I'm facing a problem I can't manage to solve.
I need to create a structure like this one:
signed PKCS#7 {
    signer certificate
    authenticated attributes
    content: enveloped PKCS#7 {
        recipient certificates
        enc_content: data
    }
}
I know how to create an enveloped PKCS#7 alone, with data encipherment, I
know how to create a signed PKCS#7 alone, with data signature, but I don't
know how to encapsulate an enveloped PKCS#7 inside a signed PKCS#7.
Creating a signedAndEnveloped PKCS#7 is *not* an option, I *must* have
this encapsulation.
I tried these methods:
* first one: create the enveloped pkcs7, fill it with my data, turn it
into a DER stream, create the signed pkcs7, set the content to be of
type pkcs7_enveloped, create a BIO on this signed pkcs7, write the DER
stream to this BIO. That doesn't work, it core dumps when I try to i2d
the signed PKCS#7 object (maybe because the inner enveloped pkcs7
object is not fully initialized?)
* second one: create the enveloped pkcs7, fill it with my data, create
the signed pkcs7, set its content to be of type pkcs7_enveloped, change
the pointers to put my previous enveloped pkcs7 inside. That doesn't
work: when I do an i2d of the outer PKCS#7 object I get a valid PKCS#7
object, but with no data at all. Anyway, I think it won't work at all
since there's no data that has passed through the message digests
methods, so the signature should be incorrect.
* third one: create the signed pkcs7, set its content to be of type
pkcs7_enveloped (the necessary objects are now created, even the
inner enveloped pkcs7), create a BIO for the inner enveloped pkcs7 (I
now have a BIO of type cipher, chained with a BIO of type
memory buffer), create a BIO for the outer signed pkcs7, with the
previous BIO as an argument, so the 2 are chained, write my data to the
second BIO, the outer one (which in turn will write to my first BIO,
the inner one). That doesn't work either, I have the same core dump
when trying to do an i2d of the outer PKCS#7 object. But I also
suspect it won't work at all, since the outer BIO sees cleartext data,
where it should have seen only ciphered data.
What is the correct way to do this? Was I correct but with something
important missing? (it must be huge, huge things are the ones you usually
forget ;) ).
Thanks,
--
Erwann ABALEA <eab...@certplus.com> - RSA PGP Key ID: 0x2D0EABD5
-----
Normally a child is allowed to sit in the front of the car from the age of
10, the age from which they count as one person. Before that they only
count as half a person.
-+- MCG in : Guide du Neuneu d'Usenet - En voiture Simone -+-
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Don't know, yet :-) This isn't something I've ever tried. The relevant
code may not properly handle this construct.
However first thing: is that really what you want to do? The usual
reason for doing this is to generate a "signed and encrypted" S/MIME
message which isn't the above structure at all.
Also this is one of the areas of incompatibility between PKCS#7 and CMS (as
used in S/MIME v3). If you want to do the equivalent in CMS it's a different
structure but with a more logical layout.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: stephen...@gemplus.com PGP key: via homepage.
On Thu, 14 Feb 2002, Erwann ABALEA wrote:
> Hi,
>
> I'm facing a problem I can't manage to solve.
>
> I need to create a structure like this one:
>
> signed PKCS#7 {
> signer certificate
> authenticated attributes
> content: enveloped PKCS#7 {
> recipient certificates
> enc_content: data
> }
> }
>
> I know how to create an enveloped PKCS#7 alone, with data encipherment, I
> know how to create a signed PKCS#7 alone, with data signature, but I don't
> know how to encapsulate an enveloped PKCS#7 inside a signed PKCS#7.
>
> Creating a signedAndEnveloped PKCS#7 is *not* an option, I *must* have
> this encapsulation.
>
The 1st variant looks fine to me. One may output the enveloped DER into
a memory buffer, just to discover exactly what fails, in case the core dump
would not go away.
good luck,
Vadim
> Erwann ABALEA wrote:
> >
> > Hi,
> >
> > I'm facing a problem I can't manage to solve.
> >
> > I need to create a structure like this one:
> >
> > signed PKCS#7 {
> > signer certificate
> > authenticated attributes
> > content: enveloped PKCS#7 {
> > recipient certificates
> > enc_content: data
> > }
> > }
> >
> > I know how to create an enveloped PKCS#7 alone, with data encipherment, I
> > know how to create a signed PKCS#7 alone, with data signature, but I don't
> > know how to encapsulate an enveloped PKCS#7 inside a signed PKCS#7.
> >
> > Creating a signedAndEnveloped PKCS#7 is *not* an option, I *must* have
> > this encapsulation.
> >
> [snip]
> >
> > What is the correct way to do this?
>
> Don't know, yet :-) This isn't something I've ever tried. The relevant
> code may not properly handle this construct.
I'm writing my code using OpenSSL 0.9.6c; I haven't tried the CVS version
yet. The 0.9.6c code can easily read such structures, but I have to verify
and decrypt using 2 passes:
- the first time, I don't try to decrypt the inner content, and I can
then verify the signature
- the second time, I can decrypt the content
That means creating 2 BIOs, but it doesn't matter in my application, as I
already do these operations in 2 passes.
> However first thing: is that really what you want to do? The usual
> reason for doing this is to generate a "signed and encrypted" S/MIME
> message which isn't the above structure at all.
Yeah, I *need* to do this. It's not related to S/MIME. In fact, I have to
interface with the VeriSign OnSite, and their interface uses an old RFC
draft, now obsoleted. It was named CRS; it has been replaced and
extended later by CMS, but VeriSign still uses the old one. The CRS draft
defines this structure. As I just wrote, I'm already able to read such
messages, but not create them.
> Also this is one of the areas of incompatibility between PKCS#7 and CMS (as
> used in S/MIME v3). If you want to do the equivalent in CMS it's a different
> structure but with a more logical layout.
I haven't proofread CMS yet ('cause I don't really need it by now), but
I'll take a glance at it.
--
Erwann ABALEA <eab...@certplus.com> - RSA PGP Key ID: 0x2D0EABD5
-----
Yesterday, without meaning to, I sent a virus over the Internet
that an ill-intentioned person had given me, to everyone.
I ask them to forgive me.
-+- RP in : GNU - Le retour du fils de la vengeance d'Henry -+-
> On Thu, 14 Feb 2002, Dr S N Henson wrote:
>
> > Erwann ABALEA wrote:
> > >
> > > Hi,
> > >
> > > I'm facing a problem I can't manage to solve.
> > >
> > > I need to create a structure like this one:
> > >
> > > signed PKCS#7 {
> > > signer certificate
> > > authenticated attributes
> > > content: enveloped PKCS#7 {
> > > recipient certificates
> > > enc_content: data
> > > }
> > > }
It works now. I forgot that I also had to perform a few 'hacks' in order
to verify the signature, because native OpenSSL code can't verify the
signature of such a structure.
Now I can create those. I had to:
- create a signed pkcs7, set it to detached
- transform my enveloped pkcs7 to DER into a BIO
- read the first 23 bytes of the BIO (it's a magic value, in real life it
has to be calculated) to 'consume' them
- create a BIO on the signed pkcs7
- write to the signed BIO the rest of the partly-consumed BIO (write into
the second one the rest of the first)
- finalize the signed BIO
- set the signed pkcs7 to non-detached
- place my enveloped pkcs7 in the signed pkcs7->d.sign->contents
- and I get it
Hard to do it right... :(
The process of 'consuming' the first bytes of the inner enveloped pkcs7
allows me to verify the signature on the outer signed pkcs7 (what is
signed is the contents of the enveloped pkcs7, without the first tag and
length). Natively, OpenSSL doesn't handle this situation correctly.
I also have a request for a change in OpenSSL: remove the automatically
added 'signingTime' attribute... If a developer wants it to be there, he
should explicitly put it there. In my case, I don't want it, but I can't
do that without modifying the OpenSSL source code, which I'd like to avoid
as much as possible.
--
Erwann ABALEA <eab...@certplus.com> - RSA PGP Key ID: 0x2D0EABD5
-----
It's really silly, but with OE 4 I can no longer send
mail (...) even though I can connect to the net and
send mail,... Please please save me...
-+- JC in GNU : Docteur, quand je fais ca, je n'y arrive pas ! -+-
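The "first 23 bytes" in the recipe above are the DER headers that sit in front of the EnvelopedData value: the ContentInfo SEQUENCE header, the contentType OID, the [0] EXPLICIT header and the EnvelopedData SEQUENCE header (4 + 11 + 4 + 4 bytes when every length takes the two-byte long form, which is what makes the count 23). The C below is an added example, not code from the thread or from OpenSSL: it computes that offset from the actual headers instead of hardcoding 23, over constructed sample ContentInfos (function names and the zero-filled sample bodies are mine).

```c
#include <stdint.h>
#include <string.h>

/* contentType id-envelopedData (1.2.840.113549.1.7.3) as a DER OID TLV. */
static const uint8_t OID_ENVELOPED[11] = {0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x03};
/* Parse a DER tag+length at buf[*pos]; advance *pos past it and return the content length,
 * or -1 if the tag differs or the length is indefinite/oversized/truncated. */
static long der_header(const uint8_t *buf, size_t len, size_t *pos, uint8_t tag)
{
    size_t p = *pos, n;
    long clen = 0;
    if (p + 2 > len || buf[p] != tag || buf[p + 1] == 0x80) return -1;
    n = buf[p + 1] < 0x80 ? 0 : buf[p + 1] & 0x7f;           /* n == 0: short form */
    if (n == 0) clen = buf[p + 1]; else if (n > 3 || p + 2 + n > len) return -1;
    for (p += 2; n-- > 0; p++) clen = (clen << 8) | buf[p];  /* long form: n octets */
    if ((size_t)clen > len - p) return -1;                   /* runs past the buffer */
    *pos = p; return clen;
}
/* Offset of the first value octet of the inner EnvelopedData SEQUENCE. The bytes before it
 * (ContentInfo hdr, OID, [0] hdr, EnvelopedData hdr) are the poster's "first 23 bytes". */
long pkcs7_inner_value_offset(const uint8_t *der, size_t len)
{
    size_t pos = 0;
    if (der_header(der, len, &pos, 0x30) < 0) return -1;                /* ContentInfo */
    if (der_header(der, len, &pos, 0x06) != 9 ||
        memcmp(der + pos, OID_ENVELOPED + 2, 9) != 0) return -1;        /* contentType */
    pos += 9;
    if (der_header(der, len, &pos, 0xa0) < 0) return -1;                /* [0] EXPLICIT */
    if (der_header(der, len, &pos, 0x30) < 0) return -1;                /* EnvelopedData */
    return (long)pos;
}
/* Constructed sample (zero bytes instead of a real EnvelopedData body), all lengths short. */
static const uint8_t SAMPLE_SHORT[21] =
    "\x30\x13" "\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x03" "\xa0\x06" "\x30\x04" "\0\0\0\0";
/* Same structure with inner_len (256..900) body bytes so that every length needs the
 * two-byte long form 0x82 hh ll; returns the offset computed over the built buffer. */
long sample_long_offset(size_t inner_len)
{
    static uint8_t buf[1024];
    size_t lens[3] = { 11 + 4 + 4 + inner_len, 4 + inner_len, inner_len }, n = 0;
    uint8_t tags[3] = { 0x30, 0xa0, 0x30 };
    if (inner_len < 256 || inner_len > 900) return -1;
    for (int i = 0; i < 3; i++) {
        buf[n++] = tags[i]; buf[n++] = 0x82;
        buf[n++] = (uint8_t)(lens[i] >> 8); buf[n++] = (uint8_t)lens[i];
        if (i == 0) { memcpy(buf + n, OID_ENVELOPED, 11); n += 11; }   /* OID follows hdr */
    }
    memset(buf + n, 0, inner_len);
    return pkcs7_inner_value_offset(buf, n + inner_len);
}
```

With short-form lengths the same structure puts the value at offset 17, so a fixed 23 would digest the wrong octets; computing the offset from the headers avoids that.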