Rodney Thayer wrote:
> 
> I am trying to create a pkcs7-formatted certificate.  This is for
> an IPsec user.  In the IPsec world, even in the year 2000, we are
> having silly interoperability battles over raw vs. PEM vs.
> pkcs7 certificate formats.
> 
> I tried using 'openssl pkcs7 -inform DER -in cert7.p7c -print_certs'
> with the file in the crypto/pkcs7/p7 directory, but it can't parse that.
> It claims the length is wrong somewhere.  Other samples also fail.
> 

Yes the stuff in there is broken. What it's for only Eric knows. It
should really be cleared out.

> I am able to parse a copy of the Verisign test CA root.
> 
> So... I'm now trying to establish what is happening here.  I have a
> question about the code.
> 
> In apps/pkcs7.c, it reads the pkcs7-formatted blob in, with
> a d2i_PKCS7_bio call.  I would expect that the 'p7' structure
> that produces contains a raw copy of the 'content' of the
> PKCS7 in p7->d.ptr.  But, this seems to point to pointers.
> Before I go nuts stepping through the code, is this the right
> place to look?  I am looking because I want to figure out what
> format is in the p7 structure so when I create one I create
> it with the proper arguments.
> 

Well there isn't any "content" in the typical PKCS#7 certificates only
form. 

What you get in there is the PKCS#7 fields parsed out. If you compare
the stuff in there with a PKCS#7 specification it isn't too hard to see
the correspondence between the two.

The certificates only form is particularly simple. The code to extract
certificates is in apps/pkcs7.c and to generate a PKCS#7 certificates
only structure is in apps/crl2pk7.c.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
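
An added illustration of the reply above, not part of the original thread and not OpenSSL code: a standard-library Python walker over the DER "certificates only" PKCS#7 layout (a SignedData with no signers), showing the parsed-out fields, the absent inner content, and a length check that rejects truncated input. Function names and the placeholder "certificates" are assumptions made for the example.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def tlv(tag, body):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); refuse a length that overruns the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:                       # long form: low 7 bits count length octets
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("indefinite or truncated length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("wrong length: element overruns the buffer")
    return tag, buf[pos:pos + n], pos + n

def children(value):  # split a constructed value into (tag, full_encoding, value)
    out, pos = [], 0
    while pos < len(value):
        start, (tag, val, pos) = pos, read_tlv(value, pos)
        out.append((tag, value[start:pos], val))
    return out

def parse_certs_only(der):
    """Return (inner_content_present, [certificate DER, ...])."""
    tag, outer, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    oid, wrapped = children(outer)[:2]
    if oid[2] != OID_SIGNED_DATA or wrapped[0] != 0xA0:
        raise ValueError("not PKCS#7 signedData")
    fields = children(children(wrapped[2])[0][2])   # version, digests, inner, ...
    inner = children(fields[2][2])                  # inner ContentInfo: OID [, content]
    certs = [c[1] for f in fields[3:] if f[0] == 0xA0 for c in children(f[2])]
    return len(inner) > 1, certs

# Constructed sample: placeholder SEQUENCEs stand in for real X.509 certificates.
FAKE = [tlv(0x30, tlv(0x04, bytes([i]) * 200)) for i in (1, 2)]
SAMPLE = tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30,
    tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, OID_DATA))
    + tlv(0xA0, b"".join(FAKE)) + tlv(0x31, b""))))
```

Each returned entry is the complete DER encoding of one certificate from the [0] certificates field, which is what a tool such as 'openssl pkcs7 -print_certs' goes on to decode as X.509.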
