[openssl-users] Extract content of DER-encoded package by OID

Wed Jul 19 22:17:04 UTC 2017

Hi Steve,
What you've described sounds exactly like what I want to do. Couple of
questions/concerns in regards to what you've just stated:

1) Is there a way to initialize a CMS_ContentInfo structure like there is a
way to initialize a BIO structure (such as with BIO_new()? ). I'm looking
through openssl/cms.h but I'm not seeing anything.

2) Once again, I'm looking in openssl/cms.h, and I could not find the
function prototype " d2i_CMS_ContentInfo". I even did a grep on the whole
directory. Is it located somewhere else? I have OpenSSL 1.0.1, which is
after 0.9.8 when the function was added to OpenSSL. 

3) In looking at the function prototype (via
https://www.openssl.org/docs/man1.0.2/crypto/d2i_CMS_ContentInfo.html):
CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, unsigned char
**pp, long length);
I'm assuming **pp is just a pointer to the array with the DER-encoded
certificate in it? I just want to make sure since some of the parameter
names are a little ambiguous in OpenSSL. 

I'm assuming once I'm able to get the DER-encoded certificate in a CMS
object, I can use the function you provided and the ones in cms.h to strip
off "layers" of the certificate to get the encryptedKeyPackage that I want
(which, of course as you mentioned, I'll be able to handle the rest from
there). Thank you very much for your response, as it was very helpful, and I
hope to get just as useful of a response back!

- Justin

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
Dr. Stephen Henson
Sent: Wednesday, July 19, 2017 4:26 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Extract content of DER-encoded package by OID

On Tue, Jul 18, 2017, Justin Mogannam wrote:

> Hello,
> I have a signedData package that contains an encryptedKeyPackage 
> (specifically OID 2.16.840.1.101.2.1.2.78.2, aka 
> id-ct-KP-encryptedKeyPkg) that I want to extract from it. I am 
> somewhat able to extract the sequence that contains this data via the
OpenSSL command line:
> 
> $ openssl asn1parse -in <my_pkg.der> -inform DER -strparse <hard-coded 
> offset I computed>
> 
> However, I am looking for the OpenSSL calls to do the same thing, 
> ideally extract package contents by its OID without having to know the 
> offset (such that I can extract the data from any given package by that
particular OID).
> How would I go about doing this? I've been looking endlessly into 
> asn1.h and x509.h, and am able to somewhat parse the entire package 
> into a structure, but I could use some guidance as to how to further break
it down into parts.
> Thank you, and I hope to hear a response back soon. 
> 

Well if this follows RFC6032 the outer part will be a ContentInfo structure
which you can parse using d2i_CMS_ContentInfo. From there you can use
various utility functions to analyse it.

For example CMS_get0_eContentType() to get the OID corresponding to the
encapsulated content type and CMS_get0_content() which (if I read the spec
correctly) should get you the EncryptedKeyPackage structure. After that
you'll have to parse it yourself because OpenSSL doesn't support that
atructure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users