Re: Problem decrypting a pkcs7 structure
On Sun, Nov 03, 2002 at 01:56:31AM +0100, Massimiliano Pala wrote: Hi, I am trying to decrypt some data in a pkcs7 env structure. The problem comes when I try to use the PKCS7_decrypt (I guess the problem to be in PKCS_dataDecode that is actually called -- see pk7_doit.c and pk7_smime.c). If I use a loaded normal certificate everything is fine, but when I try to use a fake X509 structure where I store only the cert_info-issuer and cert_info-serialNumber data (the only one that should be accessed in the used when decrypting) I get a core dump. Here it is the code: if( (foo_cert = X509_new()) == NULL ) { // Memory error... } else { char buffer[1024]; foo_cert-cert_info-issuer = rinfo-ias-issuer; foo_cert-cert_info-serialNumber = rinfo-ias-serial; } bio = BIO_new(BIO_s_mem()); if (PKCS7_decrypt(p7, pkey, foo_cert, bio, 0) == 0) { BIO_printf(bio_err, %s:%d: decryption failed\n, __FILE__, __LINE__); goto err; } Where am I wrong ? Is there a function for decrypting a pkcs7 structure that does not require a (X509 *) [virtually useless, if not for cecking against the recipient info, I guess] ? It's easy to see PKCS7_decrypt() does X509_check_private_key(certificate, key) and then PKCS7_dataDecode() One could also read PKCS7_dataDecode() source to see decryption certificate will only be used to match issuer and serial number with that of each recipient info from enveloped data, so your code should work fine with PKCS7_decrypt() replaced good luck, Vadim -- Naina library: http://www.unity.net/~vf/naina_r1.tgz __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problem decrypting a pkcs7 structure
Vadim Fedukovich wrote: [...] It's easy to see PKCS7_decrypt() does X509_check_private_key(certificate, key) and then PKCS7_dataDecode() One could also read PKCS7_dataDecode() source to see decryption certificate will only be used to match issuer and serial number with that of each recipient info from enveloped data, so your code should work fine with PKCS7_decrypt() replaced Indeed I had tried also using directly the PKCS7_dataDecode() but I got a core dump as well... Thanks for the hint on the PKCS7_decrypt(), however should't we add some checking on the passed parameters so as to avoid unsafe code from core dumping ? -- C'you, Massimiliano Pala --o- Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED] [EMAIL PROTECTED] http://www.openca.orgTel.: +39 (0)59 270 094 http://openca.sourceforge.netMobile: +39 (0)347 7222 365 smime.p7s Description: S/MIME Cryptographic Signature
Problem decrypting a pkcs7 structure
Hi, I am trying to decrypt some data in a pkcs7 env structure. The problem comes when I try to use the PKCS7_decrypt (I guess the problem to be in PKCS_dataDecode that is actually called -- see pk7_doit.c and pk7_smime.c). If I use a loaded normal certificate everything is fine, but when I try to use a fake X509 structure where I store only the cert_info-issuer and cert_info-serialNumber data (the only one that should be accessed in the used when decrypting) I get a core dump. Here it is the code: if( (foo_cert = X509_new()) == NULL ) { // Memory error... } else { char buffer[1024]; foo_cert-cert_info-issuer = rinfo-ias-issuer; foo_cert-cert_info-serialNumber = rinfo-ias-serial; } bio = BIO_new(BIO_s_mem()); if (PKCS7_decrypt(p7, pkey, foo_cert, bio, 0) == 0) { BIO_printf(bio_err, %s:%d: decryption failed\n, __FILE__, __LINE__); goto err; } Where am I wrong ? Is there a function for decrypting a pkcs7 structure that does not require a (X509 *) [virtually useless, if not for cecking against the recipient info, I guess] ? -- C'you, Massimiliano Pala --o- Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED] [EMAIL PROTECTED] http://www.openca.orgTel.: +39 (0)59 270 094 http://openca.sourceforge.netMobile: +39 (0)347 7222 365 smime.p7s Description: S/MIME Cryptographic Signature
Re: Problem decrypting a pkcs7 structure
Hi all, I am replying myself... this seems like a sign I have to stop working late at night... anyway... here it comes the real message... Massimiliano Pala wrote: Hi, I am trying to decrypt some data in a pkcs7 env structure. The problem comes when I try to use the PKCS7_decrypt (I guess the problem to be in PKCS_dataDecode that is actually called -- see pk7_doit.c and pk7_smime.c). If I use a loaded normal certificate everything is fine, but when I try to use a fake X509 structure where I store only the cert_info-issuer and cert_info-serialNumber data (the only one that should be accessed in the used when decrypting) I get a core dump. Here it is the code: if( (foo_cert = X509_new()) == NULL ) { // Memory error... } else { char buffer[1024]; foo_cert-cert_info-issuer = rinfo-ias-issuer; foo_cert-cert_info-serialNumber = rinfo-ias-serial; } bio = BIO_new(BIO_s_mem()); if (PKCS7_decrypt(p7, pkey, foo_cert, bio, 0) == 0) { BIO_printf(bio_err, %s:%d: decryption failed\n, __FILE__, __LINE__); goto err; } Where am I wrong ? Is there a function for decrypting a pkcs7 structure that does not require a (X509 *) [virtually useless, if not for cecking against the recipient info, I guess] ? Still I don't know where and why, but it seems that in the fake X509 there should be a pkey, so I made with the one I had... :-D this code fixes the problem (after the X509_new()), but if you know why the old one was not working, please let me know ... X509_set_issuer_name(foo_cert,rinfo-ias-issuer); X509_set_subject_name(foo_cert,rinfo-ias-issuer); X509_set_serialNumber(foo_cert,rinfo-ias-serial); // X509_gmtime_adj(X509_get_notBefore(foo_cert),0); // X509_gmtime_adj(X509_get_notAfter(foo_cert), 1L ); X509_set_pubkey(foo_cert, pkey); -- C'you, Massimiliano Pala --o- Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED] [EMAIL PROTECTED] http://www.openca.orgTel.: +39 (0)59 270 094 http://openca.sourceforge.netMobile: +39 (0)347 7222 365 smime.p7s Description: S/MIME Cryptographic Signature