Robert Eiglmaier wrote:
>
> Hi,
>
> I have a PKCS#7 signedData Block generated by an
> external application.
>
> When reading it in OpenSSL with d2i_PKCS7() and writing
> it out again with i2d_PKCS7() the order of the
> authenticated attributes changes and the signature
> becomes invalid.
>
> The reason is that when writing the SignerInfo
> the call for writing the STACK_OF(X509_ATTRIBUTE)
> is made through
>
> #define M_ASN1_I2D_put_IMP_SET_opt_type(type,a,f,x) \
>         if ((a != NULL) && (sk_##type##_num(a) != 0)) \
>                 { i2d_ASN1_SET_OF_##type(a,&p,f,x, \
>                         V_ASN1_CONTEXT_SPECIFIC, \
>                         IS_SET); }
> (asn1_mac.h, ln. 488)
>
> The last parameter (IS_SET) causes i2d_ASN1_SET()
> (asn1/a_set.c, ln. 86) to sort the attributes (!) after they
> have already been written properly!!
>
> So is there a reason why IS_SET must be used?
> Can I change it to IS_SEQUENCE without breaking other
> functionality?
> Or how can I get OpenSSL to write the attributes in
> stack-order?
>
> Background: the reason why I read and write the data
> is that I want to strip the certificates (which works).
>
> Any help would be gladly appreciated.
>
If the attribute order is being changed then the external application is
not ordering them correctly. IS_SET is there because the PKCS#7 spec
defines them as a SET OF.
You can change the IS_SET to IS_SEQUENCE but then PKCS#7 structures
created with OpenSSL will have an invalid order as well.
The best solution is IMHO to use IS_SEQUENCE and order the attributes
when OpenSSL signs them. I'll look into adding that to the code.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
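The DER ordering rule behind this exchange, as an added example that is not from the thread or from OpenSSL's code: a minimal encoder for SignerInfo authenticated attributes showing that the bytes a signature covers differ between the writer's stack order and DER's sorted SET OF order, which is why re-encoding through i2d_PKCS7() invalidates a signature made over unsorted attributes. The attribute OIDs are the standard PKCS#9 ones; the digest and time values are constructed placeholders.

```python
import hashlib

def der_len(n: int) -> bytes:
    # DER definite length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted: str) -> bytes:
    # OBJECT IDENTIFIER (tag 0x06): first two arcs packed, rest base-128.
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def attribute(oid: str, value: bytes) -> bytes:
    # Attribute ::= SEQUENCE { type OID, values SET OF ANY } with one value.
    return tlv(0x30, der_oid(oid) + tlv(0x31, value))

def der_set_of(elements, canonical: bool) -> bytes:
    # DER (X.690 11.6) orders SET OF members by their encoded octets; this is
    # what IS_SET makes i2d_ASN1_SET() do. canonical=False keeps stack order.
    ordered = sorted(elements) if canonical else list(elements)
    return tlv(0x31, b"".join(ordered))

def signed_attrs_digest(elements, canonical: bool) -> str:
    # Digest over the SET encoding: the bytes the SignerInfo signature covers.
    return hashlib.sha1(der_set_of(elements, canonical)).hexdigest()

# Constructed sample: three PKCS#9 authenticated attributes in an arbitrary
# stack order. Digest and time values are placeholders, not real data.
CONTENT_TYPE = attribute("1.2.840.113549.1.9.3", der_oid("1.2.840.113549.1.7.1"))
MESSAGE_DIGEST = attribute("1.2.840.113549.1.9.4", tlv(0x04, bytes(20)))
SIGNING_TIME = attribute("1.2.840.113549.1.9.5", tlv(0x17, b"010201120000Z"))
STACK_ORDER = [SIGNING_TIME, MESSAGE_DIGEST, CONTENT_TYPE]

if __name__ == "__main__":
    print("stack order:", signed_attrs_digest(STACK_ORDER, canonical=False))
    print("DER sorted :", signed_attrs_digest(STACK_ORDER, canonical=True))
```

A verifier that re-encodes the attributes canonically (as OpenSSL does) will hash the sorted bytes, so only a signer that sorts before signing produces a signature that survives a decode/encode round trip.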
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]