<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">Bonjour,</div>
<div apple-content-edited="true" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class=""><br class="">
</div>
</div>
</div>
<div>
<blockquote type="cite" class="">
<div class="">Le 9 févr. 2016 à 10:15, Stephan Mühlstrasser <<a href="mailto:stm@pdflib.com" class="">stm@pdflib.com</a>> a écrit :</div>
<br class="Apple-interchange-newline">
<div class="">Hi,<br class="">
<br class="">
I'm trying to decrypt a DER-encoded CMS object (created by Adobe Acrobat) with OpenSSL 1.0.2d:<br class="">
<br class="">
$ openssl cms -decrypt -in recipient.bin -inform DER -inkey atssecp521r1.key -recip atssecp521r1.pem<br class="">
Error reading S/MIME message<br class="">
140735227593552:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1198:<br class="">
140735227593552:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:762:<br class="">
140735227593552:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=version, Type=CMS_KeyAgreeRecipientInfo<br class="">
140735227593552:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:685:<br class="">
140735227593552:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:336:Field=d.kari, Type=CMS_RecipientInfo<br class="">
140735227593552:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:666:Field=recipientInfos, Type=CMS_EnvelopedData<br class="">
140735227593552:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:<br class="">
140735227593552:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:tasn_dec.c:557:Field=d.envelopedData, Type=CMS_ContentInfo<br class="">
<br class="">
The full dumpasn1 output of the file "recipient.bin" is below at the end of the message. Is this a correct CMS object?<br class="">
<br class="">
If I compare this to the structure of a CMS object that was generated by OpenSSL itself, there's a difference in the structure of the RecipientInfos object. If I understand it correctly, this is the start of the RecipientInfos object (starting at line 6 of
the dumpasn1 output):<br class="">
<br class="">
SET {<br class="">
[1] {<br class="">
SEQUENCE {<br class="">
INTEGER 3<br class="">
…</div>
</blockquote>
<div><br class="">
</div>
<div>This is the expression of an EXPLICIT tag.</div>
<br class="">
<blockquote type="cite" class="">
<div class="">I can match this to the following rules in RFC 5652:<br class="">
<br class="">
RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo<br class="">
<br class="">
RecipientInfo ::= CHOICE {<br class="">
ktri KeyTransRecipientInfo,<br class="">
kari [1] KeyAgreeRecipientInfo,<br class="">
kekri [2] KEKRecipientInfo,<br class="">
pwri [3] PasswordRecipientinfo,<br class="">
ori [4] OtherRecipientInfo }<br class="">
<br class="">
KeyAgreeRecipientInfo ::= SEQUENCE {<br class="">
version CMSVersion, -- always set to 3<br class="">
originator [0] EXPLICIT OriginatorIdentifierOrKey,<br class="">
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,<br class="">
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,<br class="">
recipientEncryptedKeys RecipientEncryptedKeys }<br class="">
</div>
</blockquote>
<div><br class="">
</div>
<div>
<div>See RFC5652 section 12.1.</div>
</div>
<div>These data types are defined in a module with IMPLICIT TAGS (it was changed between PKCS#7v1.5 and RFC2630), so kari, kekri, pwri, and ori elements are associated to an IMPLICIT tag.</div>
<div><br class="">
</div>
<div>Additional definition to read the dump.</div>
<div><br class="">
</div>
<div>
<div>
<div>OriginatorIdentifierOrKey ::= CHOICE {</div>
<div> issuerAndSerialNumber IssuerAndSerialNumber,</div>
<div> subjectKeyIdentifier [0] SubjectKeyIdentifier,</div>
<div> originatorKey [1] OriginatorPublicKey }</div>
<div><br class="">
</div>
<div>
<div>OriginatorPublicKey ::= SEQUENCE {</div>
<div> algorithm AlgorithmIdentifier,</div>
<div> publicKey BIT STRING }</div>
<div class=""><br class="">
</div>
</div>
</div>
</div>
<div><br class="">
</div>
<blockquote type="cite" class="">
<div class="">If I dump a CMS object that was created with OpenSSL's CMS tool with the same certificate as the problematic one, the structure of the RecipientInfos object looks like this:<br class="">
<br class="">
SET {<br class="">
[1] {<br class="">
INTEGER 3<br class="">
…<br class="">
</div>
</blockquote>
<br class="">
<blockquote type="cite" class="">
<div class="">So the "SEQUENCE" element of the KeyAgreeRecipientInfo is not present here.<br class="">
</div>
</blockquote>
<div><br class="">
</div>
<div>This is the correct behavior of an IMPLICIT tag.</div>
<br class="">
<blockquote type="cite" class="">
<div class="">Another issue in the Acrobat-generated CMS object is the top-level CMSVersion in the EnvelopedData object being 0. I believe this is wrong and should be 2, but apparently OpenSSL doesn't care.<br class="">
<br class="">
Full output of dumpasn1 for "recipient.bin" file:<br class="">
<br class="">
SEQUENCE {<br class="">
OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)<br class="">
[0] {<br class="">
SEQUENCE {<br class="">
INTEGER 0<br class="">
SET {<br class="">
[1] {<br class="">
SEQUENCE {<br class="">
</div>
</blockquote>
<div><br class="">
</div>
<div>This is wrong, the SEQUENCE is to be hidden by the [1] tag.</div>
<br class="">
<blockquote type="cite" class="">
<div class=""> INTEGER 3<br class="">
[0] {<br class="">
</div>
</blockquote>
<div><br class="">
</div>
The [0] introduces the originator element, of type OriginatorIdentifierOrKey, it’s EXPLICIT.</div>
<div><br class="">
<blockquote type="cite" class="">
<div class=""> [1] {</div>
</blockquote>
<blockquote type="cite" class="">
<div class=""> SEQUENCE {<br class="">
</div>
</blockquote>
<div><br class="">
</div>
<div>Also wrong, the [1] here should be IMPLICIT and hide the SEQUENCE tag of the OriginatorPublicKey structure.</div>
<div><br class="">
</div>
<blockquote type="cite" class="">
<div class=""> SEQUENCE {<br class="">
OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)<br class="">
OBJECT IDENTIFIER secp521r1 (1 3 132 0 35)<br class="">
}<br class="">
BIT STRING<br class="">
04 01 91 BE 01 63 00 79 C2 D2 95 0F 9D 03 A4 34<br class="">
5A 9C 2F 98 4A 13 D4 59 C6 EA 6C 4B 6D 7D 2B DC<br class="">
1C 08 16 86 EF F0 C2 3D AE A4 AF A3 7C 7E 15 80<br class="">
55 18 06 2C E9 09 19 3A 3A 78 DD 93 F1 33 B1 1E<br class="">
9A 76 7C 01 1E 8B B6 B0 FE 5E BA FD 04 EE F3 84<br class="">
3D 47 61 22 D2 A3 AC 1C D4 B8 66 57 94 B1 74 83<br class="">
B1 4E 7F 2F 64 7F 4F 64 40 6A 1D 02 38 5F FE DF<br class="">
93 7B 14 6D 5A BF 75 AC 77 CB 47 2B 16 F0 9D C7<br class="">
[ Another 5 bytes skipped ]<br class="">
}<br class="">
}<br class="">
}<br class="">
</div>
</blockquote>
<div><br class="">
</div>
<div>
<div>I haven’t checked the rest.</div>
</div>
</div>
<br class="">
<div class=""><br class="">
</div>
</body>
</html>