Steve,
thank you for your valuable feedback !
... I still have another question about the PKCS#7 envelopedData ...
> That structure is the encryptedContent field of PKCS#7 envelopedData
content
> type.
>
> >From PKCS#7...
>
> EncryptedContentInfo ::= SEQUENCE {
> contentType ContentType,
> contentEncryptionAlgorithm
> ContentEncryptionAlgorithmIdentifier,
> encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL }
>
> EncryptedContent ::= OCTET STRING
>
This is exactly the PKCS#7 specification we use in our ASN.1 grammar, as
mentioned in RFC2315-Chap.10.1
> Note that encryptedContent has an IMPLICIT tag so the first
>
>> 350:d=4 hl=2 l=inf cons: cont [ 0 ]
>>
>
> is actually the outer OCTET STRING type. The following:
>
If the outer implicit tag is considered as the outer OCTET STRING type
... what would it be a correct encoding IYHO for using a BER-encoded
OCTET STRING with streaming output ?
Is the OPENSSL_ALLOW_NESTED_ASN1_STRINGS enable the only choice ?
Do you think it would help raising the maximum level of nesting up to 2
without impacting the "stack overflow" risk protection ?
P.S. We do not have the same problem with PKCS#7 SignedData, that
defines the explicit tag for its content:
ContentInfo ::= SEQUENCE {
contentType ContentType,
content
[0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
and the resulting ASN.1 parsed data is:
35:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
46:d=4 hl=2 l=inf cons: cont [ 0 ]
48:d=5 hl=2 l=inf cons: OCTET STRING
50:d=6 hl=2 l= 5 prim: OCTET STRING :ciao
57:d=6 hl=2 l= 0 prim: EOC
59:d=5 hl=2 l= 0 prim: EOC
61:d=4 hl=2 l= 0 prim: EOC
In this case, the first "cont[0]" is not considered by OpenSSL ASN.1
parser as a level of nesting ... everything is then correctly processed
without errors.
ASN1_item_ex_d2i(): p=136277491, len=1030, type=0 'PRIMITIVE', tag=6
'OBJECT'
asn1_d2i_ex_primitive(): p=136277491, plen=0, utype=6 'OBJECT',
inf=FALSE, cst=FALSE
ASN1_get_object(): p=136277493 + *plength=9 (inf=FALSE) tag=6 'OBJECT'>
omax=1030 + *pp=136277491 (136277502 > 136278521)
asn1_template_ex_d2i(): p=136277502
ASN1_get_object(): p=136277504 + *plength=0 (inf=TRUE) tag=0 'EOC'>
omax=1019 + *pp=136277502 (136277504 > 136278521)
ASN1_item_ex_d2i(): p=136277504, len=1017, type=0 'PRIMITIVE', tag=4
'OCTET STRING'
asn1_d2i_ex_primitive(): p=136277504, plen=9, utype=4 'OCTET STRING',
inf=FALSE, cst=FALSE
ASN1_get_object(): p=136277506 + *plength=0 (inf=TRUE) tag=4 'OCTET
STRING'> omax=1017 + *pp=136277504 (136277506 > 136278521)
-----
asn1_collect(): (*in)=136277506, len=1015, inf=TRUE
-----
ASN1_get_object(): p=136277508 + *plength=5 (inf=FALSE) tag=4 'OCTET
STRING'> omax=1015 + *pp=136277506 (136277513 > 136278521)
Thank you again for your help !
P.S. In am thinking about writing a new OpenSource project for making a
"bridge" between the GnuPG CLI (well known and supported by many Desktop
GUIs) and OpenSSL engine. I thought about calling this project "OpenSSL
CLI" (easy as GnuPG and powerful as OpenSSL), but I do need your
approval for using the "OpenSSL" in name prefix. What are your feeling
about that name ?
Luca.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
