EldoS | Feel safer!


How to identify a PKCS#7 binary signature data block?

Posted: 02/16/2011 10:31:00
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 165


I have a rather complex application that uses CAPICOM for digitally signing files (detached). The original reason for using CAPICOM was that the signature process must be performed from a 3rd party application module that was written in VB.

The specification has now changed and I must add support for the PKCS#7 signature block generated by a .NET application through the SignedCms class. At this time, I have no idea how the file will be stored on disk and the 3rd party is being particularly slow to answer queries (read: several months), so I had to write in the spec that I would handle the detached signature file in base64 encoding OR in "native" binary format.

So far, everything seems to be working fine: I have written methods to load the signature block either as straight binary or as base64-encoded text, and both are working fine. In order to finalize the work, however, I'd like to be able to identify when a file is in binary format (and also validate the result of the base64 decoding).

So the question becomes: is there some kind of marker or indicator in a file or memory block that indicates that it is a PKCS#7 message block?

Thank you
Posted: 02/16/2011 10:50:08
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

I would simplify the task by checking whether the input is the beginning of an ASN.1 message rather than checking it against full PKCS#7 conformance (as the latter is a non-trivial task and in fact requires you to perform full parsing of the input). The outermost PKCS#7 ASN.1 SEQUENCE tag is represented with one of the following sequences of bytes:

0x30 0x80 <data>
0x30 0x81 <Len> <data>
0x30 0x82 <LenMajor> <LenMinor> <data>
0x30 0x83 <Len3> <Len2> <Len1> <data>
0x30 0x84 <Len4> <Len3> <Len2> <Len1> <data>

So it makes sense to perform two comparisons: whether the first byte of the input is 0x30, and whether the second byte is in the range 0x80-0x84. This will tell you whether the input is the beginning of a binary ASN.1 message.
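A worked version of this check, added here as an example and not code from the thread or from EldoS: it performs the two byte comparisons above, additionally parses the declared length so that a block shorter than its header claims is rejected, and falls back to base64 decoding (bare or PEM-armoured) with the same check applied to the decoded bytes. The sample block is constructed for illustration and is not a real signature.

```python
import base64
import binascii

def asn1_sequence_length(buf: bytes):
    """Return (header_len, content_len) if buf opens with an ASN.1 SEQUENCE tag
    (0x30) followed by a long-form length byte 0x81..0x84 and that many length
    bytes, or (2, None) for the BER indefinite form 0x30 0x80. Otherwise None."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    second = buf[1]
    if second == 0x80:                  # BER indefinite length: no length bytes follow
        return (2, None)
    if 0x81 <= second <= 0x84:          # definite length, 1-4 big-endian length bytes follow
        n = second & 0x7F
        if len(buf) < 2 + n:
            return None
        return (2 + n, int.from_bytes(buf[2:2 + n], "big"))
    return None                         # short-form lengths (< 0x80) are not accepted, as in the answer

def is_binary_pkcs7_candidate(buf: bytes) -> bool:
    """The two byte comparisons from the answer, plus one caveat: a definite
    length must fit inside the data actually held, otherwise the block is
    truncated (or merely happens to start with 0x30 0x8x)."""
    parsed = asn1_sequence_length(buf)
    if parsed is None:
        return False
    header_len, content_len = parsed
    return content_len is None or len(buf) >= header_len + content_len

def load_detached_signature(data: bytes) -> bytes:
    """Accept the detached signature as raw binary, bare base64 text or
    PEM-armoured base64, and always return the validated binary block."""
    if is_binary_pkcs7_candidate(data):
        return data
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("neither binary ASN.1 nor ASCII base64 text") from exc
    lines = [s for s in (ln.strip() for ln in text.splitlines()) if not s.startswith("-----")]
    try:
        decoded = base64.b64decode("".join(lines), validate=True)
    except binascii.Error as exc:
        raise ValueError("not binary ASN.1 and not valid base64") from exc
    if not is_binary_pkcs7_candidate(decoded):
        raise ValueError("base64 decoded, but the result is not an ASN.1 SEQUENCE")
    return decoded

# Constructed sample: a 200-byte SEQUENCE body gives the header 30 81 C8. Not a real signature.
SAMPLE_DER = bytes([0x30, 0x81, 0xC8]) + bytes(200)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)
```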
Posted: 02/17/2011 02:07:08
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 165

Thank you: that is precisely what I was looking for. Excellent support as always :)

