PKCS7 signature process


PKCS7 signature process

Patrice Guérin-2
Hello OpenSSL-users

For the purpose of signing PDF files, I've found a difference of
behaviour that I can't explain between two ways of computing signatures.
The first one leads to an error, in that Adobe says the file was
modified after signing; the second does not.

First Method:
     BIO* BioMem = BIO_new( BIO_s_mem() );
     while ( Data )
         BIO_write( BioMem, Data, DataLen );
     PKCS7* MyPKCS7 = PKCS7_sign( Certificate, PrivateKey, NULL, BioMem,
                                  PKCS7_DETACHED | PKCS7_BINARY );
     PKCS7_final( MyPKCS7, BioMem, PKCS7_DETACHED | PKCS7_BINARY );
     BIO* BioOut = BIO_new( BIO_s_mem() );
     i2d_PKCS7_bio( BioOut, MyPKCS7 );
     char* OutBuf = NULL;
     int OutLen = BIO_get_mem_data( BioOut, &OutBuf );

Second Method:
     BIO* BioMem = BIO_new( BIO_s_mem() );
     PKCS7* MyPKCS7 = PKCS7_sign( Certificate, PrivateKey, NULL, BioMem,
                                  PKCS7_DETACHED | PKCS7_BINARY );
     while ( Data )
         BIO_write( BioMem, Data, DataLen );
     PKCS7_final( MyPKCS7, BioMem, PKCS7_DETACHED | PKCS7_BINARY );
     BIO* BioOut = BIO_new( BIO_s_mem() );
     i2d_PKCS7_bio( BioOut, MyPKCS7 );
     char* OutBuf = NULL;
     int OutLen = BIO_get_mem_data( BioOut, &OutBuf );

It seems that the order of PKCS7_sign and the BIO_write calls that feed the
memory BIO matters.

Can anybody explain why the first method is incorrect?

Thank you in advance
Patrice.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: PKCS7 signature process

lists-161

I'm very sorry for the late reply but I only read the list from time to
time.
To my knowledge, PKCS7_sign will init the structure taking data from
the BIO, so if you put data in the BIO after the call to PKCS7_sign, that
won't go into the PKCS7 structure.
Possibly, by adding the flag PKCS7_STREAM you may postpone the signature
operation, but I never tried that.

On 05/16/2018 05:19 PM, Patrice Guérin wrote: