I think I've spotted a problem generating PKCS#7 DER-encoded output 
using OpenSSL 0.9.8e

crypto/pkcs7/pk7_asn1.c has an ASN.1 definition for PKCS7_SIGNED as:

> ASN1_NDEF_SEQUENCE(PKCS7_SIGNED) = {
>         ASN1_SIMPLE(PKCS7_SIGNED, version, ASN1_INTEGER),
>         ASN1_SET_OF(PKCS7_SIGNED, md_algs, X509_ALGOR),
>         ASN1_SIMPLE(PKCS7_SIGNED, contents, PKCS7),
> -->     ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
>         ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, crl, X509_CRL, 1),
>         ASN1_SET_OF(PKCS7_SIGNED, signer_info, PKCS7_SIGNER_INFO)
> } ASN1_NDEF_SEQUENCE_END(PKCS7_SIGNED)

RFC 2315 defines the associated ASN.1 type as
>    SignedData ::= SEQUENCE {
>      version Version,
>      digestAlgorithms DigestAlgorithmIdentifiers,
>      contentInfo ContentInfo,
> -->  certificates
>         [0] IMPLICIT ExtendedCertificatesAndCertificates
>           OPTIONAL,
>      crls
>        [1] IMPLICIT CertificateRevocationLists OPTIONAL,
>      signerInfos SignerInfos }
and defines "ExtendedCertificatesAndCertificates" as
>    ExtendedCertificatesAndCertificates ::=
>      SET OF ExtendedCertificateOrCertificate


I think this means that the definition in pk7_asn1.c for "cert" is wrong.
        ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
should be
        ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, cert, X509, 0),

Without this change, if you populate a PKCS7_SIGNED structure with a list of 
certificates, they do not get DER-encoded properly: they are written in 
the order they appear in the STACK_OF(X509), as the elements of a SEQUENCE 
would be, rather than sorted lexicographically, as the elements of a SET 
should be.

Is the analysis correct?





--- crypto/pkcs7/pk7_asn1.c	29 Jul 2006 19:10:18 -0000	1.1.1.2
+++ crypto/pkcs7/pk7_asn1.c	30 May 2008 10:07:59 -0000
@@ -90,7 +90,7 @@
 	ASN1_SIMPLE(PKCS7_SIGNED, version, ASN1_INTEGER),
 	ASN1_SET_OF(PKCS7_SIGNED, md_algs, X509_ALGOR),
 	ASN1_SIMPLE(PKCS7_SIGNED, contents, PKCS7),
-	ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
+	ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
 	ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, crl, X509_CRL, 1),
 	ASN1_SET_OF(PKCS7_SIGNED, signer_info, PKCS7_SIGNER_INFO)
 } ASN1_NDEF_SEQUENCE_END(PKCS7_SIGNED)
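Review bot: With `ASN1_IMP_SET_OF_OPT` on `cert`, the encoder will emit the certificates sorted by their DER encodings instead of in STACK_OF(X509) order, so any consumer that reads the list positionally (for example expecting the signer's certificate first, or the chain in issuing order) may see different output after a re-encode; that should be confirmed before the template changes. Because the field is `[0] IMPLICIT`, the identifier octet is the same for both templates, so parsing of existing messages should be unaffected and only the emitted order changes. I would record the trade-off on the changed line, e.g. `/* SET OF per RFC 2315: DER output is sorted, stack order is not preserved */`, and add an encode/decode round-trip check with two certificates supplied in non-sorted order. The template opens above the hunk, so the start of the definition is not visible here.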
