How to identify a PKCS#7 binary signature data block ?

#15775
Posted: 02/16/2011 10:31:00
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

I have a rather complex application that uses CAPICOM for digitally signing files (detached). The original reason for using CAPICOM was that the signature process must be performed from a 3rd party application module that was written in VB.

The specification has now changed and I must add support for the PKCS#7 signature block generated by a .NET application through the SignedCms class. At this time, I have no idea how the file will be stored on disk and the 3rd party is being particularly slow to answer queries (read: several months). So I had to write in the spec that I would handle the detached signature file in base64 encoding OR in "native" binary format.

So far, everything seems to be working fine: I have written methods to load the signature block either as straight binary or as base-64 encoded text and both are working fine. In order to finalize the work, however, I'd like to be able to identify when a file is in binary format (and also validate the result of the base64 decoding).

So the question becomes: is there some kind of marker or indicator in a file or memory block that indicates that it is a PKCS#7 message block ?

Thank you
#15776
Posted: 02/16/2011 10:50:08
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

I would simplify the task by checking whether the input is the beginning of an ASN.1 message rather than checking it against full PKCS#7 conformance (as the latter is a non-trivial task and in fact requires you to perform full parsing of the input). The outermost PKCS#7 ASN.1 SEQUENCE tag is represented with one of the following sequences of bytes:

0x30 0x80 <data>
0x30 0x81 <Len> <data>
0x30 0x82 <LenMajor> <LenMinor> <data>
0x30 0x83 <Len3> <Len2> <Len1> <data>
0x30 0x84 <Len4> <Len3> <Len2> <Len1> <data>

So it makes sense to perform two comparisons: whether the first byte of the input is 0x30, and whether the second byte is in the range 0x80-0x84. This will tell you whether the input is the beginning of a binary ASN.1 message.
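A check along those lines, as an added example in Python (not code from the post or from EldoS): it matches the five header shapes listed above, additionally verifies that the declared length is consistent with the size of the buffer, and falls back to base64 decoding for the text form. The sample SEQUENCE is constructed for the example.

```python
import base64
import binascii

def parse_sequence_header(data):
    """Return (header_len, content_len) if `data` starts with an ASN.1 SEQUENCE
    tag (0x30) whose length uses one of the forms listed in the post, else None.
    content_len is None for the indefinite form (0x30 0x80), whose contents end
    with an end-of-contents marker 0x00 0x00.  Short-form lengths (second byte
    below 0x80) are not matched, as in the post; a real PKCS#7 signature is far
    longer than 127 bytes anyway."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    second = data[1]
    if second == 0x80:                       # indefinite length (BER)
        return 2, None
    if not 0x81 <= second <= 0x84:           # long form, 1..4 length octets follow
        return None
    n = second & 0x7F
    if len(data) < 2 + n:
        return None
    content_len = int.from_bytes(data[2:2 + n], "big")
    return 2 + n, content_len

def looks_like_binary_pkcs7(data):
    """True if the buffer starts with a SEQUENCE header and the declared
    length matches the buffer, which also validates a base64 decoding result."""
    hdr = parse_sequence_header(data)
    if hdr is None:
        return False
    header_len, content_len = hdr
    if content_len is None:
        return data.endswith(b"\x00\x00")    # indefinite form: check end-of-contents
    return header_len + content_len == len(data)

def load_detached_signature(blob):
    """Accept a detached signature either as raw DER or as base64 text
    (line breaks allowed); return the binary DER, or None if it is neither."""
    if looks_like_binary_pkcs7(blob):
        return blob
    try:
        decoded = base64.b64decode(b"".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if looks_like_binary_pkcs7(decoded) else None

# Constructed sample: a 300-byte body gives the 0x30 0x82 <LenMajor> <LenMinor> shape.
SAMPLE_DER = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(300)
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER)  # wrapped base64 text, as a file might hold it
```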
#15777
Posted: 02/17/2011 02:07:08
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thank you: that is precisely what I was looking for. Excellent support as always :)
