Dear Stephen,
Thanks for your advice. Following is our code for generating a PKCS#7
signed-data:
===================================================================
// Declarations (added for completeness): x509Signer and pkey are the NST_* wrapper
// structs whose .x / .pkey members hold the underlying OpenSSL X509 and EVP_PKEY
PKCS7 *p7s = NULL;
PKCS7_SIGNER_INFO *si = NULL;
BIO *p7bio = NULL, *bio = NULL;
BUF_MEM bm;
int ret;
memset(&bm, 0, sizeof(bm));   // BIO_set_mem_buf needs a zeroed BUF_MEM to grow into
// Read Signer's Certificate
ret = NST_X509_read(&x509Signer, SignerCert, SignerCertLen);
// read RSA private key
ret = NST_EVP_PKEY_read(&pkey, 0, SignerPrivateKey, SignerPrivateKeyLen);
// create a new envelope structure and set type as signed
p7s = PKCS7_new();
PKCS7_set_type(p7s, NID_pkcs7_signed);
// set signature parameters
si = PKCS7_add_signature(p7s, x509Signer.x, pkey.pkey, EVP_sha1());
// If you do this then you get signing time automatically added
PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
                           OBJ_nid2obj(NID_pkcs7_data));
/* we may want to add more */
if (ifAddCertificate)
    PKCS7_add_certificate(p7s, x509Signer.x);
/* Set the content of the signed to 'data' */
PKCS7_content_new(p7s, NID_pkcs7_data);
PKCS7_set_detached(p7s, 1);
// If we didn't call this function, an exception would occur when performing
// BIO_write(..)
// create pkcs7 bio
p7bio = PKCS7_dataInit(p7s, NULL);
// write data to pkcs7 bio
BIO_write(p7bio, Data, DataLen);
BIO_flush(p7bio);
// do pkcs7 procedure
PKCS7_dataFinal(p7s, p7bio);
// write pkcs7 result with PEM format
bio = BIO_new(BIO_s_mem());
BIO_set_mem_buf(bio, &bm, BIO_NOCLOSE);
PEM_write_bio_PKCS7(bio, p7s);
*EVPLen = bm.length;   // PEM bytes are in bm.data; BIO_NOCLOSE leaves them to the caller
end:
if (p7s != NULL)
    PKCS7_free(p7s);
NST_X509_free(&x509Signer);
NST_EVP_PKEY_free(&pkey);
if (p7bio != NULL)
    BIO_free_all(p7bio);   // PKCS7_dataInit returns a BIO chain, so free the whole chain
if (bio != NULL)
    BIO_free(bio);
return ret;
-----Original Message-----
From: Dr Stephen Henson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Sent: 30 September 1999 09:42 AM
Subject: Re: PKCS#7 Signed-data problem
>> Cathy Yeh wrote:
>>
>> Hi all,
>>
>> I'm working on packing PKCS#7 Signed-data type with latest OpenSSL
>> snap-shot. However, if we did not call
>> "PKCS7_set_detached(p7s,1)" function to set it as detached type,
>> exception would occur after calling BIO_write(..) to write data to
>> PKCS7 structure. It seems the function ( PKCS7_set_detached(..) ) is
>> required to generate a Signed package. But apparently the following
>> verification would fail since no detached file was supplied. Did
>> anyone meet the same situation? How did you solve this problem? Please
>> kindly give your advice or comment. Thanks!
>
>Unless this is the Windows threaded problem (not using the /MD option
>for multithreaded DLL) it's not clear what your problem is from the
>description. Can you give some more info or a code sample?
>
>If you set the data to be detached then the data is not included in the
>PKCS#7 structure, this is used in S/MIME multipart/signed for example.
>You then have to supply the same data to the verify process as in
>crypto/pkcs7/verify.c
>
>Steve.
>--
>Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
>Personal Email: [EMAIL PROTECTED]
>Senior crypto engineer, Celo Communications: http://www.celocom.com/
>Core developer of the OpenSSL project: http://www.openssl.org/
>Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]