000015066 - MES: Getting PKCS #12 attributes such as friendly name

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000015066
Applies To: RSA BSAFE Micro Edition Suite, MES
Issue: MES: Getting PKCS #12 attributes such as friendly name
Resolution

The ASN.1 samples in samples\source\asn1 show how to use the ASN.1 APIs in MES.

Start at the beginning of the PKCS #12 data and parse down to the SafeBag attributes level.

1. The top level list has 3 elements:

PFX ::= SEQUENCE {
     version INTEGER {v3(3)}(v3,...),   -- 1.1
     authSafe ContentInfo,              -- 1.2
     macData     MacData OPTIONAL       -- 1.3
}


1.2 Go down one level (using R_ASN1_LIST_down()) and look inside the second element, authSafe, which is a PKCS #7 ContentInfo:

ContentInfo ::= SEQUENCE {
  contentType ContentType,              -- 1.2.1
  content                               -- 1.2.2
    [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }


1.2.1 According to PKCS #12:
============================
4.1  The AuthenticatedSafe type
As mentioned, the contentType field of authSafe shall be of type data or signedData. The
content field of the  authSafe shall, either directly (data case) or indirectly (signedData
case) contain a BER-encoded value of type AuthenticatedSafe.
============================

I looked at one of my PKCS #12 files and content type is PKCS #7 Data, so I'll use that as an example.  You want to check that 1.2.1 is equal to the OBJECT IDENTIFIER for PKCS #7 Data (06 09 2A 86 48 86 F7 0D 01 07 01).  If so, then continue to the next element (using R_ASN1_LIST_next()).


1.2.2 will be an OCTET STRING because

  Data ::= OCTET STRING


That OCTET STRING is constructed, so go down one level to get to the

AuthenticatedSafe ::= SEQUENCE OF ContentInfo -- 1.2.2.1
-- Data if unencrypted
-- EncryptedData if password-encrypted
-- EnvelopedData if public key-encrypted

The first element in that SEQUENCE OF is a ContentInfo:

ContentInfo ::= SEQUENCE { -- 1.2.2.1.1
  contentType ContentType,              -- 1.2.2.1.1.1
  content                               -- 1.2.2.1.1.2
    [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }


According to PKCS #12:
============================
An AuthenticatedSafe contains a sequence of  ContentInfo values. The content field of
these ContentInfo values contains either plaintext, encrypted or enveloped data.  In the
case of encrypted or enveloped data, the plaintext of the data holds the BER-encoding of
an instance of SafeContents.
============================


Like 1.2.1, check that 1.2.2.1.1.1 is equal to the OBJECT IDENTIFIER for PKCS #7 Data (06 09 2A 86 48 86 F7 0D 01 07 01).  If so, then continue.


Like 1.2.2, 1.2.2.1.1.2 will be an OCTET STRING because

  Data ::= OCTET STRING


That OCTET STRING is constructed, so go down one level to get to the
  SafeContents ::= SEQUENCE OF SafeBag  -- 1.2.2.1.1.2.1


Go down one level and get to the first SafeBag in the SEQUENCE OF.

SafeBag ::= SEQUENCE { -- 1.2.2.1.1.2.1.1
   bagId      BAG-TYPE.&id ({PKCS12BagSet}), -- 1.2.2.1.1.2.1.1.1
   bagValue   [0] EXPLICIT BAG-TYPE.&Type({PKCS12BagSet}{@bagId}), -- 1.2.2.1.1.2.1.1.2
   bagAttributes  SET OF PKCS12Attribute OPTIONAL -- 1.2.2.1.1.2.1.1.3
}

Go down one level and the third element is the bagAttributes. -- 1.2.2.1.1.2.1.1.3

Go down one level to the first PKCS12Attribute in the SET OF:

PKCS12Attribute ::= SEQUENCE { -- 1.2.2.1.1.2.1.1.3.1
   attrId ATTRIBUTE.&id ({PKCS12AttrSet}), -- 1.2.2.1.1.2.1.1.3.1.1
   attrValues SET OF ATTRIBUTE.&Type ({PKCS12AttrSet}{@attrId}) -- 1.2.2.1.1.2.1.1.3.1.2
} -- This type is compatible with the X.500 type "Attribute"


Go down one level to the first element and check that the attribute OID is equal to the OID for PKCS #9 friendly name (06 09 2A 86 48 86 F7 0D 01 09 14).  If so, then continue.

The next (second) element is a SET OF AttributeValue.

From RFC 3280:
============================
Attribute       ::=     SEQUENCE {
      type              AttributeType,
      values    SET OF AttributeValue }
            -- at least one value is required

AttributeType           ::=  OBJECT IDENTIFIER

AttributeValue          ::=  ANY
============================

Go down one level to the first element in the SET OF.

That element will be a BMPString.

From PKCS #9:
============================
friendlyName ATTRIBUTE ::= {
        WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName)) -- 1.2.2.1.1.2.1.1.3.1.2
        EQUALITY MATCHING RULE caseIgnoreMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-friendlyName
}
============================
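The walk described above, as an added example (not RSA's code and not the MES API): a plain DER reader in Python in which `children()` stands in for going down one level and stepping through that level's elements. All function names and the sample PFX are constructed for illustration; the code assumes definite-length encoding, single-byte tags and unencrypted PKCS #7 Data content, and accepts the inner OCTET STRING in either primitive or constructed form.

```python
PKCS7_DATA = bytes.fromhex("2A864886F70D010701")     # article shows 06 09 + these bytes
FRIENDLY_NAME = bytes.fromhex("2A864886F70D010914")  # article shows 06 09 + these bytes

def children(buf):                        # elements at one level: [(tag, value), ...]
    out, i = [], 0
    while i < len(buf):
        tag, n, j = buf[i], buf[i + 1], i + 2
        if n & 0x80:                      # long form: next n & 0x7F bytes hold the length
            n, j = int.from_bytes(buf[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
        if j + n > len(buf) or buf[i + 1] == 0x80:
            raise ValueError("truncated or indefinite-length element")
        out.append((tag, buf[j:j + n]))
        i = j + n
    return out

def data_content(content_info):
    """ContentInfo fields -> bytes in its Data OCTET STRING, or None if not Data."""
    (t, oid), (t0, explicit) = children(content_info)[:2]
    if (t, oid) != (0x06, PKCS7_DATA) or t0 != 0xA0:
        return None                       # e.g. EncryptedData: decrypt before walking
    tag, val = children(explicit)[0]      # 0x04 primitive, 0x24 constructed (join parts)
    return val if tag == 0x04 else b"".join(v for _, v in children(val))

def friendly_names(pfx):
    auth = data_content(children(children(pfx)[0][1])[1][1])     # PFX -> authSafe (1.2)
    if auth is None:
        raise ValueError("authSafe is not PKCS #7 Data")
    names = []
    for _, info in children(children(auth)[0][1]):               # each ContentInfo
        safe = data_content(info)
        for _, bag in (children(children(safe)[0][1]) if safe else []):
            for _, attrs in children(bag)[2:3]:                  # bagAttributes is OPTIONAL
                for _, attr in children(attrs):
                    (t, oid), (_, values) = children(attr)[:2]
                    if (t, oid) == (0x06, FRIENDLY_NAME):
                        names += [v.decode("utf-16-be")          # BMPString tag is 0x1E
                                  for g, v in children(values) if g == 0x1E]
    return names

def tlv(tag, value):                      # short-form encoder, enough for the sample below
    return bytes([tag, len(value)]) + value

def sample_pfx():                         # constructed, unencrypted test input (no macData)
    attr = tlv(0x30, tlv(0x06, FRIENDLY_NAME) + tlv(0x31, tlv(0x1E, "demo".encode("utf-16-be"))))
    bag = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010C0A0103"))  # certBag OID
              + tlv(0xA0, tlv(0x30, b"")) + tlv(0x31, attr))            # empty placeholder value
    safe = tlv(0x30, tlv(0x06, PKCS7_DATA) + tlv(0xA0, tlv(0x04, tlv(0x30, bag))))
    auth = tlv(0x30, tlv(0x06, PKCS7_DATA) + tlv(0xA0, tlv(0x04, tlv(0x30, safe))))
    return tlv(0x30, tlv(0x02, b"\x03") + auth)
```

`friendly_names(sample_pfx())` returns `["demo"]`; a ContentInfo whose contentType is not PKCS #7 Data is skipped rather than parsed.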

Legacy Article ID: a46062
