PKCS7_sign() + PKCS7_sign_add_signer() + PKCS7_final() do not read stdin?
Hello everyone,

I cannot read data from stdin - like this:

    BIO *in = BIO_new_fp(stdin, BIO_NOCLOSE);
    BIO *out = BIO_new_fp(stdout, BIO_NOCLOSE);
    PKCS7 *signed_data = PKCS7_sign(NULL, NULL, NULL, in, PKCS7_NOATTR | PKCS7_DETACHED | PKCS7_PARTIAL);
    PKCS7_sign_add_signer(signed_data, sign_cert, priv_key, nonstandard_digest, PKCS7_NOATTR);
    PKCS7_final(signed_data, NULL, 0);
    PEM_write_bio_PKCS7_stream(out, signed_data, NULL, 0);

The result on the stdout is a valid signature, but of 0-byte data. STDIN is not even being read, as I see from the output of strace. In real code, I check return values of *all* OpenSSL functions and none returns an error.

What am I missing??

Thanks in advance,
Konstantin.

__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           majord...@openssl.org
Re: Zero-byte eContent container produced by PKCS7_sign() - correct?
On 2014-07-10 20:43, Dr. Stephen Henson wrote:
>>>> Is it possible to make PKCS7_sign() behave in the latter way, i.e. not
>>>> create the container with zero-byte content?
>>> Are you using the PKCS7_DETACHED flag?
>> No. I do not want a detached signature.
> Well then that's a problem. If you set PKCS7_DETACHED you get the content
> excluded, if you don't set it it is included (even if it is zero length).

Steve, thank you very much! This explains it (so easily).

Konstantin.
Zero-byte eContent container produced by PKCS7_sign() - correct?
I'm signing data with PKCS7_sign(), and the result has a 0-byte element for eContent under encapContentInfo. This is a snap from 'openssl cms -cmsout -print' of the resulting signature:

    ...
    encapContentInfo:
      eContentType: pkcs7-data (1.2.840.113549.1.7.1)
      eContent:
    ...

Or, from 'openssl asn1parse' (which clearly shows length=0):

    ...
    43:d=3 hl=2 l= 15 cons:SEQUENCE
    45:d=4 hl=2 l= 9 prim: OBJECT:pkcs7-data
    56:d=4 hl=2 l= 2 cons: cont [ 0 ]
    58:d=5 hl=2 l= 0 prim: OCTET STRING
    (next element after the SEQUENCE follows)
    ...

I would rather expect no 'eContent' block at all, like this:

    ...
    encapContentInfo:
      eContentType: pkcs7-data (1.2.840.113549.1.7.1)
      eContent: ABSENT
    ...

Or, consequently,

    ...
    43:d=3 hl=2 l= 11 cons:SEQUENCE
    45:d=4 hl=2 l= 9 prim: OBJECT:pkcs7-data
    (next element after the SEQUENCE follows)
    ...

Is it possible to make PKCS7_sign() behave in the latter way, i.e. not create the container with zero-byte content?

Thanks in advance.
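Added example (not part of the original posts, and not OpenSSL code): a small DER walker, independent of libcrypto, that tells apart the cases discussed in this thread: eContent absent (detached), present with zero length, or present with data. The two byte arrays are constructed from the asn1parse listings above; the code assumes definite-length DER, so indefinite-length BER from streaming output is reported as malformed.

```c
#include <stddef.h>
#include <stdio.h>

/* Result names are this example's own, not OpenSSL identifiers. */
enum econtent { ECONTENT_MALFORMED = -1, ECONTENT_ABSENT, ECONTENT_EMPTY, ECONTENT_PRESENT };

/* Constructed sample input: the encapContentInfo SEQUENCE at offset 43 in each listing. */
static const unsigned char EMPTY_ATTACHED[] = { 0x30, 0x0f, 0x06, 0x09, 0x2a, 0x86, 0x48,
    0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x02, 0x04, 0x00 };
static const unsigned char DETACHED[] = { 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48,
    0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01 };

/* Read one DER header (short form, or long form with 1-2 length bytes).
   Returns 0 and fills tag/val/len, or -1 if truncated or unsupported. */
static int der_tlv(const unsigned char *p, size_t n, unsigned char *tag,
                   const unsigned char **val, size_t *len)
{
    size_t hl = 2, l, i, nb;
    if (n < 2) return -1;
    *tag = p[0];
    l = p[1];
    if (l & 0x80) {
        nb = l & 0x7f;
        if (nb == 0 || nb > 2 || n < 2 + nb) return -1;
        for (l = 0, i = 0; i < nb; i++) l = (l << 8) | p[2 + i];
        hl += nb;
    }
    if (l > n - hl) return -1;          /* content must fit in the buffer */
    *val = p + hl; *len = l;
    return 0;
}

/* Classify the eContent field of a DER-encoded encapContentInfo SEQUENCE. */
enum econtent classify_econtent(const unsigned char *der, size_t n)
{
    unsigned char tag;
    const unsigned char *seq, *v, *inner;
    size_t seqlen, l, il, used;
    if (der_tlv(der, n, &tag, &seq, &seqlen) || tag != 0x30) return ECONTENT_MALFORMED;
    if (der_tlv(seq, seqlen, &tag, &v, &l) || tag != 0x06) return ECONTENT_MALFORMED;
    used = (size_t)(v - seq) + l;       /* bytes taken by eContentType */
    if (used == seqlen) return ECONTENT_ABSENT;   /* nothing after the OID: detached */
    if (der_tlv(seq + used, seqlen - used, &tag, &v, &l) || tag != 0xa0) return ECONTENT_MALFORMED;
    if (der_tlv(v, l, &tag, &inner, &il) || tag != 0x04) return ECONTENT_MALFORMED;
    return il == 0 ? ECONTENT_EMPTY : ECONTENT_PRESENT;
}

int main(void)
{
    printf("attached listing: %d, detached listing: %d\n",
           classify_econtent(EMPTY_ATTACHED, sizeof EMPTY_ATTACHED),
           classify_econtent(DETACHED, sizeof DETACHED));
    return 0;
}
```

A verifier that expects detached signatures can use such a check to reject input whose eContent is present but empty, instead of silently validating a signature over zero bytes.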
Re: Zero-byte eContent container produced by PKCS7_sign() - correct?
On Thu, 10 Jul 2014 18:32:11 +0200, Dr. Stephen Henson st...@openssl.org wrote:
> On Thu, Jul 10, 2014, Konstantin Shemyak wrote:
>> [...]
>> Is it possible to make PKCS7_sign() behave in the latter way, i.e. not
>> create the container with zero-byte content?
> Are you using the PKCS7_DETACHED flag?

No. I do not want a detached signature.

(I'm using PKCS7_NOATTR; to my understanding, it is not related to my question.)

Konstantin.