
Re: [iaik-ssl] [Fwd: [iaik-jce] PKCS#7 compatibility problem.] (S/MIME Warning)

Title: IAIK S/MIME Mapper Security Warning
There are no problems when parsing PEM encoded PKCS#7 ContentInfo objects with OpenSSL 0.94.
I also tried it with SSLeay-0.9.0 and it worked. However, I don't know what kind of error you got and what version of OpenSSL you used; it would be preferable to try the new 0.94 version.
Here is the source of an example for creating a PKCS#7 object that was successfully parsed with OpenSSL (in fact it's the createSignedDataStream method of the demo.pkcs.PKCS7Stream class, extended by the last lines for creating a ContentInfo and writing it PEM encoded to a file). You may compare it against your implementation:
  // needs: java.io.*, java.security.NoSuchAlgorithmException, iaik.asn1.*,
  //        iaik.asn1.structures.*, iaik.pkcs.*, iaik.pkcs.pkcs7.*
  public void createSignedDataStream(byte[] message, int mode) throws PKCSException, IOException {
    System.out.println("Create a new message signed by user 1:");
    // we are testing the stream interface
    ByteArrayInputStream is = new ByteArrayInputStream(message);
    // create a new SignedData object which includes the data
    SignedDataStream signed_data = new SignedDataStream(is, mode);
    // SignedData shall include the certificate chain for verifying
    // ("certificates" is an assumed name for the class's X509Certificate[] chain field)
    signed_data.setCertificates(certificates);
    // cert at index 0 is the user certificate
    IssuerAndSerialNumber issuer = new IssuerAndSerialNumber(user1);
    // create a new SignerInfo
    SignerInfo signer_info = new SignerInfo(issuer, AlgorithmID.sha, user1_pk);
    // create some authenticated attributes
    // the message digest attribute is automatically added
    Attribute[] attributes = new Attribute[2];
    // content type is data
    attributes[0] = new Attribute(ObjectID.contentType, new ASN1Object[] {ObjectID.pkcs7_data});
    // signing time is now
    attributes[1] = new Attribute(ObjectID.signingTime, new ASN1Object[] {new ChoiceOfTime().toASN1Object()});
    // set the attributes
    signer_info.setAuthenticatedAttributes(attributes);
    // finish the creation of SignerInfo by calling method addSigner
    try {
      signed_data.addSignerInfo(signer_info);
      // another SignerInfo without authenticated attributes and MD5 as hash algorithm
      signer_info = new SignerInfo(new IssuerAndSerialNumber(user2),
          AlgorithmID.md5, user2_pk);
      // the message digest itself is protected
      signed_data.addSignerInfo(signer_info);
    } catch (NoSuchAlgorithmException ex) {
      throw new PKCSException("No implementation for signature algorithm: " + ex.getMessage());
    }
    // write the data through SignedData to any out-of-band place
    if (mode == SignedDataStream.EXPLICIT) {
      InputStream data_is = signed_data.getInputStream();
      byte[] buf = new byte[1024];
      int r;
      while ((r = data_is.read(buf)) > 0)
        ;   // skip data
    }
    // choose the output file depending on the mode
    String fileName = null;
    if (mode == SignedDataStream.IMPLICIT) {
      fileName = "test_data/pkcs7/contentInfoImplOld.pem";
    } else {
      fileName = "test_data/pkcs7/contentInfoExplOld.pem";
    }
    java.io.FileOutputStream fos = new java.io.FileOutputStream(fileName);
    String startDelimiter = "-----BEGIN PKCS7-----";
    String endDelimiter = "-----END PKCS7-----";
    iaik.utils.PemOutputStream pos = new iaik.utils.PemOutputStream(fos, startDelimiter, endDelimiter);
    // wrap the SignedData into a ContentInfo and write it PEM encoded with block size 2048
    // (the block-size variant of writeTo is assumed from the demo's original comment)
    ContentInfoStream cis = new ContentInfoStream(signed_data);
    cis.writeTo(pos, 2048);
    pos.close();
  }

Dieter Bratko
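
A structural check for a PEM file like the ones written above, as an added example that is not part of the original message or of the IAIK or OpenSSL code: it decodes the `-----BEGIN PKCS7-----` block, confirms the outer ContentInfo carries the signedData OID, and reports whether BER indefinite-length encoding is used, which is worth comparing when two encoders disagree. All function names are hypothetical and the two sample byte strings are constructed stubs, not real signed messages.

```python
import base64
import re

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # pkcs7-signedData
# Constructed stubs: ContentInfo { signedData OID, [0] { empty SEQUENCE } }
SAMPLE_DEFINITE = bytes.fromhex("300f06092a864886f70d010702a0023000")
SAMPLE_INDEFINITE = bytes.fromhex("308006092a864886f70d010702a0803080000000000000")

def to_pem(der, label="PKCS7"):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

def pem_to_der(pem_text, label="PKCS7"):
    m = re.search("-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem_text, re.S)
    if not m:
        raise ValueError("no %s PEM block found" % label)
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos):
    """Return (tag, length, content_start); length is None for indefinite form."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:                       # BER indefinite length
        return tag, None, pos
    if first < 0x80:                        # short form
        return tag, first, pos
    n = first & 0x7F                        # long form: n length octets follow
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def inspect_content_info(pem_text):
    der = pem_to_der(pem_text)
    tag, outer_len, pos = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must start with a SEQUENCE")
    tag, oid_len, pos = read_tlv(der, pos)
    if tag != 0x06 or oid_len is None:
        raise ValueError("contentType OBJECT IDENTIFIER expected")
    oid = decode_oid(der[pos:pos + oid_len])
    tag, content_len, _ = read_tlv(der, pos + oid_len)
    if tag != 0xA0:
        raise ValueError("[0] EXPLICIT content expected")
    return {"content_type": oid, "is_signed_data": oid == OID_SIGNED_DATA,
            "indefinite_length": outer_len is None or content_len is None}
```
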