How to get algorithm field from signed PE PKCS#7 block











I've got PKCS#7 content extracted from a PE file.

The first part, before the certificate chain (it goes from the beginning up to the cert: label), contains info about the file integrity.

In particular, the hash that matches the file hash and the algorithm that is used to generate this hash (worth FA0FE65F973A5709DC04EE18ABEF353EBEFEA669 and sha1 correspondingly in the example listed below).

I'm using OpenSSL and I'd like to extract the hash algorithm type from the X509 format. I tried something like printing the md_algs struct from the debugger, hoping to find the algorithm field worth 1.3.14.3.2.26, but this is what I saw:

    p *(Pkcs7->d.sign->md_algs)
    (stack_st_X509_ALGOR) $6 = {
      stack = {
        num = 1
        data = 0x00000001024457f0
        sorted = 0
        num_alloc = 4
        comp = 0x0000000000000000
      }
    }

Where can I see the algorithm field?

P.S. Here's the relevant part of the pkcs7 struct:



    PKCS7:
      type: pkcs7-signedData (1.2.840.113549.1.7.2)
      d.sign:
        version: 1
        md_algs:
            algorithm: sha1 (1.3.14.3.2.26)
            parameter: NULL
        contents:
          type: undefined (1.3.6.1.4.1.311.2.1.4)
          d.other: SEQUENCE:
         0:d=0 hl=2 l= 60 cons: SEQUENCE
         2:d=1 hl=2 l= 23 cons:  SEQUENCE
         4:d=2 hl=2 l= 10 prim:   OBJECT :1.3.6.1.4.1.311.2.1.15
        16:d=2 hl=2 l=  9 cons:   SEQUENCE
        18:d=3 hl=2 l=  1 prim:    BIT STRING
        21:d=3 hl=2 l=  4 cons:    cont [ 0 ]
        23:d=4 hl=2 l=  2 cons:     cont [ 2 ]
        25:d=5 hl=2 l=  0 prim:      cont [ 0 ]
        27:d=1 hl=2 l= 33 cons:  SEQUENCE
        29:d=2 hl=2 l=  9 cons:   SEQUENCE
        31:d=3 hl=2 l=  5 prim:    OBJECT :sha1
        38:d=3 hl=2 l=  0 prim:    NULL
        40:d=2 hl=2 l= 20 prim:   OCTET STRING [HEX DUMP]:FA0FE65F973A5709DC04EE18ABEF353EBEFEA669
        cert:
            cert_info:
    ...


thanks










Tags: encryption openssl sha pkcs#7 asn1

asked Nov 8 at 9:56 by Zohar81

1 Answer (accepted)

Defined in pkcs7.h, the md_algs attribute that you are inspecting is a stack of X509_ALGOR instances:

    typedef struct pkcs7_signed_st {
        ASN1_INTEGER *version;          /* version 1 */
        STACK_OF(X509_ALGOR) *md_algs;  /* md used */
        STACK_OF(X509) *cert;           /* [ 0 ] */
        STACK_OF(X509_CRL) *crl;        /* [ 1 ] */
        STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
        struct pkcs7_st *contents;
    } PKCS7_SIGNED;

It can be safely accessed via the OpenSSL Stack API, for example using the function sk_X509_ALGOR_value() to inspect its element(s).

X509_ALGOR itself is defined in x509.h:

    struct X509_algor_st {
        ASN1_OBJECT *algorithm;
        ASN1_TYPE *parameter;
    } /* X509_ALGOR */ ;

The information you are looking for is stored in the property algorithm, which you can inspect using, for example, OBJ_obj2txt().

Tying it together, to get a textual representation of the first algorithm in the stack, you could do something like this:

    char tbuf[20];
    /* md_algs is a STACK_OF(X509_ALGOR); index 0 is its first element */
    X509_ALGOR *algor = sk_X509_ALGOR_value(Pkcs7->d.sign->md_algs, 0);
    /* last argument 0: use the registered name if there is one, else the dotted OID */
    int res = OBJ_obj2txt(tbuf, sizeof tbuf, algor->algorithm, 0);

After that, tbuf should contain a value like "sha1" and res contains the length of that string. For programmatic purposes, a function like OBJ_obj2nid() is probably more useful.

The debugger did not give you this information because the data field in the stack element is not strongly typed. You would have to cast it yourself to indicate that it is an array of pointers to X509_ALGOR structs. The OpenSSL Stack API provides you a set of macros that do the casting for you and access the array that way. And then, the ASN1_OBJECT that you end up with is hard to inspect or interpret in the debugger since it is just a bunch of bytes representing an object id in ASN.1 format.

answered Nov 8 at 16:50 by Reinier Torenbeek (edited Nov 8 at 19:18)
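
To make the answer's last point concrete, the following added example (not code from the question, the answer, or OpenSSL) walks the contents.d.other bytes with only the C standard library and decodes the digest algorithm's OBJECT IDENTIFIER into the dotted form that OBJ_obj2txt() prints when its last argument is non-zero. The byte array is rebuilt by hand from the asn1parse dump in the question; der_take, oid_to_text and spc_digest_info are hypothetical helper names, and the SpcIndirectDataContent layout is assumed from the type OID 1.3.6.1.4.1.311.2.1.4 shown in the dump.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input (added example): contents.d.other rebuilt from the question's dump. */
static const unsigned char SPC[] = {
    0x30,0x3C, 0x30,0x17, 0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x0F,
    0x30,0x09, 0x03,0x01,0x00, 0xA0,0x04,0xA2,0x02,0x80,0x00, 0x30,0x21, 0x30,0x09,
    0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A, 0x05,0x00, 0x04,0x14, 0xFA,0x0F,0xE6,0x5F,
    0x97,0x3A,0x57,0x09,0xDC,0x04,0xEE,0x18,0xAB,0xEF,0x35,0x3E,0xBE,0xFE,0xA6,0x69
};

/* Hypothetical helper: take one DER element with the expected tag; NULL if malformed. */
static const unsigned char *der_take(const unsigned char **p, const unsigned char *end,
                                     unsigned char tag, size_t *len)
{
    const unsigned char *q = *p;
    if (end - q < 2 || *q++ != tag) return NULL;
    *len = *q++;
    if (*len & 0x80) {                  /* long form: low 7 bits count the length bytes */
        size_t n = *len & 0x7F;
        if (n == 0 || n > sizeof *len || (size_t)(end - q) < n) return NULL;
        for (*len = 0; n > 0; n--) *len = (*len << 8) | *q++;
    }
    if ((size_t)(end - q) < *len) return NULL;   /* value would run past the buffer */
    *p = q + *len;
    return q;
}

/* Decode OBJECT IDENTIFIER content bytes to dotted text; returns its length or -1. */
static int oid_to_text(const unsigned char *v, size_t n, char *buf, size_t cap)
{
    unsigned long arc = 0;
    size_t i, used = 0;
    if (n == 0 || (v[n - 1] & 0x80) || cap == 0) return -1;
    for (i = 0; i < n; i++) {
        if (arc >> (8 * sizeof arc - 7)) return -1;    /* next shift would overflow */
        arc = (arc << 7) | (v[i] & 0x7F);
        if (v[i] & 0x80) continue;                     /* more base-128 digits follow */
        /* the first value packs the two leading arcs as 40*X + Y */
        int w = used ? snprintf(buf + used, cap - used, ".%lu", arc) :
            snprintf(buf, cap, "%lu.%lu", arc < 80 ? arc / 40 : 2, arc < 80 ? arc % 40 : arc - 80);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w; arc = 0;
    }
    return (int)used;
}

/* Hypothetical helper: SEQUENCE { data, messageDigest { AlgorithmIdentifier, digest } } */
static int spc_digest_info(const unsigned char *der, size_t n, char *alg, size_t cap,
                           const unsigned char **dig, size_t *dlen)
{
    const unsigned char *p = der, *end = der + n, *v, *av;
    size_t len, alen;
    if (!(v = der_take(&p, end, 0x30, &len))) return -1;         /* outer SEQUENCE */
    p = v; end = v + len;
    if (!der_take(&p, end, 0x30, &len) || !(v = der_take(&p, end, 0x30, &len))) return -1;
    p = v; end = v + len;                                        /* inside messageDigest */
    if (!(av = der_take(&p, end, 0x30, &alen))) return -1;       /* AlgorithmIdentifier */
    if (!(*dig = der_take(&p, end, 0x04, dlen))) return -1;      /* digest OCTET STRING */
    if (!(v = der_take(&av, av + alen, 0x06, &len))) return -1;  /* algorithm OID */
    return oid_to_text(v, len, alg, cap) < 0 ? -1 : 0;
}

int main(void)
{
    char alg[32]; const unsigned char *dig; size_t dlen;
    if (spc_digest_info(SPC, sizeof SPC, alg, sizeof alg, &dig, &dlen)) return 1;
    printf("%s, %lu-byte digest\n", alg, (unsigned long)dlen);
    return strcmp(alg, "1.3.14.3.2.26") != 0;   /* exit 0 when the OID is sha1 */
}
```

The five content bytes 2B 0E 03 02 1A at offset 33 are what the ASN1_OBJECT holds, which is why the debugger view of it is opaque until something like OBJ_obj2txt() or OBJ_obj2nid() interprets them.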






























                     
