creating certificate only structure -- CMS_sign


creating certificate only structure -- CMS_sign

Michael Richardson

https://www.openssl.org/docs/man1.1.0/man3/CMS_sign.html says:
  If signcert and pkey are NULL then a certificates only CMS structure is
  output.

I am trying to create one to return in an RFC7030 (EST) /cacerts request.
It appears that it needs to be a NID_pkcs7_signed.

a) Do I need to set any flags?
b) I assume that any certificates in the STACK_OF(X509) *certs will be included?
c) Does it have to have CMS_PARTIAL or some other flags set, and then call
   CMS_final() explicitly?

I am getting
      error:2E07F068:CMS routines:CMS_final:cms lib

(I think I am dumping the entire error stack with:
        #include <stdio.h>
        #include <openssl/err.h>

        /* ERR_get_error() pops the oldest entry first; loop until the queue is
         * empty. ERR_error_string(err, NULL) returns a static buffer. */
        unsigned long err = ERR_get_error();
        while (err != 0) {
            fprintf(stderr, "error: %s\n", ERR_error_string(err, NULL));
            err = ERR_get_error();
        }

when called like:
  signcert: (nil) pkey: (nil) certs: 0x563df7fc1e30 bio: (nil), flg: 0
  (via ruby, I haven't written a C-only example yet...)

I am running with => "OpenSSL 1.1.1-dev  xx XXX xxxx", which is really
1.1.1c with a patch to the DTLS code.

Looking at CMS_dataInit(), it looks like if the contentType is not set,
and icont is NULL, and no content was provided into the CMS structure,
that it simply runs to the end and returns NULL.  Or, it is type
pkcs7_signed, and since cont and icont are NULL, it also returns NULL.
If I had run into an error, there would be additional items on the error stack.

It appears that it needs to be a NID_pkcs7_signed, so it seems that returning
with no content is what is happening.  I try adding some data to sign, but I
get the same error.

Looking at test/cmsapitest.c, I think that probably cert only payload
creation is simply not tested/implemented.  Would I be wrong here?
I haven't looked at "openssl cms" to see if it can be built that way.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [

Re: creating certificate only structure -- CMS_sign

Michael Richardson

{resending, because it did not seem to make it into the archives}