Bug #4030
closedext/openssl OpenSSL::ASN1::decode / to_der
Description
=begin
Hi all,
I have a PKCS#7 SignedData whose EncapContentInfo's content is BER-encoded using indefinite length. If I decode it and then encode it again, e.g. by
der_string = OpenSSL::ASN1::decode(File.read("signature_file")).to_der
File.open("out_Again", "w") do |out|
out.print(der_string)
end
then, the resulting file will no longer use the previous encoding, but actually DER-encode the content using definite length.
I think I spotted the reason for this in ext/openssl/ossl_asn1.c:
if(j & V_ASN1_CONSTRUCTED){
/* TODO: if j == 0x21 it is indefinite length object. */
if((j == 0x21) && (len == 0)){
long lastoff = off;
value = ossl_asn1_decode0(&p, length, &off, depth+1, 0, yield);
len = off - lastoff;
}
else value = ossl_asn1_decode0(&p, len, &off, depth+1, 0, yield);
}
Could the encoding be preserved? A simple way would be to cache the initial encoding and the information that infinite length tags were used?
I'd love to write a library for digital signatures in Ruby that supports CAdES (RFC5126) signatures. For these signatures, elements of the SignedData are hashed and on the basis of these hashes, timestamps are generated. For recalculating these hashes it's very important that the encoding is exactly the same as the initial one. Unfortunately, with the current implementation, this would only be possible if the initial signature is already DER-encoded, but it would fail for BER-encoded signatures.
Best regards,
Martin Boßlet
=end
Files