[openssl-users] How to turn on certain elements in CMS objects
Stephan Mühlstrasser
stm at pdflib.com
Fri Jul 1 14:55:31 UTC 2016
Hi,

this message is related to another question that I sent with subject
"Unable to decrypt CMS object encrypted with EC prime256v1 certificate".

Below I have included the full ASN.1 dump of the CMS object generated by
a third-party application.

The CMS object has two properties that I so far was not able to
reproduce when creating CMS objects with OpenSSL:

First, the AlgorithmIdentifier includes the EC curve name:

  40   19: SEQUENCE {
  42    7:   OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
  51    8:   OBJECT IDENTIFIER ansiX9p256r1 (1 2 840 10045 3 1 7)
         :   }

In CMS objects created with OpenSSL with the same recipient certificate,
the curve name is always omitted. Is it possible to make OpenSSL emit
the curve name as well?

Second, the following:

 129   10: [1] {
 131    8:   OCTET STRING B1 04 4A FD FC 8B 70 6D
         :   }

If I match this correctly to RFC 5652, this is

    ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL

inside the KeyAgreeRecipientInfo SEQUENCE (see
https://tools.ietf.org/html/rfc5652#section-6.2.2).

Can OpenSSL emit this optional element? What is the purpose of the "ukm"
field?

Thank you
Stephan

Full ASN.1 dump follows:
   0  360: SEQUENCE {
   4    9:   OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
  15  345:   [0] {
  19  341:     SEQUENCE {
  23    1:       INTEGER 2
  26  256:       SET {
  30  253:         [1] {
  33    1:           INTEGER 3
  36   91:           [0] {
  38   89:             [1] {
  40   19:               SEQUENCE {
  42    7:                 OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
  51    8:                 OBJECT IDENTIFIER ansiX9p256r1 (1 2 840 10045 3 1 7)
         :                 }
  61   66:               BIT STRING
         :                 04 0E 81 BC 28 63 C8 5A 1E 09 7D 47 1F D3 24 92
         :                 15 6D 94 8A 8D 88 82 CC 65 1F FD 57 B4 B8 DD 77
         :                 97 AB E7 D0 1D 8E C1 FE F6 CB C4 C5 9D B7 7B DE
         :                 60 0E 84 F2 35 4E 19 42 EB B4 D9 F5 71 58 4F 53
         :                 89
         :               }
         :             }
 129   10:           [1] {
 131    8:             OCTET STRING B1 04 4A FD FC 8B 70 6D
         :             }
 141   21:           SEQUENCE {
 143    6:             OBJECT IDENTIFIER '1 3 132 1 11 1'
 151   11:             SEQUENCE {
 153    9:               OBJECT IDENTIFIER aes128-wrap (2 16 840 1 101 3 4 1 5)
         :               }
         :             }
 164  120:           SEQUENCE {
 166  118:             SEQUENCE {
 168   90:               SEQUENCE {
 170   85:                 SEQUENCE {
 172   11:                   SET {
 174    9:                     SEQUENCE {
 176    3:                       OBJECT IDENTIFIER countryName (2 5 4 6)
 181    2:                       PrintableString 'DE'
         :                       }
         :                     }
 185   15:                   SET {
 187   13:                     SEQUENCE {
 189    3:                       OBJECT IDENTIFIER localityName (2 5 4 7)
 194    6:                       UTF8String 'Munich'
         :                       }
         :                     }
 202   20:                   SET {
 204   18:                     SEQUENCE {
 206    3:                       OBJECT IDENTIFIER organizationName (2 5 4 10)
 211   11:                       UTF8String 'PDFlib GmbH'
         :                       }
         :                     }
 224   31:                   SET {
 226   29:                     SEQUENCE {
 228    3:                       OBJECT IDENTIFIER commonName (2 5 4 3)
 233   22:                       UTF8String 'PDFlib GmbH Demo CA G2'
         :                       }
         :                     }
         :                   }
 257    1:                 INTEGER 5
         :                 }
 260   24:               OCTET STRING
         :                 2E 27 CB 94 64 71 E7 05 96 51 08 34 67 92 34 D7
         :                 12 B1 69 8F 20 E9 F1 11
         :               }
         :             }
         :           }
         :         }
 286   76:       SEQUENCE {
 288    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
 299   29:         SEQUENCE {
 301    9:           OBJECT IDENTIFIER aes128-CBC (2 16 840 1 101 3 4 1 2)
 312   16:           OCTET STRING
         :             88 E4 52 8D 63 2F A9 A5 49 0E 8B FE 7D D0 93 F9
         :           }
 330   32:         [0]
         :           06 E8 97 3B AD 11 F8 49 41 C9 D6 C3 FD B4 22 4A
         :           89 DF AB 86 95 A7 D1 E0 C8 BF E5 8F 4D 79 7D D3
         :         }
         :       }
         :     }
         :   }
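
Added example, not part of the original message and not OpenSSL code: a small Python DER walker that reports whether a KeyAgreeRecipientInfo carries the two elements asked about above, the originatorKey AlgorithmIdentifier parameters and the optional ukm [1]. The function names are hypothetical and the sample input is constructed: the OIDs, ukm bytes and keyEncryptionAlgorithm are taken from the dump, while the public key is an all-zero placeholder and recipientEncryptedKeys is left empty.

```python
# Added example; helper names are hypothetical, sample data is constructed.
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed element."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def inspect_kari(der):
    """Report originatorKey algorithm parameters and ukm, None where absent."""
    tag, body, _ = read_tlv(der)
    if tag != 0xA1:  # RecipientInfo CHOICE: KeyAgreeRecipientInfo is [1]
        raise ValueError("not a KeyAgreeRecipientInfo")
    found = {"alg_params": None, "ukm": None}
    for tag, val in children(body):
        if tag == 0xA0:  # originator [0] EXPLICIT OriginatorIdentifierOrKey
            choice, key, _ = read_tlv(val)
            if choice == 0xA1:  # originatorKey [1]: AlgorithmIdentifier, BIT STRING
                alg = list(children(next(children(key))[1]))
                found["alg_params"] = alg[1] if len(alg) > 1 else None
        elif tag == 0xA1:  # ukm [1] EXPLICIT OCTET STRING
            found["ukm"] = read_tlv(val)[1]
    return found

def tlv(tag, *parts):  # encode one DER element, content shorter than 256 bytes
    body = b"".join(parts)
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def sample_kari(with_params=True, with_ukm=True):
    """Constructed sample: OIDs and ukm from the post, placeholder public key."""
    alg = tlv(0x06, bytes.fromhex("2A8648CE3D0201"))  # ecPublicKey
    if with_params:
        alg += tlv(0x06, bytes.fromhex("2A8648CE3D030107"))  # ansiX9p256r1
    key = tlv(0xA1, tlv(0x30, alg), tlv(0x03, b"\x00\x04" + bytes(64)))
    ukm = tlv(0xA1, tlv(0x04, bytes.fromhex("B1044AFDFC8B706D"))) if with_ukm else b""
    kea = bytes.fromhex("301506062B8104010B01300B0609608648016503040105")
    return tlv(0xA1, tlv(0x02, b"\x03"), tlv(0xA0, key), ukm, kea, tlv(0x30))

print(inspect_kari(sample_kari()))
```

Calling sample_kari(with_params=False, with_ukm=False) builds the variant the message describes for OpenSSL-created objects, which makes the two encodings easy to compare side by side.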