Re: Problem decrypting a pkcs7 structure
On Sun, Nov 03, 2002 at 01:56:31AM +0100, Massimiliano Pala wrote:
Hi,
I am trying to decrypt some data in a pkcs7 env structure. The problem comes
when I try to use the PKCS7_decrypt (I guess the problem to be in
PKCS_dataDecode that is actually called -- see pk7_doit.c and pk7_smime.c).
If I use a loaded normal certificate everything is fine, but when I try
to use a fake X509 structure where I store only the cert_info-issuer
and cert_info-serialNumber data (the only one that should be accessed
in the used when decrypting) I get a core dump.
Here it is the code:
if( (foo_cert = X509_new()) == NULL ) {
// Memory error...
} else {
char buffer[1024];
foo_cert-cert_info-issuer =
rinfo-ias-issuer;
foo_cert-cert_info-serialNumber =
rinfo-ias-serial;
}
bio = BIO_new(BIO_s_mem());
if (PKCS7_decrypt(p7, pkey, foo_cert, bio, 0) == 0) {
BIO_printf(bio_err, %s:%d: decryption failed\n, __FILE__,
__LINE__);
goto err;
}
Where am I wrong ? Is there a function for decrypting a pkcs7 structure
that does not require a (X509 *) [virtually useless, if not for cecking
against the recipient info, I guess] ?
It's easy to see PKCS7_decrypt() does X509_check_private_key(certificate, key)
and then PKCS7_dataDecode()
One could also read PKCS7_dataDecode() source to see decryption certificate
will only be used to match issuer and serial number with that of each
recipient info from enveloped data, so your code should work fine
with PKCS7_decrypt() replaced
good luck,
Vadim
--
Naina library: http://www.unity.net/~vf/naina_r1.tgz
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Problem decrypting a pkcs7 structure
Vadim Fedukovich wrote: [...] It's easy to see PKCS7_decrypt() does X509_check_private_key(certificate, key) and then PKCS7_dataDecode() One could also read PKCS7_dataDecode() source to see decryption certificate will only be used to match issuer and serial number with that of each recipient info from enveloped data, so your code should work fine with PKCS7_decrypt() replaced Indeed I had tried also using directly the PKCS7_dataDecode() but I got a core dump as well... Thanks for the hint on the PKCS7_decrypt(), however should't we add some checking on the passed parameters so as to avoid unsafe code from core dumping ? -- C'you, Massimiliano Pala --o- Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED] [EMAIL PROTECTED] http://www.openca.orgTel.: +39 (0)59 270 094 http://openca.sourceforge.netMobile: +39 (0)347 7222 365 smime.p7s Description: S/MIME Cryptographic Signature
Problem decrypting a pkcs7 structure
Hi,
I am trying to decrypt some data in a pkcs7 env structure. The problem comes
when I try to use the PKCS7_decrypt (I guess the problem to be in
PKCS_dataDecode that is actually called -- see pk7_doit.c and pk7_smime.c).
If I use a loaded normal certificate everything is fine, but when I try
to use a fake X509 structure where I store only the cert_info-issuer
and cert_info-serialNumber data (the only one that should be accessed
in the used when decrypting) I get a core dump.
Here it is the code:
if( (foo_cert = X509_new()) == NULL ) {
// Memory error...
} else {
char buffer[1024];
foo_cert-cert_info-issuer =
rinfo-ias-issuer;
foo_cert-cert_info-serialNumber =
rinfo-ias-serial;
}
bio = BIO_new(BIO_s_mem());
if (PKCS7_decrypt(p7, pkey, foo_cert, bio, 0) == 0) {
BIO_printf(bio_err, %s:%d: decryption failed\n, __FILE__,
__LINE__);
goto err;
}
Where am I wrong ? Is there a function for decrypting a pkcs7 structure
that does not require a (X509 *) [virtually useless, if not for cecking
against the recipient info, I guess] ?
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.openca.orgTel.: +39 (0)59 270 094
http://openca.sourceforge.netMobile: +39 (0)347 7222 365
smime.p7s
Description: S/MIME Cryptographic Signature
Re: Problem decrypting a pkcs7 structure
Hi all,
I am replying myself... this seems like a sign I have to stop working
late at night... anyway... here it comes the real message...
Massimiliano Pala wrote:
Hi,
I am trying to decrypt some data in a pkcs7 env structure. The problem
comes
when I try to use the PKCS7_decrypt (I guess the problem to be in
PKCS_dataDecode that is actually called -- see pk7_doit.c and pk7_smime.c).
If I use a loaded normal certificate everything is fine, but when I try
to use a fake X509 structure where I store only the cert_info-issuer
and cert_info-serialNumber data (the only one that should be accessed
in the used when decrypting) I get a core dump.
Here it is the code:
if( (foo_cert = X509_new()) == NULL ) {
// Memory error...
} else {
char buffer[1024];
foo_cert-cert_info-issuer =
rinfo-ias-issuer;
foo_cert-cert_info-serialNumber =
rinfo-ias-serial;
}
bio = BIO_new(BIO_s_mem());
if (PKCS7_decrypt(p7, pkey, foo_cert, bio, 0) == 0) {
BIO_printf(bio_err, %s:%d: decryption failed\n, __FILE__,
__LINE__);
goto err;
}
Where am I wrong ? Is there a function for decrypting a pkcs7 structure
that does not require a (X509 *) [virtually useless, if not for cecking
against the recipient info, I guess] ?
Still I don't know where and why, but it seems that in the fake X509
there should be a pkey, so I made with the one I had... :-D this code
fixes the problem (after the X509_new()), but if you know why the old
one was not working, please let me know ...
X509_set_issuer_name(foo_cert,rinfo-ias-issuer);
X509_set_subject_name(foo_cert,rinfo-ias-issuer);
X509_set_serialNumber(foo_cert,rinfo-ias-serial);
// X509_gmtime_adj(X509_get_notBefore(foo_cert),0);
// X509_gmtime_adj(X509_get_notAfter(foo_cert), 1L );
X509_set_pubkey(foo_cert, pkey);
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.openca.orgTel.: +39 (0)59 270 094
http://openca.sourceforge.netMobile: +39 (0)347 7222 365
smime.p7s
Description: S/MIME Cryptographic Signature
