On Tue, 06 Oct 2009, Wan-Teh Chang wrote:
> On Tue, Oct 6, 2009 at 3:04 AM, Konstantin Andreev <andr...@swemel.ru> wrote:
> > One more question about decoding DER structures.
> > Some PKCS#11 mechanisms (namely, CKM_GOSTR3410) accept DER-encoded parameters,
> > which include the DER tag-length prefix.
> > I dissect these parameters from some wrapping DER structure with
> > SEC_QuickDERDecodeItem. Unfortunately, I could not find an option to ask the
> > decoder to put the tag-length prefix together with the item.
> > To handle this, I adjust the decoded SECItems after decoding:
> >     SECItem t;
> >     t.len += 2;
> >     t.data -= 2;
> > This works for now, because the parameters are OIDs which fit in a 128-byte limit.
> > But this is unsafe.
> > Please advise: how can I save the DER tag-length in the item safely?
> I suspect that the SEC_ASN1_ANY decoder modifier is what you want, and you should *not*
> specify SEC_ASN1_INNER:
> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/util/quickder.c&rev=1.23&mark=779,781,783,785#779
> There is a limitation of SEC_ASN1_ANY if SEC_ASN1_OPTIONAL is also specified --
> in that case, it must be the last template in the template array. (See NSS
> tech note 1.)
I've checked this. SEC_ASN1_ANY saves the tag-length prefix, but ignores the tag
number, thus matches anything.
> If SEC_ASN1_ANY doesn't work for you, the only solution I have is to re-encode
> the decoded SECItem.
I think it's better to manually check the tag numbers caught by SEC_ASN1_ANY.
Thank you for the useful information.
Best regards,
--
Konstantin Andreev, software engineer.
Swemel JSC
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
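An added C example, not part of this thread or of NSS, showing why the fixed "subtract 2" adjustment is only safe for short-form lengths (content under 128 bytes) and how an item that points at an element's content can reclaim its tag-length prefix by re-parsing and validating the header that precedes it. DerItem is a stand-in for SECItem; der_header_len, der_item_with_header, encode_octet_string and the sample byte arrays are all constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for NSS's SECItem (constructed here, not NSS code): a decoder such as
 * SEC_QuickDERDecodeItem hands back only the element's content, not its header. */
typedef struct {
    const unsigned char *data;
    size_t len;
} DerItem;

/* Parse the DER tag-length header at buf[0..avail). Returns the header size and stores
 * the content length; returns 0 for truncated, indefinite or non-minimal encodings. */
size_t der_header_len(const unsigned char *buf, size_t avail, size_t *content_len)
{
    size_t pos = 0, nbytes, len = 0;
    if (avail < 2) return 0;
    if ((buf[pos++] & 0x1F) == 0x1F) {      /* low five bits set: multi-octet tag number */
        while (pos < avail && (buf[pos] & 0x80)) pos++;
        if (pos++ >= avail) return 0;       /* consume the final tag octet (high bit clear) */
    }
    if (pos >= avail) return 0;
    unsigned char lb = buf[pos++];
    if (lb < 0x80) {                        /* short form: the "two-byte prefix" case */
        len = lb;
    } else {
        nbytes = lb & 0x7F;                 /* long form: lb says how many length octets follow */
        if (nbytes == 0 || nbytes > sizeof(size_t) || pos + nbytes > avail)
            return 0;                       /* 0x80 would mean indefinite length: not DER */
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | buf[pos + i];
        if (len < 0x80 || buf[pos] == 0) return 0;  /* DER requires the shortest encoding */
        pos += nbytes;
    }
    if (len > avail - pos) return 0;        /* the content must actually be present */
    *content_len = len;
    return pos;
}

/* Widen an item that points at an element's content inside `outer` to the whole TLV by
 * finding and validating the preceding header, instead of assuming it is two bytes. */
int der_item_with_header(const unsigned char *outer, size_t outer_len, DerItem *item)
{
    const unsigned char *end = outer + outer_len;
    if (item->data < outer || item->data + item->len > end) return 0;
    size_t before = (size_t)(item->data - outer), max_h = 6 + sizeof(size_t);
    for (size_t h = 2; h <= max_h && h <= before; h++) {
        const unsigned char *start = item->data - h;
        size_t cl = 0;                      /* a real header ends exactly where the content starts */
        if (der_header_len(start, (size_t)(end - start), &cl) == h && cl == item->len) {
            item->data = start;
            item->len += h;
            return 1;
        }
    }
    return 0;
}

/* Constructed helper: DER-encode an OCTET STRING of content_len zero bytes into out. */
size_t encode_octet_string(unsigned char *out, size_t cap, size_t content_len)
{
    unsigned char hdr[2 + sizeof(size_t)];
    size_t h = 0, n = 0, tmp = content_len;
    hdr[h++] = 0x04;
    if (content_len < 0x80) {
        hdr[h++] = (unsigned char)content_len;
    } else {
        while (tmp) { n++; tmp >>= 8; }     /* minimal number of length octets */
        hdr[h++] = (unsigned char)(0x80 | n);
        for (size_t i = 0; i < n; i++)
            hdr[h++] = (unsigned char)(content_len >> (8 * (n - 1 - i)));
    }
    if (h + content_len > cap) return 0;
    memcpy(out, hdr, h);
    memset(out + h, 0, content_len);
    return h + content_len;
}

/* Header size a decoded OCTET STRING item of content_len bytes would need to reclaim. */
size_t header_size_for_octet_string(size_t content_len)
{
    unsigned char buf[512];
    size_t cl = 0, h, total = encode_octet_string(buf, sizeof buf, content_len);
    if (total == 0) return 0;
    h = der_header_len(buf, total, &cl);
    return (h && cl == content_len) ? h : 0;
}
size_t header_len_of(const unsigned char *buf, size_t n) { size_t cl = 0; return der_header_len(buf, n, &cl); }

/* Constructed sample: SEQUENCE { OBJECT IDENTIFIER 1.2.840.113549 }. */
const unsigned char SAMPLE_SEQ[] = {0x30, 0x08, 0x06, 0x06, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d};
/* Constructed malformed headers: indefinite length, and a non-minimal long form. */
const unsigned char BAD_INDEFINITE[] = {0x30, 0x80, 0x00, 0x00};
const unsigned char BAD_NONMINIMAL[] = {0x04, 0x81, 0x05, 0, 0, 0, 0, 0};

/* The decoder returns the OID content (offset 4, 6 bytes); reclaim its full TLV. */
int recover_oid_example(void)
{
    DerItem oid = { SAMPLE_SEQ + 4, 6 };
    if (!der_item_with_header(SAMPLE_SEQ, sizeof SAMPLE_SEQ, &oid)) return 0;
    return oid.data == SAMPLE_SEQ + 2 && oid.len == 8 && oid.data[0] == 0x06;
}
```

For a 100-byte OCTET STRING the header is 2 bytes and the hack happens to work; for 200 bytes it is 3 bytes and for 300 bytes it is 4, so `t.data -= 2` would leave the item pointing into the middle of the length field. der_item_with_header only accepts a candidate header that decodes to exactly the item's length and rejects indefinite-length and non-minimal encodings, which is the check one would also want after matching a field with SEC_ASN1_ANY.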