Zero-byte eContent container produced by PKCS7_sign() - correct?
I'm signing data with PKCS7_sign(), and the result has a 0-byte element for eContent under encapContentInfo. This is a snap from 'openssl cms -cmsout -print' of the resulting signature: ... encapContentInfo: eContentType: pkcs7-data (1.2.840.113549.1.7.1) eContent: ... Or, from 'openssl asn1parse' (which clearly shows length=0): ... 43:d=3 hl=2 l= 15 cons:SEQUENCE 45:d=4 hl=2 l= 9 prim: OBJECT:pkcs7-data 56:d=4 hl=2 l= 2 cons: cont [ 0 ] 58:d=5 hl=2 l= 0 prim: OCTET STRING (next element after the SEQUENCE follows) ... I would rather expect no 'eContent' block at all, like this: ... encapContentInfo: eContentType: pkcs7-data (1.2.840.113549.1.7.1) eContent: ABSENT ... Or, consequently, ... 43:d=3 hl=2 l= 11 cons:SEQUENCE 45:d=4 hl=2 l= 9 prim: OBJECT:pkcs7-data (next element after the SEQUENCE follows) ... Is it possible to make PKCS7_sign() behave in the latter way, i.e. not create the container with zero-byte content? Thanks in advance. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Zero-byte eContent container produced by PKCS7_sign() - correct?
On Thu, Jul 10, 2014, Konstantin Shemyak wrote: I'm signing data with PKCS7_sign(), and the result has a 0-byte element for eContent under encapContentInfo. This is a snap from 'openssl cms -cmsout -print' of the resulting signature: ... encapContentInfo: eContentType: pkcs7-data (1.2.840.113549.1.7.1) eContent: ... Or, from 'openssl asn1parse' (which clearly shows length=0): ... 43:d=3 hl=2 l= 15 cons:SEQUENCE 45:d=4 hl=2 l= 9 prim: OBJECT:pkcs7-data 56:d=4 hl=2 l= 2 cons: cont [ 0 ] 58:d=5 hl=2 l= 0 prim: OCTET STRING (next element after the SEQUENCE follows) ... I would rather expect no 'eContent' block at all, like this: ... encapContentInfo: eContentType: pkcs7-data (1.2.840.113549.1.7.1) eContent: ABSENT ... Or, consequently, ... 43:d=3 hl=2 l= 11 cons:SEQUENCE 45:d=4 hl=2 l= 9 prim: OBJECT:pkcs7-data (next element after the SEQUENCE follows) ... Is it possible to make PKCS7_sign() behave in the latter way, i.e. not create the container with zero-byte content? Are you using the PKCS7_DETACHED flag? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Zero-byte eContent container produced by PKCS7_sign() - correct?
On Thu, 10 Jul 2014 18:32:11 +0200, Dr. Stephen Henson st...@openssl.org wrote: On Thu, Jul 10, 2014, Konstantin Shemyak wrote: [...] Is it possible to make PKCS7_sign() behave in the latter way, i.e. not create the container with zero-byte content? Are you using the PKCS7_DETACHED flag? No. I do not want a detached signature. (I'm using PKCS7_NOATTR; to my understanding, it is not related to my question.) Konstantin. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Zero-byte eContent container produced by PKCS7_sign() - correct?
On Thu, Jul 10, 2014, Konstantin Shemyak wrote: On Thu, 10 Jul 2014 18:32:11 +0200, Dr. Stephen Henson st...@openssl.org wrote: On Thu, Jul 10, 2014, Konstantin Shemyak wrote: [...] Is it possible to make PKCS7_sign() behave in the latter way, i.e. not create the container with zero-byte content? Are you using the PKCS7_DETACHED flag? No. I do not want a detached signature. Well then that's a problem. If you set PKCS7_DETACHED you get the content excluded, if you don't set it it is included (even if it is zero length). Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Certificate problem - SOLVED
From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton Sent: Tuesday, July 08, 2014 20:33 On Tue, Jul 8, 2014 at 7:00 PM, Dave Thompson dthomp...@prinpay.com wrote: From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton Sent: Tuesday, July 08, 2014 16:20 ... Not sure if this is any consolation, but countryName is a DirectoryString, and PrintableString is OK per RFC 5280 (http://tools.ietf.org/html/rfc5280#section-4.1.2.6): Actually it's not. 4.1.2.4 Issuer says Name.RDN.AVA values are 'generally' DirectoryString, but see appendix A on p115: countryName is PrintableString size(2), presumably because its allowed values are from ISO 3166 which in turn uses ASCII letters. So countryName is not PrintableString? countryName IS PrintableString. countryName is specified as exactly PrintableString, unlike other fields which are specified as DirectoryString where DirectoryString is CHOICE that includes PrintableString as one option so those fields MAY BE PrintableString. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: About RC4 decryption.
Hi! Have you already solved this problem? I have the same problem -- View this message in context: http://openssl.6102.n7.nabble.com/About-RC4-decryption-tp18745p51980.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
