[openssl-users] Extract content of DER-encoded package by OID

Justin Mogannam jmogannam at arkhamtechnology.com
Wed Jul 19 22:17:04 UTC 2017

Hi Steve,
What you've described sounds exactly like what I want to do. Couple of
questions/concerns in regards to what you've just stated:

1) Is there a way to initialize a CMS_ContentInfo structure like there is a
way to initialize a BIO structure (such as with BIO_new())? I'm looking
through openssl/cms.h but I'm not seeing anything.

2) Once again, I'm looking in openssl/cms.h, and I could not find the
function prototype "d2i_CMS_ContentInfo". I even did a grep on the whole
directory. Is it located somewhere else? I have OpenSSL 1.0.1, which is
after 0.9.8 when the function was added to OpenSSL. 

3) In looking at the function prototype (via
CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, unsigned char
**pp, long length);
I'm assuming **pp is just a pointer to the array with the DER-encoded
certificate in it? I just want to make sure since some of the parameter
names are a little ambiguous in OpenSSL. 

I'm assuming once I'm able to get the DER-encoded certificate in a CMS
object, I can use the function you provided and the ones in cms.h to strip
off "layers" of the certificate to get the encryptedKeyPackage that I want
(which, of course as you mentioned, I'll be able to handle the rest from
there). Thank you very much for your response, as it was very helpful, and I
hope to get just as useful of a response back!

- Justin

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
Dr. Stephen Henson
Sent: Wednesday, July 19, 2017 4:26 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Extract content of DER-encoded package by OID

On Tue, Jul 18, 2017, Justin Mogannam wrote:

> Hello,
> I have a signedData package that contains an encryptedKeyPackage 
> (specifically OID 2.16.840., aka 
> id-ct-KP-encryptedKeyPkg) that I want to extract from it. I am 
> somewhat able to extract the sequence that contains this data via the
> OpenSSL command line:
> $ openssl asn1parse -in <my_pkg.der> -inform DER -strparse <hard-coded 
> offset I computed>
> However, I am looking for the OpenSSL calls to do the same thing, 
> ideally extract package contents by its OID without having to know the 
> offset (such that I can extract the data from any given package by that
> particular OID).
> How would I go about doing this? I've been looking endlessly into 
> asn1.h and x509.h, and am able to somewhat parse the entire package 
> into a structure, but I could use some guidance as to how to further break
> it down into parts.
> Thank you, and I hope to hear a response back soon. 

Well if this follows RFC6032 the outer part will be a ContentInfo structure
which you can parse using d2i_CMS_ContentInfo. From there you can use
various utility functions to analyse it.

For example CMS_get0_eContentType() to get the OID corresponding to the
encapsulated content type and CMS_get0_content() which (if I read the spec
correctly) should get you the EncryptedKeyPackage structure. After that
you'll have to parse it yourself because OpenSSL doesn't support that

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
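
As an added example (not code from this thread and not OpenSSL's API), the following stand-alone C walks definite-length DER and returns the eContent whose eContentType matches a given OID, with no hard-coded offset; every length is bounds-checked before it is used. The function names, the sample bytes and the placeholder OID 1.2.3.4 are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Parse one DER header: returns its size and sets *len; 0 if malformed or truncated. */
static size_t der_hdr(const unsigned char *p, size_t n, size_t *len) {
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return 0;   /* high tag numbers not handled */
    size_t h = 2, l = p[1];
    if (l & 0x80) {                                 /* long form: k length bytes follow */
        size_t k = l & 0x7f;
        if (k == 0 || k > sizeof l || n < 2 + k) return 0;  /* k == 0: BER indefinite */
        for (l = 0; h < 2 + k; h++) l = (l << 8) | p[h];
    }
    if (l > n - h) return 0;                        /* value must fit in the buffer */
    *len = l;
    return h;
}

/* Depth-first search for OID == oid followed by [0] EXPLICIT { OCTET STRING }
 * (eContentType + eContent). Returns the OCTET STRING bytes, length in *out_len. */
const unsigned char *find_econtent(const unsigned char *buf, size_t n,
        const unsigned char *oid, size_t oid_len, size_t *out_len, int depth) {
    size_t off = 0, h, l, h2, l2, h3, l3;
    if (depth > 16) return NULL;                    /* cap recursion on hostile input */
    while (off < n && (h = der_hdr(buf + off, n - off, &l)) != 0) {
        const unsigned char *p = buf + off, *next = p + h + l, *r;
        if (p[0] == 0x06 && l == oid_len && memcmp(p + h, oid, l) == 0 &&
            (h2 = der_hdr(next, n - off - h - l, &l2)) != 0 && next[0] == 0xA0 &&
            (h3 = der_hdr(next + h2, l2, &l3)) != 0 && next[h2] == 0x04) {
            *out_len = l3;
            return next + h2 + h3;
        }
        if ((p[0] & 0x20) && (r = find_econtent(p + h, l, oid, oid_len, out_len, depth + 1)))
            return r;                               /* found inside a constructed element */
        off += h + l;
    }
    return NULL;
}

/* Constructed sample (not a real signed package); 1.2.3.4 is a placeholder eContentType. */
static const unsigned char sample[] = {
    0x30,0x27, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02, 0xA0,0x1A, 0x30,0x18,
    0x02,0x01,0x03, 0x31,0x00, 0x30,0x0F, 0x06,0x03,0x2A,0x03,0x04, 0xA0,0x08,
    0x04,0x06,'K','E','Y','P','K','G', 0x31,0x00 };
static const unsigned char want_oid[] = { 0x2A, 0x03, 0x04 };  /* DER body of 1.2.3.4 */

int main(void) {
    size_t len = 0;
    const unsigned char *c = find_econtent(sample, sizeof sample, want_oid, sizeof want_oid, &len, 0);
    if (c) printf("eContent: %.*s\n", (int)len, (const char *)c);
    return c == NULL;
}
```

Requiring an OCTET STRING inside the `[0]` wrapper is what keeps the outer ContentInfo's own contentType OID from matching; BER packages with indefinite lengths are rejected rather than parsed.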