Problems I've found so far are things like: RFC3369 says to put the cmc message into a SignedData object. cmcEnroll.exe does this, but then it puts the Signed Data object into a ContentInfo object. Netscape CA 6.2 likes the Signed Data object.
RFC3369 says to use CMSVersion 1 in a SignerInfo object when using SignerIdentifier.ISSUER_AND_SERIALNUMBER. cmcEnroll.exe uses CMSVersion 3. Netscape CA 6.2 likes CMSVersion 3 here.
RFC3369 section 5.4 says to get the hash when calculating a signature for a ContentInfo object, you must replace the IMPLICIT [0] tag on the encoded SignedAttributes field with an EXPLICIT SET OF tag, then proceed hashing the SignedAttribute object with the new tag. I don't know how cmcEnroll does this, but the verify() method in SignerInfo (JSS 3.4) re-calculates the hash with a SET OF tag (without EXPLICIT encoding).
I built my application according to RFC3369, but I need to throw that all away and construct my cmc messages accoring to the way that Netscape CA 6.2 expects to see them.
Do you know how Netscape CA 6.2 (or cmcEnroll.exe) calculates the signature on a cmc message? The source code to cmcEnroll.exe would be particularly helpful.
TIA _______________________________________________ Mozilla-security mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-security
