[openssl-users] Extract content of DER-encoded package by OID

Dr. Stephen Henson steve at openssl.org
Wed Jul 19 11:25:54 UTC 2017

On Tue, Jul 18, 2017, Justin Mogannam wrote:

> Hello, 
> I have a signedData package that contains an encryptedKeyPackage
> (specifically OID 2.16.840., aka id-ct-KP-encryptedKeyPkg)
> that I want to extract from it. I am somewhat able to extract the sequence
> that contains this data via the OpenSSL command line: 
> $ openssl asn1parse -in <my_pkg.der> -inform DER -strparse <hard-coded
> offset I computed>
> However, I am looking for the OpenSSL calls to do the same thing, ideally
> extract package contents by its OID without having to know the offset (such
> that I can extract the data from any given package by that particular OID).
> How would I go about doing this? I've been looking endlessly into asn1.h and
> x509.h, and am able to somewhat parse the entire package into a structure,
> but I could use some guidance as to how to further break it down into parts.
> Thank you, and I hope to hear a response back soon. 

Well if this follows RFC6032 the outer part will be a ContentInfo structure
which you can parse using d2i_CMS_ContentInfo. From there you can use various
utility functions to analyse it.

For example CMS_get0_eContentType() to get the OID corresponding to the
encapsulated content type and CMS_get0_content() which (if I read the spec
correctly) should get you the EncryptedKeyPackage structure. After that you'll
have to parse it yourself because OpenSSL doesn't support that atructure.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list