Re: othername in subjectAltName

2002-06-12 Thread Michael Bell

Vadim Fedukovich wrote:
 
 On Tue, Jun 11, 2002 at 01:46:40PM +0200, Michael Bell wrote:
  Hi,
 
  I start a simple implementation of othername only for strings in the
  subject alternative name. Actually I have a problem with the resolving
  of the ASN1_TYPE.
 
  OTHERNAME is defined like this in crypto/x509v3/x509v3.h:
 
  typedef struct otherName_st {
  ASN1_OBJECT *type_id;
  ASN1_TYPE *value;
  } OTHERNAME;
 
  The problem is that I must do a typecast to store a special type in
  *value but I must know the type in crypto/asn1/tasn_enc.c where
  ASN1_item_ex_i2d must calculate the length of the sequence.
 
  The code crashes in the loop after /* First work out sequence content
  length */ at the second iteration in the line
 
  seqcontlen += ASN1_template_i2d(pseqval, NULL, seqtt);
 
  Is there a trick to get the type from the structure or must I change
  x509v3.h (ASN1_TYPE --> ASN1_CHOICE) and define the supported
  ASN1-types?
 
 Policy certificate extension generator may be an example to do this.
 Naina package: http://www.unity.net/~vf/naina_r1.tgz

Not really. The problem is that value can be every (!!!) ASN1_TYPE. So
is there a difference in the resulting ASN1 if I use an ASN1_CHOICE to
build the structure?

typedef struct otherName_st {
ASN1_OBJECT *type_id;
ASN1_CHOICE *value;
}

ASN1_CHOICE(OTHERNAME) = {
   ...
} ASN1_CHOICE_END(OTHERNAME)

(including new unions etc.)

Is this compatible with ASN1_TYPE *value?

Michael
-- 
---
Michael Bell   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany   http://www.openca.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: othername in subjectAltName

2002-06-12 Thread Vadim Fedukovich

On Wed, Jun 12, 2002 at 09:07:40AM +0200, Michael Bell wrote:
 Vadim Fedukovich wrote:
  
  On Tue, Jun 11, 2002 at 01:46:40PM +0200, Michael Bell wrote:
   Hi,
  
   I start a simple implementation of othername only for strings in the
   subject alternative name. Actually I have a problem with the resolving
   of the ASN1_TYPE.
  
   OTHERNAME is defined like this in crypto/x509v3/x509v3.h:
  
   typedef struct otherName_st {
   ASN1_OBJECT *type_id;
   ASN1_TYPE *value;
   } OTHERNAME;
  
   The problem is that I must do a typecast to store a special type in
   *value but I must know the type in crypto/asn1/tasn_enc.c where
   ASN1_item_ex_i2d must calculate the length of the sequence.
  
   The code crashes in the loop after /* First work out sequence content
   length */ at the second iteration in the line
  
   seqcontlen += ASN1_template_i2d(pseqval, NULL, seqtt);
  
   Is there a trick to get the type from the structure or must I change
   x509v3.h (ASN1_TYPE --> ASN1_CHOICE) and define the supported
   ASN1-types?
  
  Policy certificate extension generator may be an example to do this.
  Naina package: http://www.unity.net/~vf/naina_r1.tgz
 
 Not really. The problem is that value can be every (!!!) ASN1_TYPE. So
 is there a difference in the resulting ASN1 if I use an ASN1_CHOICE to
 build the structure?

ASN1_TYPE could be handy for two-pass encoding while ASN1_CHOICE
will do it at once. Any type could be encoded at the 1st step.

 typedef struct otherName_st {
 ASN1_OBJECT *type_id;
 ASN1_CHOICE *value;
 }
 
 ASN1_CHOICE(OTHERNAME) = {
...
 } ASN1_CHOICE_END(OTHERNAME)
 
 (including new unions etc.)
 
 Is this compatible with ASN1_TYPE *value?

I don't know object-based choice technique and would also like to learn it.
It may be useful for parsing pkcs7 signed parts of SET messages.

Vadim



Re: othername in subjectAltName

2002-06-12 Thread Michael Bell

Hi,

I read RFC 3280 4.2.1.7 again.

OtherName ::= SEQUENCE {
     type-id    OBJECT IDENTIFIER,
     value      [0] EXPLICIT ANY DEFINED BY type-id }

Does EXPLICIT ANY DEFINED BY type-id mean that the software (e.g.
OpenSSL) must know which ASN1-type does the type-id require?

If the answer is yes then we must extend objects.txt and change the
perlscripts. It's a lot of work for such a small change.

Michael 
-- 
---
Michael Bell   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany   http://www.openca.org



[openssl.org #94] build Problems

2002-06-12 Thread Lutz Jaenicke via RT


[[EMAIL PROTECTED] - Tue Jun 11 19:53:21 2002]:

 Hello,
   I'm getting the following error when I try and build openssh-0.9.6d
 while running the make command:
 
 cc -I.. -I../.. -I../../include -KPIC -DTHREADS -D_REENTRANT
 -DDSO_DLFCN
 -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend
 -Xa
 -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM  -c  rmd_one.c
 ar r ../../libcrypto.a rmd_dgst.o rmd_one.o
 You may get an error following this line. Please ignore.
 /usr/ccs/bin/ranlib ../../libcrypto.a
 making all in crypto/des...
 cc -I.. -I../.. -I../../include -KPIC -DTHREADS -D_REENTRANT
 -DDSO_DLFCN
 -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend
 -Xa
 -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM  -c  set_key.c
 /usr/include/math.h, line 7: cannot open include file (too many open
 files): sys/feature_tests.h
 /usr/include/math.h, line 9: cannot open include file (too many open
 files): math.h

I am not sure what is going on, but I would guess, that you have a kind
of infinite loop. In line 9 of math.h seems to be included from math.h,
which does not make sense to me.

 Compiler version:
 odyssey%root%Jamie cc -V
 cc: Sun WorkShop 6 update 2 C 5.3 2001/05/15
 usage: cc [ options] files.  Use 'cc -flags' for details
 
 O/S Version:
 SunOS odyssey 5.8 Generic_108528-14 sun4u sparc SUNW,Sun-Blade-1000
 
 Any help you can provide is greatly appreciated.  I have tried the
 builds on the beta version and version 0.9.6b, which is what we use.
 I'm setting up a firewall and trying to get openssl/openssh to work.

You do have the same problems with 0.9.6b and 0.9.7-beta1, don't you.
For me it seems, that your build system is broken.

Best regards,
   Lutz



Re: [openssl.org #82] `NID_uniqueIdentifier' undeclared (first use in this function)

2002-06-12 Thread Jeffrey Altman

Gang.  It is a little uncool to be having a long lengthy discussion of
someone's supported code without involving them in the discussion.  As
it turns out all of the issues that have been addressed in this thread
related to C-Kermit had already been handled in the C-Kermit Daily
builds.

  http://www.kermit-project.org/ckdaily.html


  Also, markus@ created this temp patch:
  +@@ -102,6 +104,13 @@
  + !ERROR This module requires OpenSSL 0.9.5a or higher
  + #endif /* OPENSSL_VERSION_NUMBER */
  + #endif /* SSLDLL */
  ++
  ++#if OPENSSL_VERSION_NUMBER  0x00907000L
  ++#else
  ++  #ifndef NID_UniqueIdentifier
  ++  #define NID_uniqueIdentifier NID_x500UniqueIdentifier
  ++  #endif
  ++#endif
  +
  + static int auth_ssl_valid = 0;
  + static char *auth_ssl_name = 0;/* this holds the oneline name */
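Review bot: in the added #else branch the guard "#ifndef NID_UniqueIdentifier" tests a differently spelled name (capital U) than the macro the next line defines, "NID_uniqueIdentifier", so the guard does not protect that define. Use the same spelling on both lines, or drop the inner guard, since the surrounding OPENSSL_VERSION_NUMBER test already selects the branch. The "#if" line as shown carries no comparison operator between OPENSSL_VERSION_NUMBER and 0x00907000L and its first branch is empty; writing the condition for the branch that holds the define would avoid the empty #if/#else, and a one-line comment naming the rename being bridged would help the next reader.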
 
 That looks better, but not finally good enough. I think that the correct
 solution would be something like:
 * Replace all occurrences of NID_UniqueIdentifier with 
   NID_X500UniqueIdentifier.
 * Then:
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
 #define NID_X500UniqueIdentifier NID_UniqueIdentifier
 #endif
 
 Of course, this will still break compatibility with application not
 especially prepared.
 
 Best regards,
 Lutz
 



 Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/  Secured with MIT Kerberos, SRP, and 
 [EMAIL PROTECTED]   OpenSSL.



Re: [openssl.org #94] build Problems

2002-06-12 Thread Jamie L.Lipinski via RT


Thanks for the reply, there's a weird line in the math.h file #include
<math.h>, my c++ is not good, so I don't know what it means.  I made a
local copy and commented out the line and it built successfully.  Thanks
for your reply.

Regards,
Jamie Lipinski

Lutz Jaenicke via RT wrote:
 
 [[EMAIL PROTECTED] - Tue Jun 11 19:53:21 2002]:
 
  Hello,
I'm getting the following error when I try and build openssh-0.9.6d
  while running the make command:
 
  cc -I.. -I../.. -I../../include -KPIC -DTHREADS -D_REENTRANT
  -DDSO_DLFCN
  -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend
  -Xa
  -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM  -c  rmd_one.c
  ar r ../../libcrypto.a rmd_dgst.o rmd_one.o
  You may get an error following this line. Please ignore.
  /usr/ccs/bin/ranlib ../../libcrypto.a
  making all in crypto/des...
  cc -I.. -I../.. -I../../include -KPIC -DTHREADS -D_REENTRANT
  -DDSO_DLFCN
  -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend
  -Xa
  -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM  -c  set_key.c
  /usr/include/math.h, line 7: cannot open include file (too many open
  files): sys/feature_tests.h
  /usr/include/math.h, line 9: cannot open include file (too many open
  files): math.h
 
 I am not sure what is going on, but I would guess, that you have a kind
 of infinite loop. In line 9 of math.h seems to be included from math.h,
 which does not make sense to me.
 
  Compiler version:
  odyssey%root%Jamie cc -V
  cc: Sun WorkShop 6 update 2 C 5.3 2001/05/15
  usage: cc [ options] files.  Use 'cc -flags' for details
 
  O/S Version:
  SunOS odyssey 5.8 Generic_108528-14 sun4u sparc SUNW,Sun-Blade-1000
 
  Any help you can provide is greatly appreciated.  I have tried the
  builds on the beta version and version 0.9.6b, which is what we use.
  I'm setting up a firewall and trying to get openssl/openssh to work.
 
 You do have the same problems with 0.9.6b and 0.9.7-beta1, don't you.
 For me it seems, that your build system is broken.
 
 Best regards,
Lutz

-- 
--- Computing and Information Services Division -
Jamie Lipinski  http://cisd.stsci.edu/support
Network Security Manager410-338-4847
[EMAIL PROTECTED]  [EMAIL PROTECTED] x4400
Public Key: http://certserver.pgp.com 2048 RSA
 CISD: Your partner for computing and information solutions -



Re: othername in subjectAltName

2002-06-12 Thread Rich Salz

 OtherName ::= SEQUENCE {
      type-id    OBJECT IDENTIFIER,
      value      [0] EXPLICIT ANY DEFINED BY type-id }

It means that the type-id OID defines the datatype of the value.  Think 
of it as a union.

An alternative scheme would be to make the value be OCTET STRING, but 
then you'd have to buffer and re-decode.

/r$





Re: [openssl.org #82] `NID_uniqueIdentifier' undeclared (first use in this function)

2002-06-12 Thread Lutz Jaenicke

On Wed, Jun 12, 2002 at 09:22:22AM -0400, Jeffrey Altman wrote:
 Gang.  It is a little uncool to be having a long lengthy discussion of
 someone's supported code without involving them in the discussion.  As
 it turns out all of the issues that have been addressed in this thread
 related to C-Kermit had already been handled in the C-Kermit Daily
 builds.
 
   http://www.kermit-project.org/ckdaily.html

Sorry for not including you into the discussion. I only cared about the
problem itself, which also pops up in mod_ssl, so I didn't even realize
that we were talking about your package.

Anyway:
NID_uniqueIdentifier _may_ be re-enabled at some point in the future
with its original meaning
# The following clashes with 2.5.4.45, so commented away
#pilotAttributeType 44  : uid   : uniqueIdentifier

I would therefore propose to not code dependent on
  #ifdef NID_uniqueIdentifier
but by OpenSSL version number.

This discussion started 1 week ago with corresponding problems reported
in the mod_ssl mailing lists. As nobody else spoke up in that regard,
it is my intention to leave everything as is, make sure that the item
is pointed out in CHANGES (maybe even NEWS) and declare the problem to
be resolved this way.
I have not yet decided about pilotAttributeType 44, but will probably leave
it disabled until the 0.9.8 release of OpenSSL, so that applications not
conforming to the new naming will not compile instead of silently using
a wrong interpretation.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: [openssl.org #82] `NID_uniqueIdentifier' undeclared (first use in this function)

2002-06-12 Thread Jeffrey Altman

 Sorry for not including you into the discussion. I only cared about the
 problem itself, which also pops up in mod_ssl, so I didn't even realize
 that we were talking about your package.
 
 Anyway:
 NID_uniqueIdentifier _may_ be re-enabled at some point in the future
 with its original meaning
 # The following clashes with 2.5.4.45, so commented away
 #pilotAttributeType 44  : uid   : uniqueIdentifier

where original meaning == pilotAttributeType

That is fine.  

 I would therefore propose to not code dependent on
   #ifdef NID_uniqueIdentifier
 but by OpenSSL version number.

Right, I actually already changed this to be dependent not on the item
that is in conflict but based on the item we agree is stable.

 This discussion started 1 week ago with corresponding problems reported
 in the mod_ssl mailing lists. As nobody else spoke up in that regard,
 it is my intention to leave everything as is, make sure that the item
 is pointed out in CHANGES (maybe even NEWS) and declare the problem to
 be resolved this way.
 I have not yet decided about pilotAttributeType 44, but will probably leave
 it disabled until the 0.9.8 release of OpenSSL, so that applications not
 conforming to the new naming will not compile instead of silently using
 a wrong interpretation.

I completely agree with this approach.  It did not come up for me in
the last week because C-Kermit has consistently been kept in sync with
the 0.9.7 development builds.



 Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/  Secured with MIT Kerberos, SRP, and 
 [EMAIL PROTECTED]   OpenSSL.



Re: othername in subjectAltName

2002-06-12 Thread Michael Bell

Rich Salz wrote:
 
  OtherName ::= SEQUENCE {
       type-id    OBJECT IDENTIFIER,
       value      [0] EXPLICIT ANY DEFINED BY type-id }
 
 It means that the type-id OID defines the datatype of the value.  Think
 of it as a union.

So the software must know the datatypes of all used OIDs if it wants to
decode this sequence?

Michael
-- 
---
Michael Bell   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany   http://www.openca.org



file attachment and signing.

2002-06-12 Thread Mehdi Jabal Ameli



hi,
I want to send a signed email which has a file attachment.
I want this function in the Perl language.
Can anyone help me?


Mehdi Jabalameli [EMAIL PROTECTED] ce.sharif.edu/~jabalameli


Re: othername in subjectAltName

2002-06-12 Thread Jean-Marc Desperrier

Michael Bell wrote:

Rich Salz wrote:
  

OtherName ::= SEQUENCE {
     type-id    OBJECT IDENTIFIER,
     value      [0] EXPLICIT ANY DEFINED BY type-id }
  

It means that the type-id OID defines the datatype of the value.  Think
of it as a union.


So the software must know the datatypes of all used OIDs if it wants to
decode this sequence?
  

Yes.
It can only decode the sequence for OIDs it knows in advance, but this 
leaves people free to use their own OID with totally arbitrary content.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
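
What "can only decode the sequence for OIDs it knows in advance" looks like in a decoder, as an added example (not code from this thread or from OpenSSL): a small stand-alone C reader that checks the [0] EXPLICIT value against a table of known type-ids and keeps unknown ones opaque. The single table entry (the Microsoft UPN OID, whose value is a UTF8String), the names othername_decode and othername_view, and the sample byte strings are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum on_kind { ON_ERROR = -1, ON_OPAQUE = 0, ON_UTF8 = 1 };
typedef struct {
    const unsigned char *oid; size_t oid_len;  /* type-id content octets */
    unsigned char val_tag;                     /* tag found inside [0] */
    const unsigned char *val; size_t val_len;  /* content octets of the value */
} othername_view;

/* Type-ids known in advance, each with the one tag it allows for the value. */
static const unsigned char OID_UPN[] =         /* 1.3.6.1.4.1.311.20.2.3 */
    { 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03 };
static const struct { const unsigned char *oid; size_t len; unsigned char tag; }
    known[] = { { OID_UPN, sizeof OID_UPN, 0x0C /* UTF8String */ } };

/* Read one TLV header; on success *p is at the content and len fits before end. */
static int der_hdr(const unsigned char **p, const unsigned char *end,
                   unsigned char *tag, size_t *len)
{
    size_t l, n;
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    l = *(*p)++;
    if (l & 0x80) {                  /* long form: 1 or 2 length octets only */
        n = l & 0x7F;
        if (n == 0 || n > 2 || (size_t)(end - *p) < n) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < l) return -1;   /* never trust the stated length */
    *len = l; return 0;
}

enum on_kind othername_decode(const unsigned char *der, size_t n, othername_view *out)
{
    const unsigned char *p = der, *end = der + n;
    unsigned char tag; size_t len, i;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30 || p + len != end) return ON_ERROR;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x06 || len == 0) return ON_ERROR;
    out->oid = p; out->oid_len = len; p += len;
    if (der_hdr(&p, end, &tag, &len) || tag != 0xA0 || p + len != end) return ON_ERROR;
    if (der_hdr(&p, end, &out->val_tag, &len) || p + len != end) return ON_ERROR;
    out->val = p; out->val_len = len;
    for (i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].len == out->oid_len && !memcmp(known[i].oid, out->oid, out->oid_len))
            /* Known type-id: the value must be the type that OID defines. */
            return out->val_tag == known[i].tag ? ON_UTF8 : ON_ERROR;
    return ON_OPAQUE;   /* unknown type-id: well-formed, value left undecoded */
}

/* Constructed sample encodings, not taken from any real certificate. */
static const unsigned char SAMPLE_UPN[] = {      /* UPN, UTF8String "u@ex.test" */
    0x30,0x19, 0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,
    0xA0,0x0B, 0x0C,0x09,'u','@','e','x','.','t','e','s','t' };
static const unsigned char SAMPLE_UNKNOWN[] = {  /* OID 2.999.1, INTEGER 5 */
    0x30,0x0A, 0x06,0x03,0x88,0x37,0x01, 0xA0,0x03, 0x02,0x01,0x05 };
static const unsigned char SAMPLE_MISMATCH[] = { /* UPN OID, but INTEGER 5 */
    0x30,0x11, 0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,
    0xA0,0x03, 0x02,0x01,0x05 };

int main(void)
{
    othername_view v;
    printf("upn=%d\n", othername_decode(SAMPLE_UPN, sizeof SAMPLE_UPN, &v));
    printf("unknown=%d\n", othername_decode(SAMPLE_UNKNOWN, sizeof SAMPLE_UNKNOWN, &v));
    printf("mismatch=%d\n", othername_decode(SAMPLE_MISMATCH, sizeof SAMPLE_MISMATCH, &v));
    printf("truncated=%d\n", othername_decode(SAMPLE_UPN, sizeof SAMPLE_UPN - 3, &v));
    return 0;
}
```

The reader accepts non-minimal length encodings, so it is looser than strict DER; a certificate verifier would reject those as well.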



draft-ietf-pkix-certstore-http hashes?

2002-06-12 Thread Bear Giles

I remember mentioning this a while back, but don't think anything
ever came from it.

Are there any plans to add convenience functions for the hashes
specified in draft-ietf-pkix-certstore-http?  (This proposed
document provides some implementation details for RFC2585, and
basically maps a URL of the form query?attribute=value to a
(multipart) MIME response containing the DER-encoded certificate(s)
with Content-Type: application/pkix-cert or application/pkix-crl.)

Specifically, the draft RFC borrows from Gutman to require 
base64-encoded SHA-1 hashes of the subject and issuer X509_NAME
fields, the issuer X509_NAME concatenated with the serial number,
the entire certificate (the fingerprint), and a base64-encoded
subject key id.  These are identified as sHash, iHash, iAndSHash,
(fingerprint?) and sKID, respectively.  I think Gutman also
mentioned an aKID hash, but it's not mentioned in this document.

I know that something similar is covered by the new OCSP routines,
but the OCSP_CERTID doesn't provide all of the hashes or wrap it
up into a nice base64-encoded string.  Obviously OCSP provides a
much cleaner interface, but it requires a larger investment than
some CGI-BIN scripts to handle these simple lookups.  But this
implies that their code will be used by people unfamiliar with
the library internals - there needs to either be some convenience
functions and/or additional options to openssl x509.

I can provide some simple (and probably horribly coded) code to
implement these hashes, if somebody has a suggestion for a good
name.  Right now I'm using

  int b64_shash (char *, size_t, X509 *);
  int b64_ihash (char *, size_t, X509 *);
  int b64_iandshash (char *, size_t, X509 *);
  int b64_skid (char *, size_t, X509 *);
  int b64_fingerprint (char *, size_t, X509 *);

but I'm not sure that either the prefix or signature would be
good long-term choices.

Bear



[openssl.org #95] SSL_CTX_set_client_cert_cb error ?

2002-06-12 Thread Sohns Erik via RT


Hello,

the callback I set with SSL_CTX_set_client_cert_cb() is never called, even
though SSL_CTX_get_client_cert_cb(), if called afterwards, returns a
non-NULL-value. I use OpenSSL 0.9.7 beta 1.
Any hints ?

Greetings
Erik
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



[openssl.org #95] SSL_CTX_set_client_cert_cb error ?

2002-06-12 Thread Lutz Jaenicke via RT


The manual page about SSL_CTX_set_client_cert_cb was simply wrong.
What in hell did I smoke when writing it? Or was it simply too late
at night??

Anyway, I have just checked in a new version:
If a certificate was already set, the client_cert_cb will never be
called. Once it is called and returns a certificate, the certificate
will be set for this SSL object and the callback will not be called again.

Sorry for any confusion caused.

Best regards,
Lutz



[openssl.org #82] `NID_uniqueIdentifier' undeclared (first use in this function)

2002-06-12 Thread Lutz Jaenicke via RT


As already pointed out in additional emails in openssl-dev:
* the change will stay in place, thus NID_x500UniqueIdentifier
  will be the macro to use starting with OpenSSL 0.9.7
* I have not activated the original meaning of uniqueIdentifier and
  it will not be done before 0.9.8 in order to prevent silent failure.
* I have added appropriate documentation in CHANGES, NEWS, FAQ.

Best regards,
   Lutz



d2i_PKCS7

2002-06-12 Thread



Hi:
 I found there is something wrong in
crypto/asn1/asn1_mac.h and crypto/pkcs7/pk7_lib.c

in crypto/asn1/asn1_mac.h

the OLD code is:

#define M_ASN1_D2I_get(b,func) \
    c.q=c.p; \
    if (func(&(b),&c.p,c.slen) == NULL) \
        {c.line=__LINE__; goto err; } \
    c.slen-=(c.p-c.q);

and I changed it to:

#define M_ASN1_D2I_get(b,func) \
    c.q=c.p; \
    if (c.p+c.slen>c.max) \
        {c.line=__LINE__; goto err; } \
    if (func(&(b),&c.p,c.slen) == NULL) \
        {c.line=__LINE__; goto err; } \
    c.slen-=(c.p-c.q);

in crypto/pkcs7/pk7_lib.c

X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
{
    //gongxy 2000 MODIFY BEGIN
    /*
    if (PKCS7_type_is_signed(p7))
        return(X509_find_by_issuer_and_serial(p7->d.sign->cert,
            si->issuer_and_serial->issuer,
            si->issuer_and_serial->serial));
    else
        return(NULL);
    */
    if (PKCS7_type_is_signed(p7))
        return(X509_find_by_issuer_and_serial(p7->d.sign->cert,
            si->issuer_and_serial->issuer,
            si->issuer_and_serial->serial));
    if (PKCS7_type_is_signedAndEnveloped(p7))
        return(X509_find_by_issuer_and_serial(p7->d.signed_and_enveloped->cert,
            si->issuer_and_serial->issuer,
            si->issuer_and_serial->serial));
    return(NULL);
    //gongxy 2000 MODIFY END
}

Is it OK ?