Re: PKCS7_decrypt vs RSA OAEP padding

2021-04-12 Thread Eliot Lear
Hi Michal, CMS has limited backward compatibility with PKCS#7.  This is discussed in RFC 5652, and includes some suggestions as to how to some issues that might crop up.  At least the old draft of SCEP very specifically does NOT specify CMS, bu

Re: Goodbye

2020-07-03 Thread Eliot Lear
Can we please put the knives away?  Rich has given a lot to this community.  As an openssl user, I'd rather the conversation moved along.

PHP interface and CMS_STREAM flag for cms_encrypt()/cms_sign()

2020-05-18 Thread Eliot Lear
Hi there, I am now just tidying up the PHP interface for CMS, which is an analog to the PKCS#7 interface.  As all the inputs are file names, one wonders if there is any possibility of the CMS_STREAM flag ever being a reasonable option.  If it is not, it will simplify the code. Eliot

some testers needed for PHP CMS calls

2020-03-10 Thread Eliot Lear
Hi everyone, If anyone is interested, I have attempted to port the OpenSSL CMS routines into PHP.  The code is available in a PR at https://github.com/php/php-src/pull/5251.  Comments/reviews most welcome. Eliot

Re: [openssl-users] in the department of "ain't no perfect"

2019-01-18 Thread Eliot Lear
On 17.01.19 21:20, Hubert Kario wrote: > then I'd say that showing the date from within the signature will be more > confusing than helpful to the administrator Never mind the date, you can't even get the expiration error programmatically.

Re: [openssl-users] in the department of "ain't no perfect"

2019-01-17 Thread Eliot Lear
On 17.01.19 17:29, Hubert Kario wrote: > > alternatively, you can save all the certificates and revocation data, bind it > to the original signature using a timestamp from a TSA and store that (that's > necessary if you want to be able to prove to some 3rd party that you received > a correctly

Re: [openssl-users] in the department of "ain't no perfect"

2019-01-16 Thread Eliot Lear
Hi Hubert On 16.01.19 12:27, Hubert Kario wrote: > For maintaining signatures that need to be valid long into the future > standards like CAdES should be used. They keep time of signing in timestamps > signed by trusted time-stamping authorities, along with the rest of > revocation > data nece

Re: [openssl-users] in the department of "ain't no perfect"

2019-01-15 Thread Eliot Lear
Hi Rich and thanks for your response.  Please see below. On 15.01.19 21:12, Salz, Rich via openssl-users wrote: >> like a way to extract the signature date from a CMS structure. With all the >> opaque structs that have been introduced in the last few releases, it's not >> clear to me how to do

[openssl-users] in the department of "ain't no perfect"

2019-01-15 Thread Eliot Lear
I realize things haven't been made easy to do this on purpose, and that there's even a comment in one of the man pages to that effect, but here goes... I have an application that requires long-lived signatures, perhaps long past the point where the signer's cert has expired.  I'd like a way to ext