Vadim Fedukovich wrote:
> > > I'm sorry for not mentioning your patch, Steve. It really does the right thing.
> >
> > Specifically, if there are any signed attributes (e.g. signing time) the
> > signature produced is invalid and it won't verify a correct signature.
>
> I'd rather say old SSLeay generates SignedData in the simplest allowed form.
> According to PKCS#7 RSA Labs Tech note version 1.5 clause 9.2
> "...It is recommended...the authenticatedAttributes field be omitted
> whenever the content type of the ContentInfo value being signed is data
> and there are no other authenticated attributes". SSLeay code does not
> generate authenticated attributes, so it goes just right here. Next,
> SSLeay verifies SignedData objects that were generated this way but
> cannot verify if the signature was generated on an authenticated attributes list.
> Your patch implements this functionality, thank you.
>
> Is 1.5 the right version to follow? Did someone look at popular PKCS7
> generators to see how often the signature is generated over the auth attr list?
>

Well, for S/MIME, authenticated attributes are almost always present: Netscape and MS stuff always includes them. In fact the S/MIME specs recommend that at least signingTime (and messageDigest as a result) be included.

> > I *think* this is fixed in OpenSSL but I haven't got round to looking at
> > it yet.
>
> We were considering using the pkcs7 code in production several months ago;
> I reviewed related topics and everything seemed to be nice enough to go.
> Unfortunately no more progress since that time.
>
> > If you want to do opaque signing it's easy enough: you just send the
> > result as a base64 encoded MIME type application/x-pkcs7-mime: Netscape
> > Messenger and MS stuff will display this. The more common
>
> This is a really interesting point, thank you.
>

Steve.
--
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED]
NOTE NEW (13/12/98) PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
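As an added illustration of the point discussed above (this is not code from SSLeay, OpenSSL or Steve's patch): a small pure-Python DER encoder for the PKCS#7 authenticatedAttributes set, showing why a verifier that hashes only the content cannot check a signature made over the attributes. The attribute OIDs are the standard PKCS#9 ones; the sample content, the signing time and SHA-1 as the digest algorithm (chosen only to match the era of the thread) are assumptions for the example.

```python
import hashlib

def der_len(n):
    # DER length octets: short form below 128, long form otherwise
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    # OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def attribute(oid, value):
    # Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }
    return der(0x30, der_oid(oid) + der(0x31, value))

def authenticated_attributes(content, signing_time):
    # Returns (field as encoded in SignedData, bytes the signature covers).
    # SignedData carries the attributes as [0] IMPLICIT (0xA0); the signature
    # is computed over the same bytes re-tagged as SET OF (0x31), PKCS#7 9.3.
    attrs = [
        attribute("1.2.840.113549.1.9.3", der_oid("1.2.840.113549.1.7.1")),  # contentType: data
        attribute("1.2.840.113549.1.9.5", der(0x17, signing_time)),  # signingTime (UTCTime)
        attribute("1.2.840.113549.1.9.4", der(0x04, hashlib.sha1(content).digest())),  # messageDigest
    ]
    body = b"".join(sorted(attrs))  # DER SET OF: components ordered by their encoding
    return der(0xA0, body), der(0x31, body)

def digest_to_sign(content, attrs_set=None):
    # Old SSLeay hashed the content itself; with attributes present the hash
    # must cover the SET OF authenticatedAttributes instead.
    return hashlib.sha1(content if attrs_set is None else attrs_set).digest()

def message_digest_matches(content, attrs_set):
    # Verifier side: the messageDigest attribute must equal hash(content);
    # recompute its exact DER and require it to appear among the attributes.
    expected = attribute("1.2.840.113549.1.9.4", der(0x04, hashlib.sha1(content).digest()))
    return expected in attrs_set
```

A verifier therefore has two checks when attributes are present: the messageDigest attribute must match the content, and the signature must be verified over the SET OF encoding, not over the content.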