Hi,
I'm facing a problem I can't manage to solve.
I need to create a structure like this one:
signed PKCS#7 {
signer certificate
authenticated attributes
content: enveloped PKCS#7 {
recipient certificates
enc_content: data
}
}
I know how to create an enveloped PKCS#7 alone, with data encipherment, I
know how to create a signed PKCS#7 alone, with data signature, but I don't
know how to encapsulate an enveloped PKCS#7 inside a signed PKCS#7.
Creating a signedAndEnveloped PKCS#7 is *not* an option, I *must* have
this encapsulation.
I tried these methods:
* first one: create the enveloped pkcs7, fill it with my data, turn it
into a DER stream, create the signed pkcs7, set the content to be of
type pkcs7_enveloped, create a BIO on this signed pkcs7, write the DER
stream to this BIO. That doesn't work, it core dumps when I try to i2d
the signed PKCS#7 object (maybe because the inner enveloped pkcs7
object is not fully initialized?)
* second one: create the enveloped pkcs7, fill it with my data, create
the signed pkcs7, set its content to be of type pkcs7_enveloped, change
the pointers to put my previous enveloped pkcs7 inside. That doesn't
work, when I do a i2d of the outter PKCS#7 object I get a valid PKCS#7
object, but with no data at all. Anyway, I think it won't work at all
since there's no data that has passed through the message digests
methods, so the signature should be incorrect.
* third one: create the signed pkcs7, set it's content to be of type
pkcs7_enveloped (the necessary objects are now created, even the
inner enveloped pkcs7), create a BIO for the inner enveloped pkcs7 (I
now have a BIO of type cipher, chained with a BIO of type
memorybuffer), create a BIO for the outter signed pkcs7, with the
previous BIO as an argument, so the 2 are chained, write my data to the
second BIO, the outter one (which in turn will write to my first BIO,
the inner one). That doesn't work either, I have the same core dump
when trying to do an i2d of the outter PKCS#7 object. But I also
suspect it won't work at all, since the outter BIO sees cleartext data,
where it should have seen only ciphered data.
What is the correct way to do this? Was I correct but with something
important missing? (it must be huge, huge things are the ones you usually
forget ;) ).
Thanks,
--
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
-----
Normalement un enfant a le droit de monter � l'avant de l'automobile �
partir de 10 ans, �ge � partir duquel il compte pour une personne. Avant
il ne compte que pour une demi-personne.
-+- MCG in : Guide du Neuneu d'Usenet - En voiture Simone -+-
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
