[openssl-users] Obtaining PKCS7 data length

Dr. Stephen Henson steve at openssl.org
Fri Sep 2 15:39:16 UTC 2016

On Tue, Aug 30, 2016, David wrote:

> Hi,
> I have some PKCS7 data which I can read like this with OpenSSL:
> $ openssl asn1parse -i -inform der -in data.dat
> 0:d=0  hl=4 l=16208 cons: SEQUENCE
> 4:d=1  hl=2 l=    9 prim:  OBJECT            :pkcs7-signedData
> .. more ..
> I can load it in code like so:
> // buf contains the raw data, len the length
> BIO *bio = BIO_new_mem_buf(buf, len);
> PKCS7 *pkcs7 = d2i_PKCS7_bio(bio, NULL);
> if (!pkcs7) {
>     // die
> }
> printf("Success!");
> This works fine and I can successfully obtain signer information etc.
> However I'd like to obtain the length value as parsed from the input
> data. In my example this was 16208, seen in the second line of the ASN1
> output.
> I noticed there is a length attribute to the PKCS7 structure (see
> include/openssl/pkcs7.h) but pkcs7->length is always zero when I print it.
> How can I obtain the length of the overall sequence which contains PKCS7
> signed data?  This is important because the length I already have may be
> longer than the actual PKCS7 data.

I'm curious: why do you want that information?

If you want the entire length of the parsed data you can use d2i_PKCS7() to
parse the buffer: the passed pointer is then incremented to immediately follow
the PKCS7 structure. You can then get the length by subtracting the
start of the buffer.

If you want the length of the intial SEQUENCE then this data is handled
automatically by the parser and isn't directly available. You can use an ASN.1
function such as ASN1_get_object() to obtain it. However this wont always be
what you want: if the PKCS#7 structure used indefinite length constructed
encoding then you wont get anything useful.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list