> From: owner-openssl-us...@openssl.org On Behalf Of TMS Brokers / Lukasz Kosciesza > Sent: Tuesday, 23 August, 2011 09:44
> I'm trying to create a pkcs#7 detached signature with openssl. <snip> > I analysed the signature with the signature created by other > tool, and only one part is different when created by openssl. > > I get <snip (in auth-attrs) > While I need: <snip> > It looks like I need to add "id-smime-aa-signingCertificate" > attribute instead of "S/MIME Capabilities" and "signingTime" > which I get. > Is there any way to add attributes in openssl smime command? > Or in some other way? Not in commandline/utility I don't think. You can omit smimecap, or omit auth-attrs entirely and sign directly, but there's no visible provision to add anything much less this specifically. You might look at ts/ts_rsp_sign.c (and ts_asn1.c and ts.h). It does this attribute. It optionally does a full chain (which you apparently don't) and defines but doesn't use the policy part (which you apparently also don't). You could write a few routines or a simple utility which does the same thing (except with detached) or modify your copy to do it in apps/smime.c . I don't think you can omit signingTime; it's buried under PKCS7_dataFinal without any option to suppress it (though you could modify your copy to add one -- probably a state in the PKCS7 object like detached makes most sense). But I'm not sure you need to. In general most receivers of ASN.1 OID+data maps in this style should ignore OIDs they don't want or don't understand except where something overrides that like X.509 extensions 'critical' flag. Worst case, you could recode the parts of PKCS7 you need. Down at the bottom, it's 'merely' an ASN.1 structure with a lot of possible formats and options of which you only need one specific set. It's rather tedious to do, and seems a shame when OpenSSL already includes code that does very nearly what you want, but it should work. Good luck. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
