Hi Russ, do you mean that the DER data

    0x60 0x7e 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0xa0 0x74

is wrong? If so, I captured that DER data with Wireshark from an SMB2 session setup request, and that is also what I try to decode with the help of OpenSSL. If that data is wrong, is there a way to get it decoded with OpenSSL anyway?

Max

From: Russ Housley <hous...@vigilsec.com>
Date: Thursday, 4. November 2021 at 15:08
To: Max Larsson <max.lars...@facilityboss.biz>
Cc: openssl-users@openssl.org <openssl-users@openssl.org>
Subject: Re: ASN1 <-> DER encoding with application tag

RFC 2743 shows this structure:

    MechType ::= OBJECT IDENTIFIER
    -- data structure definitions
    -- callers must be able to distinguish among
    -- InitialContextToken, SubsequentContextToken,
    -- PerMsgToken, and SealedMessage data elements
    -- based on the usage in which they occur

    InitialContextToken ::=
    -- option indication (delegation, etc.) indicated within
    -- mechanism-specific token
    [APPLICATION 0] IMPLICIT SEQUENCE {
            thisMech MechType,
            innerContextToken ANY DEFINED BY thisMech
               -- contents mechanism-specific
               -- ASN.1 structure not required
            }

The encoded data that you provided does begin with the [APPLICATION 0] tag, then it is followed by the { 1 3 6 1 5 5 2 } object identifier.

Russ

On Nov 4, 2021, at 9:58 AM, Max Larsson <max.lars...@facilityboss.biz> wrote:

Hi everyone,

I'm trying to decode and encode DER structures. In my case these are DER encoded GSSAPI structures.
My DER encoded data looks like this (stripped the pending bytes):

    0x60 0x7e 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0xa0 0x74

My ASN1 definition in my source looks like this:

    typedef struct ContextToken_st {
        ASN1_OBJECT *mech;
        ASN1_OCTET_STRING *innerContextToken;
    } GSSAPI_CONTEXTTOKEN;

    DECLARE_ASN1_FUNCTIONS( GSSAPI_CONTEXTTOKEN )

    ASN1_SEQUENCE( GSSAPI_CONTEXTTOKEN ) = {
        ASN1_SIMPLE( GSSAPI_CONTEXTTOKEN, mech, ASN1_OBJECT ),
        ASN1_SIMPLE( GSSAPI_CONTEXTTOKEN, innerContextToken, ASN1_OCTET_STRING )
    } ASN1_SEQUENCE_END( GSSAPI_CONTEXTTOKEN )

    IMPLEMENT_ASN1_FUNCTIONS( GSSAPI_CONTEXTTOKEN )

Parsing the above DER data fails, so I decided to encode my own DER structure, to see where the difference is with my setup:

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/asn1t.h>
    #include <openssl/objects.h>
    . . .
    negToken = GSSAPI_CONTEXTTOKEN_new();
    if( negToken != NULL ) {
        negToken->mech = OBJ_txt2obj( "1.3.6.1.5.5.2", 0 );
        negToken->innerContextToken = ASN1_OCTET_STRING_new();
        /* inner token as captured; everything after the first bytes stripped for readability */
        const unsigned char mechToken[] = "\xa0\x74\x30" /* … */;
        const size_t mechTokenSize = sizeof( mechToken ) - 1;   /* drop the terminating NUL */
        printf( "Size of inner token: %zu\n", mechTokenSize );
        ASN1_OCTET_STRING_set( negToken->innerContextToken, mechToken, mechTokenSize );

        /* a NULL output pointer makes i2d return the encoded length without writing */
        int bufferSize = i2d_GSSAPI_CONTEXTTOKEN( negToken, NULL );
        printf( "Required buffer size for DER encoding of ASN1 structure: %d\n", bufferSize );
        unsigned char *buffer = malloc( bufferSize );
        unsigned char *p = buffer;   /* i2d advances p, so keep buffer pointing at the start */
        i2d_GSSAPI_CONTEXTTOKEN( negToken, &p );
        for( int len = 0; len < bufferSize; len++ ) {
            if( ( len % 8 ) == 0 ) printf( " " );
            if( ( len % 16 ) == 0 ) printf( "\n\t\t" );
            printf( " 0x%02x", buffer[ len ] );
        }
        printf( "\n" );
        free( buffer );
    }
    . . .

The code above outputs the following DER encoded structure (the difference marked in bold):

    0x30 0x81 0x80 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0x04 0x76 0xa0 0x74

The Google results I found seem to point in the direction of using application tags to encode. But I haven't found any example of how to achieve this with OpenSSL. Can anyone give me some hints?
Best regards
Max Larsson
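Editor's note on the two encodings in the thread, with an added example (my own code, not part of the mail thread and not OpenSSL code). The captured header 0x60 0x7e announces 126 content bytes, and 126 = 8 bytes of OID TLV (06 06 2b 06 01 05 05 02) + 118 bytes of inner token (a0 74 plus 116 bytes of content). Max's own output 0x30 0x81 0x80 ... 0x04 0x76 ... announces 128 bytes: the same 8 + 118, plus the 2-byte OCTET STRING header (04 76) that his template adds around the inner token. So the two differences are exactly the ones the thread circles around: IMPLICIT [APPLICATION 0] replaces the SEQUENCE identifier 0x30 with 0x60 (APPLICATION class 0x40, constructed 0x20, tag number 0), and the ANY member is the inner token's own TLV, not an OCTET STRING wrapping it. The example below builds and parses a token at the DER level so both points are visible on the wire; the token it builds is a constructed, minimal SPNEGO negTokenInit offering only NTLMSSP, not the capture from the thread. For the OpenSSL template API, the relevant pieces are in <openssl/asn1t.h>: the tag-class flags (ASN1_TFLG_APPLICATION) combined with ASN1_TFLG_IMPTAG, either on a member via ASN1_IMP_EX or on a whole item via ASN1_ITEM_TEMPLATE with ASN1_EX_TEMPLATE_TYPE, and ASN1_ANY (an ASN1_TYPE *) for the inner token; check those names against the asn1t.h of the OpenSSL version in use.

```python
"""DER tag-class handling for the RFC 2743 InitialContextToken (added example).

Stand-alone illustration, not OpenSSL code. The token built below is
constructed here (a minimal SPNEGO negTokenInit offering only NTLMSSP).
"""
from typing import Tuple

CLASS_NAMES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT", 3: "PRIVATE"}
SPNEGO_OID = "1.3.6.1.5.5.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def encode_length(n: int) -> bytes:
    """DER definite length: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(identifier: int, content: bytes) -> bytes:
    """One TLV with a single identifier octet (tag numbers below 31)."""
    return bytes([identifier]) + encode_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV; arcs after the first two are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid for the content octets (first arc 0, 1 or 2, second arc < 40)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_tlv(data: bytes, offset: int = 0) -> Tuple[dict, int]:
    """Parse one DER TLV at offset; return (fields, offset after it).

    Rejects the high-tag-number form, indefinite lengths and lengths that run
    past the buffer, so a truncated capture fails here instead of being misread.
    """
    ident = data[offset]
    number = ident & 0x1F
    if number == 0x1F:
        raise ValueError("high-tag-number form not supported")
    pos = offset + 1
    first = data[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError(f"length {length} exceeds {len(data) - pos} remaining bytes")
    fields = {"class": CLASS_NAMES[ident >> 6], "constructed": bool(ident & 0x20),
              "number": number, "length": length, "value": data[pos:end]}
    return fields, end


def encode_initial_context_token(mech_oid: str, inner_token: bytes) -> bytes:
    """[APPLICATION 0] IMPLICIT SEQUENCE { thisMech OID, innerContextToken ANY }.

    IMPLICIT tagging replaces the SEQUENCE identifier 0x30 with
    0x60 = APPLICATION (0x40) | constructed (0x20) | tag 0; the ANY member is
    the inner token's own TLV, with no OCTET STRING around it.
    """
    return tlv(0x60, encode_oid(mech_oid) + inner_token)


def encode_as_plain_sequence(mech_oid: str, inner_token: bytes) -> bytes:
    """What a SEQUENCE { OID, OCTET STRING } template produces, for comparison."""
    return tlv(0x30, encode_oid(mech_oid) + tlv(0x04, inner_token))


def decode_initial_context_token(token: bytes) -> Tuple[str, bytes]:
    """Return (thisMech dotted OID, innerContextToken DER) or raise ValueError."""
    outer, end = parse_tlv(token)
    if (outer["class"], outer["number"], outer["constructed"]) != ("APPLICATION", 0, True):
        raise ValueError("outer tag is not [APPLICATION 0] constructed")
    if end != len(token):
        raise ValueError("trailing bytes after the token")
    mech, pos = parse_tlv(outer["value"])
    if (mech["class"], mech["number"]) != ("UNIVERSAL", 6):
        raise ValueError("thisMech is not an OBJECT IDENTIFIER")
    inner = outer["value"][pos:]
    _, inner_end = parse_tlv(inner)  # the ANY must be exactly one well-formed TLV
    if inner_end != len(inner):
        raise ValueError("innerContextToken is not a single TLV")
    return decode_oid(mech["value"]), inner


def rejects(decoder, data: bytes) -> bool:
    """True if decoder raises ValueError on data (shows the failure cases)."""
    try:
        decoder(data)
    except ValueError:
        return True
    return False


# Constructed sample: negTokenInit [0] EXPLICIT SEQUENCE { mechTypes [0] SEQUENCE OF OID }
NEG_TOKEN_INIT = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, encode_oid(NTLMSSP_OID)))))
SAMPLE_TOKEN = encode_initial_context_token(SPNEGO_OID, NEG_TOKEN_INIT)

if __name__ == "__main__":
    print("correct :", SAMPLE_TOKEN.hex(" "))
    print("mistaken:", encode_as_plain_sequence(SPNEGO_OID, NEG_TOKEN_INIT).hex(" "))
    print(decode_initial_context_token(SAMPLE_TOKEN))
```

Running it prints the correct token starting 60 1c 06 06 2b 06 01 05 05 02 a0 12 and the SEQUENCE/OCTET STRING variant starting 30 1e ... 04 14 a0 12; the decoder accepts the first and rejects the second on its outer tag. Feeding parse_tlv only the twelve captured bytes from the thread also raises, because 0x7e promises 126 content bytes that are not there, which is the behaviour to want from any DER reader handed a truncated or hostile buffer.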