
Re: [iaik-ssl] [Fwd: [iaik-jce] PKCS#7 compatibility problem.]



Hi Dieter.

  The problem occurs when the OpenSSL library parses the PKCS#7 in PEM
format. I use a wrapped ContentInfo, i.e., the data being signed goes
within the PKCS#7. The equivalent definition using the OpenSSL is the
undetached version of the pkcs7. Have you tried these compatibility
tests with other toolkits?

  I mentioned the Ismael Blesa mail because I thought (and excuse me if
I'm wrong) that there might exist more variations than the explicit and
implicit mode. This also came to my mind due to the apparent
incompatibility between the OpenSSL and IAIK implementation.

Best regards,

Dieter Bratko wrote:
> 
> >  I have done a program using SSLeay to verify PKCS#7 objects in PEM
> > format and extract the contents of such objects. This works pretty well
> > with J/Crypto toolkit from Baltimore but I can't make it work with IAIK
> > toolkit and I followed the SignedData example using the PemOutputStream.
> > I am using the JCE Applet Edition, latest version (downloaded 3 days ago).
> 
> Please give some more information about this problem. Where does the error
> occur, and what kind of error is it? Does it occur when creating the
> SignedData and writing it out? Or when parsing a PKCS#7 object? Do you deal
> with a pure SignedData, or - as usually - is it wrapped into a ContentInfo?
> 
> > Another thing that worries me a bit is a problem that occurred in the
> > mailing list (Ismael Blesa) with a PKCS#7 object that, from what I could
> > understand, has to be dealt with a different approach. I have already
> > understood that with PKCS#7 objects you can put the data inline or
> > outside, with the PKCS#7 serving in the last case as a signature
> > "provider". Which differences between different formats can occur
> > besides this one?
> 
> What mail of Ismael Blesa do you mean?
> A ContentInfo may have no content field. The content of a SignedData object
> is presented as a ContentInfo. If it does not include the content field,
> only the content type of the content is specified, and the content has to be
> transmitted by other means (see RFC 2315). Within IAIK-JCE this is called
> "explicit" mode. It is, for instance, used for multipart/signed S/MIME
> messages. For actual transmission, usually the SignedData itself is wrapped
> into a ContentInfo.
> 
> Dieter Bratko
> 
> ----- Original Message -----
> From: Bruno Salgueiro <bs@sibs.pt>
> To: IAIK List <iaik-jce@iaik.tu-graz.ac.at>
> Cc: IAIK List <iaik-ssl@iaik.tu-graz.ac.at>
> Sent: Wednesday, September 08, 1999 1:23 PM
> Subject: [iaik-ssl] [Fwd: [iaik-jce] PKCS#7 compatibility problem.]
> 
> Hi to all.
> 
>   I'm sorry if you receive this mail duplicate but I haven't found
> any answers on this subject. We need to know this because we are
> evaluating Java toolkits and in particular IAIK toolkit.
> 
>   Any help will be necessary.
> 
> Best regards,
> --
> =======================================================
> Bruno Salgueiro       (mailto:bs@sibs.pt)
> 
> SIBS - Sociedade Interbancária de Serviços
> Rua Soeiro Pereira Gomes, Lote 1, 1600 Lisboa, Portugal
> 
> Tel: + 351 1 791 88 33
> Fax: + 351 1 793 50 80
> http://www.sibs.pt
> 
> This message was signed with a MULTIcert certificate.
> To obtain the certificate of the MULTIcert PILOT
> Certification Authority, go to the site
>             http://www.sibs.multicert.com
> 
> "Computers are useless. They can only give you answers."
>                                         --Pablo Picasso
> =======================================================

-- 
=======================================================
Bruno Salgueiro       (mailto:bs@sibs.pt)
                   
SIBS - Sociedade Interbancária de Serviços
Rua Soeiro Pereira Gomes, Lote 1, 1600 Lisboa, Portugal

Tel: + 351 1 791 88 33
Fax: + 351 1 793 50 80
http://www.sibs.pt

This message was signed with a MULTIcert certificate.
To obtain the certificate of the MULTIcert PILOT
Certification Authority, go to the site
            http://www.sibs.multicert.com

"Computers are useless. They can only give you answers."
                                        --Pablo Picasso
=======================================================
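
Added example (not part of this thread and not code from OpenSSL or IAIK-JCE): a structural check for the two variations discussed above, whether a PEM/DER PKCS#7 SignedData is wrapped into a ContentInfo and whether its inner ContentInfo includes the content field or omits it (the "explicit" mode). The function names and sample bytes are constructed for illustration; the OID values are the RFC 2315 data and signedData content types, and no signature is verified.

```python
import base64

OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos=0):
    """Read one definite-length DER element; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("BER indefinite length is not handled by this sketch")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                       # split a constructed value into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def pem_to_der(pem):
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def describe_pkcs7(der):
    """Report whether a SignedData is ContentInfo-wrapped and carries its content."""
    tag, val, _ = read_tlv(der)
    items = children(val) if tag == 0x30 else []
    wrapped = bool(items) and items[0][0] == 0x06   # ContentInfo starts with an OID
    if wrapped:
        if items[0][1] != OID_SIGNED_DATA or len(items) < 2 or items[1][0] != 0xA0:
            raise ValueError("ContentInfo does not carry a signedData content")
        items = children(read_tlv(items[1][1])[1])  # [0] EXPLICIT -> SignedData
    if len(items) < 3 or items[0][0] != 0x02 or items[2][0] != 0x30:
        raise ValueError("not a PKCS#7 SignedData")
    inner = children(items[2][1])                   # the signed content's ContentInfo
    return {"wrapped": wrapped, "content_included": len(inner) > 1 and inner[1][0] == 0xA0}

def tlv(tag, value):                                # short-form encoder for the samples
    return bytes([tag, len(value)]) + value

def sample(with_content, wrap):                     # constructed, structure-only SignedData
    inner = tlv(0x06, OID_DATA) + (tlv(0xA0, tlv(0x04, b"hello")) if with_content else b"")
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, inner) + tlv(0x31, b""))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, sd)) if wrap else sd
```

Running describe_pkcs7(pem_to_der(...)) on the output of each toolkit shows which of the four shapes it emits, which is the first thing to compare when one library rejects another's PEM.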
