Correcting myself for the record:

> From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson
> Sent: Thursday, 17 November, 2011 18:53

> <snip>
> As I said, I don't believe any openssl commandline
> function will create a 'degenerate' (cert-only) PKCS#7, which
> is a signeddata with zero signerinfos (and zero digestalgs),
> omitted or dummy content, and your cert(s). You could:
>

Looking for something else, I discovered that commandline
'crl2pkcs7 -nocrl -certfile' (obviously :-?) does do this.

> - (probably) write a tiny program using the PKCS7_* API;
> on a quick scan it looks like you can just create a
> (inner) PKCS7 and _set0_other(data,empty octet string), then a
> (outer) PKCS7 and _set_type(,signed) and _set_content(,thatdata)
> and _add_cert and write it out, but I haven't tested.
>

and I was off some here. outer PKCS7 needs to have type signed
and also version, and *point to* PKCS7_SIGNED whose 'contents' are
the inner data, but are apparently preallocated and only need to be
set to omitted data (although I bet empty would work). And it's
_add_certificate, or inline which crl2p7.c does instead.

<snip other options, still correct but less important>
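
Added example (not part of the original message and not OpenSSL code): a small Python DER walker that checks whether a PKCS#7 blob has the 'degenerate' shape described above, i.e. signedData with zero digest algorithms, zero signerInfos and at least one certificate. The function names are made up for this example, and the sample input is constructed: its "certificates" are placeholder SEQUENCEs, not real X.509.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def tlv(tag, body=b""):
    """DER-encode one element with a definite length."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def children(body):
    """Split DER bytes into (tag, value) pairs; single-byte tags only."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] == 0x80:
            raise ValueError("truncated header or indefinite (BER) length")
        tag, n, i = body[i], body[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(body[i:i + k], "big"), i + k
        if i + n > len(body):
            raise ValueError("truncated DER value")
        out.append((tag, body[i:i + n]))
        i += n
    return out

def classify_p7(der):
    """Summarise a DER PKCS#7 ContentInfo that wraps SignedData."""
    (_, outer), = children(der)
    ctype, content = children(outer)
    if ctype != (0x06, OID_SIGNED_DATA) or content[0] != 0xA0:
        raise ValueError("not PKCS#7 signedData")
    (_, signed), = children(content[1])
    fields = children(signed)  # version, digestAlgorithms, contentInfo, ..., signerInfos
    if len(fields) < 4 or fields[1][0] != 0x31 or fields[-1][0] != 0x31:
        raise ValueError("unexpected SignedData layout")
    certs = [v for t, v in fields[3:-1] if t == 0xA0]  # [0] IMPLICIT certificates
    n_certs = len(children(certs[0])) if certs else 0
    n_digests, n_signers = len(children(fields[1][1])), len(children(fields[-1][1]))
    return {"certs": n_certs, "digest_algs": n_digests, "signer_infos": n_signers,
            "content_present": len(children(fields[2][1])) > 1,
            "degenerate": n_certs > 0 and n_digests == 0 and n_signers == 0}

def build_sample(n_certs, with_signer=False):
    """Constructed sample; the 'certificates' are placeholder SEQUENCEs, not X.509."""
    dummy = tlv(0x30, tlv(0x02, b"\x01"))
    extra = dummy if with_signer else b""  # stands in for one digest alg / signerInfo
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, extra) + tlv(0x30, tlv(0x06, OID_DATA))
                 + tlv(0xA0, dummy * n_certs) + tlv(0xA1) + tlv(0x31, extra))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))
```

To check real output, pass classify_p7 the bytes written by 'openssl crl2pkcs7 -nocrl -certfile certs.pem -outform DER' (certs.pem is a placeholder file name).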