :                 12 B1 69 8F 20 E9 F1 11
          :               }
          :             }
          :           }
          :         }
  286   76:       SEQUENCE {
  288    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
  299   29:         SEQUENCE {
  301    9:           OBJECT IDENTIFIER aes128-CBC (2 16 840 1 101 3 4 1 2)
  312   16:           OCTET STRING
          :             88 E4 52 8D 63 2F A9 A5 49 0E 8B FE 7D D0 93 F9
          :           }
  330   32:         [0]
          :           06 E8 97 3B AD 11 F8 49 41 C9 D6 C3 FD B4 22 4A
          :           89 DF AB 86 95 A7 D1 E0 C8 BF E5 8F 4D 79 7D D3
          :         }
          :       }
          :     }
          :   }
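As an added check (not part of Stephan's post and not OpenSSL code), the Python below walks a DER-encoded KeyAgreeRecipientInfo and reports the two elements the post asks about: whether the originator's AlgorithmIdentifier carries a named-curve OID, and whether the optional ukm is present. The tiny DER parser and the constructed sample are this example's own; the sample reuses the OIDs, the ukm value and the public point from the dump above and leaves out keyEncryptionAlgorithm and recipientEncryptedKeys, which the check does not read.

```python
def tlv(buf, pos=0):                      # one DER TLV at pos -> (tag, value, next_pos); definite lengths only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits give the number of length octets that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def children(value):                      # content octets of a constructed element -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def oid_str(value):                       # OBJECT IDENTIFIER content octets -> dotted form
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def inspect_kari(der):                    # -> (curve OID or None, ukm bytes or None)
    tag, body, _ = tlv(der)
    assert tag == 0xA1, "expected [1] KeyAgreeRecipientInfo"
    curve, ukm = None, None
    for tag, val in children(body):
        if tag == 0xA0:                                   # originator [0] EXPLICIT OriginatorIdentifierOrKey
            kind, orig = children(val)[0]                 # CHOICE member; originatorKey is [1] OriginatorPublicKey
            alg = children(children(orig)[0][1]) if kind == 0xA1 else []  # AlgorithmIdentifier { algorithm, parameters }
            if len(alg) > 1 and alg[1][0] == 0x06:        # parameters present and an OID (absent or NULL -> no curve)
                curve = oid_str(alg[1][1])
        elif tag == 0xA1:                                 # ukm [1] EXPLICIT UserKeyingMaterial
            ukm = children(val)[0][1]
    return curve, ukm

def enc(tag, payload):                    # short-form DER lengths only: every element of the sample is < 128 bytes
    return bytes([tag, len(payload)]) + payload
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")      # 1.2.840.10045.2.1   ecPublicKey
P256 = bytes.fromhex("2a8648ce3d030107")             # 1.2.840.10045.3.1.7 ansiX9p256r1 (prime256v1)
UKM = bytes.fromhex("b1044afdfc8b706d")              # the ukm OCTET STRING value from the dump
POINT = bytes.fromhex("040e81bc2863c85a1e097d471fd32492156d948a8d8882cc651ffd57b4b8dd77"  # originator point
                      "97abe7d01d8ec1fef6cbc4c59db77bde600e84f2354e1942ebb4d9f571584f5389")  # from the dump
def build_sample_kari(with_curve=True, with_ukm=True):  # constructed sample with only the fields inspect_kari reads
    params = enc(0x06, P256) if with_curve else b""
    alg_id = enc(0x30, enc(0x06, EC_PUBLIC_KEY) + params)
    originator_key = enc(0xA1, alg_id + enc(0x03, b"\x00" + POINT))  # BIT STRING with 0 unused bits
    parts = enc(0x02, b"\x03") + enc(0xA0, originator_key)           # version 3, originator [0]
    parts += enc(0xA1, enc(0x04, UKM)) if with_ukm else b""          # ukm [1] OPTIONAL
    return enc(0xA1, parts)
```

Running inspect_kari over the [1] element cut out of an OpenSSL-generated EnvelopedData and over this dump makes the two differences visible as (None, None) versus ("1.2.840.10045.3.1.7", b"\xb1\x04J\xfd\xfc\x8bpm").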
