
Decode ASN.1 - PKCS#7 non-detached signature

I am pretty new to the ASN.1 format. I have a PKCS#7 signature which, after running it through an ASN.1 dump, looks like the one below. Can someone help me understand what each element below signifies? I could only identify 2 certificates in the signature but cannot confirm which one is used for what. I would also appreciate it if you could shed some light on how I am supposed to decode and verify this signature and decrypt the data.

  0 904: SEQUENCE {
  4   9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
 15 889:   [0] {
 19 885:     SEQUENCE {
 23   1:       INTEGER 1
 26  11:       SET {
 28   9:         SEQUENCE {
 30   5:           OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
 37   0:           NULL
       :           }
       :         }
 39 404:       SEQUENCE {
 43   9:         OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
 54 389:         [0] {
 58 385:           SEQUENCE {
 62   1:             INTEGER 0
 65 348:             SET {
 69 344:               SEQUENCE {
 73   1:                 INTEGER 0
 76  63:                 SEQUENCE {
 78  43:                   SEQUENCE {
 80  11:                     SET {
 82   9:                       SEQUENCE {
 84   3:                         OBJECT IDENTIFIER countryName (2 5 4 6)
 89   2:                         PrintableString 'US'
       :                         }
       :                       }
 93  12:                     SET {
 95  10:                       SEQUENCE {
 97   3:                         OBJECT IDENTIFIER organizationName (2 5 4 10)
102   3:                         PrintableString 'ABC'
       :                         }
       :                       }
107  14:                     SET {
109  12:                       SEQUENCE {
111   3:                         OBJECT IDENTIFIER commonName (2 5 4 3)
116   5:                         PrintableString 'CA'
       :                         }
       :                       }
       :                     }
123  16:                   INTEGER 0A 01 41 7E 00 74 01 51 8F 8F 74 7E 8F 4D A6 B5
       :                   }
141  13:                 SEQUENCE {
143   9:                   OBJECT IDENTIFIER rsaOAEP (1 2 840 113549 1 1 7)
154   0:                   SEQUENCE {}
       :                   }
156 257:                 BIT STRING
       :                   C2 A1 7A FA B2 08 1C CC CA BB 46 96 FA 1D 84 6C
                           Truncated
       :                 }
       :               }
417  28:             SEQUENCE {
419   9:               OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
430  15:               SEQUENCE {
432   7:                 OBJECT IDENTIFIER '1 2 840 10047 1 1'
441   4:                 SEQUENCE {
443   2:                   BIT STRING 6 unused bits
       :                     '10'B (bit 1)
       :                   }
       :                 }
       :               }
       :             }
       :           }
       :         }
447 457:       SET {
451 453:         SEQUENCE {
455   1:           INTEGER 1
458  63:           SEQUENCE {
460  43:             SEQUENCE {
462  11:               SET {
464   9:                 SEQUENCE {
466   3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
471   2:                   PrintableString 'US'
       :                   }
       :                 }
475  12:               SET {
477  10:                 SEQUENCE {
479   3:                   OBJECT IDENTIFIER organizationName (2 5 4 10)
484   3:                   PrintableString 'ABC'
       :                   }
       :                 }
489  14:               SET {
491  12:                 SEQUENCE {
493   3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
498   5:                   PrintableString 'CA'
       :                   }
       :                 }
       :               }
505  16:             INTEGER 40 01 58 68 58 0E CD A1 CE 86 CD E8 C9 12 46 90
       :             }
523   9:           SEQUENCE {
525   5:             OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
532   0:             NULL
       :             }
534  97:           [0] {
536  24:             SEQUENCE {
538   9:               OBJECT IDENTIFIER contentType (1 2 840 113549 1 9 3)
549  11:               SET {
551   9:                 OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
       :                 }
       :               }
562  32:             SEQUENCE {
564  10:               OBJECT IDENTIFIER '1 2 840 113549 1 9 37 3'
576  18:               SET {
578  16:                 OCTET STRING 85 D5 DA CC C2 97 B5 78 F7 60 52 9F 24 9B 45 74
       :                 }
       :               }
596  35:             SEQUENCE {
598   9:               OBJECT IDENTIFIER messageDigest (1 2 840 113549 1 9 4)
609  22:               SET {
611  20:                 OCTET STRING
       :                   DD 89 06 A7 B4 56 A8 EC F1 DB 9F 69 BA 30 F6 5D
       :                   CB 25 91 98
       :                 }
       :               }
       :             }
633  13:           SEQUENCE {
635   9:             OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
646   0:             NULL
       :             }
648 256:           OCTET STRING
       :             76 A2 36 CA 5B 8E 01 72 01 42 A7 1B 51 82 55 BD
       :             truncated ...
       :           }
       :         }
       :       }
       :     }
       :   }

It's a SignedCms message (byte offset 4) wrapping an EnvelopedCms message (byte offset 43).

The message was signed by a certificate with serial number 40 01 58 68 58 0E CD A1 CE 86 CD E8 C9 12 46 90 (byte offset 505) and issuer "CN=CA, O=ABC, C=US" (byte offset 460). It was signed with RSA-SHA1 (PKCS#1 v1.5 padding).

The signed payload (the EnvelopedCms) is confusing me, since byte offset 443 shows a BIT STRING where I don't expect one (and consequently don't see the data that should be in that position). What I can tell is that it was encrypted with a single target recipient, which is the holder of the certificate with serial number 0A 01 41 7E 00 74 01 51 8F 8F 74 7E 8F 4D A6 B5 (byte offset 123) from issuer "CN=CA, O=ABC, C=US" (byte offset 78).

--Edit: As for the requested fields:

  • byte offset 648: That's the RSA-PKCS1-SHA1 signature from the signer.
  • byte offset 156: This is where ktri.encryptedKey should be. But that should be an OCTET STRING, not a BIT STRING. This is the RSA encrypted version of the AES/3DES/whatever key.
  • byte offset 578: That should be an encoded PKCS#9 Unstructured Name. But it doesn't seem legal from this parse output.

Bonus edit: byte offset 443 should be a SEQUENCE (0x30) starting with an OID (0x06), but it's a BIT STRING (0x03) with a 6 bit unused bits field. Seems like someone had a hex constant backwards somewhere.

As for how to read it... if you're in .NET and using C#:

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// message: the raw DER bytes of the SignedData shown in the question.
// candidateCertsWithPrivateKey: certificates (with private keys) that may be the recipient.
static byte[] VerifyAndDecrypt(byte[] message, X509Certificate2Collection candidateCertsWithPrivateKey)
{
    SignedCms signedCms = new SignedCms();
    signedCms.Decode(message);
    // Throws on failure. 'true' = verify the signature only, not the certificate chain,
    // which is why the trust check below is still needed.
    signedCms.CheckSignature(true);

    SignerInfoCollection signers = signedCms.SignerInfos;

    if (signers.Count != 1 || signers[0].Certificate == null)
    {
        throw new InvalidOperationException("I don't know how to verify the signer trust");
    }

    // Exercise left to the reader
    if (!IsSignerTrustedForThisMessage(signers[0].Certificate))
    {
        throw new CryptographicException();
    }

    EnvelopedCms envelopedCms = new EnvelopedCms();
    envelopedCms.Decode(signedCms.ContentInfo.Content);

    // If you know the expected certificate(s) for decryption
    envelopedCms.Decrypt(candidateCertsWithPrivateKey);
    // (which will search certificate stores if it can't find a match)
    // otherwise `envelopedCms.Decrypt();` will -only- search the cert stores

    // It's only the decrypted content after the call to Decrypt, of course.
    byte[] decryptedMessage = envelopedCms.ContentInfo.Content;
    return decryptedMessage;
}

For Win32 C you'd want the CryptMsg* APIs, and other platforms probably have ways of doing it without implementing the CMS RFC (IETF RFC 5652) yourself.
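The answer's diagnosis rests on reading tag bytes at particular offsets: offset 156 holds a BIT STRING (0x03) where KeyTransRecipientInfo.encryptedKey must be an OCTET STRING (0x04), and offset 443 holds a BIT STRING where a SEQUENCE (0x30) belongs. The following is an added example (not the poster's code, not the .NET or CryptMsg API) of a minimal DER tag/length/value walker that prints the same offset/length/tag listing as the dump in the question and checks the tag found at a structural path. The input is a constructed toy KeyTransRecipientInfo, not the poster's blob; the `build_recipient_info` helper and the path `[0, 3]` (fourth field of the first SEQUENCE) are assumptions made for the demonstration.

```python
"""Tiny DER walker (added example, not from the thread or any library).

Lists elements as  offset length: TAG  like the ASN.1 dump in the question,
and flags an element whose tag is not the one the CMS structure requires.
"""
from dataclasses import dataclass
from typing import List, Optional

TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
             0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x13: "PrintableString",
             0x30: "SEQUENCE", 0x31: "SET", 0xA0: "[0]"}


@dataclass
class Node:
    offset: int          # absolute offset of the tag byte (first column of the dump)
    tag: int
    length: int          # content length (second column of the dump)
    value: bytes
    children: List["Node"]


def read_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, bytes_consumed)."""
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError(f"bad length encoding at offset {pos}")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    # DER requires the shortest encoding; reject long forms that fit in fewer bytes
    if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
        raise ValueError(f"non-minimal DER length at offset {pos}")
    return length, 1 + n


def parse(buf: bytes, start: int = 0, end: Optional[int] = None) -> List[Node]:
    """Parse all TLVs in buf[start:end]; constructed tags (bit 0x20) recurse."""
    end = len(buf) if end is None else end
    nodes, pos = [], start
    while pos < end:
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError(f"multi-byte tags not supported (offset {pos})")
        length, lsize = read_length(buf, pos + 1)
        vstart, vend = pos + 1 + lsize, pos + 1 + lsize + length
        if vend > end:
            raise ValueError(f"element at offset {pos} runs past its parent")
        children = parse(buf, vstart, vend) if tag & 0x20 else []
        nodes.append(Node(pos, tag, length, buf[vstart:vend], children))
        pos = vend
    return nodes


def dump(nodes: List[Node], depth: int = 0, out: Optional[List[str]] = None) -> List[str]:
    """Render the tree in the dump's 'offset length: TAG' style."""
    out = [] if out is None else out
    for n in nodes:
        name = TAG_NAMES.get(n.tag, f"[tag 0x{n.tag:02X}]")
        extra = f" {n.value[0]} unused bits" if n.tag == 0x03 and n.value else ""
        out.append(f"{n.offset:>4} {n.length:>4}: {'  ' * depth}{name}{extra}")
        dump(n.children, depth + 1, out)
    return out


def node_at(nodes: List[Node], path: List[int]) -> Node:
    """Follow child indexes, e.g. [0, 3] = fourth child of the first element."""
    cur = nodes[path[0]]
    for i in path[1:]:
        cur = cur.children[i]
    return cur


def check_tag(nodes: List[Node], path: List[int], expected: int) -> Optional[str]:
    """None if the element at path carries the expected tag, else a diagnostic."""
    n = node_at(nodes, path)
    if n.tag == expected:
        return None
    return (f"offset {n.offset}: expected {TAG_NAMES.get(expected)} (0x{expected:02X}), "
            f"found {TAG_NAMES.get(n.tag, hex(n.tag))} (0x{n.tag:02X})")


# --- constructed sample input (assumption: toy KeyTransRecipientInfo, not real data) ---
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


OID_CN = bytes.fromhex("550403")               # 2.5.4.3 commonName
OID_RSA = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def build_recipient_info(encrypted_key_tag: int) -> bytes:
    """SEQUENCE { version, IssuerAndSerialNumber, AlgorithmIdentifier, encryptedKey }."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x13, b"CA"))))
    issuer_and_serial = tlv(0x30, name + tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b""))
    # a BIT STRING carries a leading unused-bits byte; an OCTET STRING does not
    key = b"\x00\xAA\xBB\xCC" if encrypted_key_tag == 0x03 else b"\xAA\xBB\xCC"
    return tlv(0x30, tlv(0x02, b"\x00") + issuer_and_serial + alg + tlv(encrypted_key_tag, key))


BROKEN = build_recipient_info(0x03)   # same defect as the question's offset 156
FIXED = build_recipient_info(0x04)


def find_encrypted_key_problem(der: bytes) -> Optional[str]:
    """encryptedKey is the fourth field of KeyTransRecipientInfo and must be OCTET STRING."""
    return check_tag(parse(der), [0, 3], 0x04)


if __name__ == "__main__":
    print("\n".join(dump(parse(BROKEN))))
    print(find_encrypted_key_problem(BROKEN))   # offset 40: expected OCTET STRING ...
    print(find_encrypted_key_problem(FIXED))    # None
```

The same `check_tag` call with `0x30` as the expected tag reproduces the "bonus edit" finding at offset 443, where an EncapsulatedContentInfo SEQUENCE was expected. A production decoder should reject such a message outright rather than guess at the author's intent; the walker above only reports where the encoding departs from the structure.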
