You may try a routine like the following by replacing all occurrences of ESS_SIGNING_CERTIFICATE by PKCS7 and changing the nid to the PKCS9 V2 defined one. Or consider (mis)using

id-aa-timeStampToken OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) aa(2) 14 }

The difference I see is that the i2d is done before setting the attribute.

int ESS_add_attrib_signcert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERTIFICATE *sc)
{
    ASN1_STRING *seq;
    unsigned char *p, *pp;
    int len;

    /* First call with NULL only returns the DER length. */
    len = i2d_ESS_SIGNING_CERTIFICATE(sc, NULL);
    if (!(pp = (unsigned char *) OPENSSL_malloc(len)))
    {
        ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    /* i2d advances the pointer it is given, so encode through a copy. */
    p = pp;
    i2d_ESS_SIGNING_CERTIFICATE(sc, &p);
    if (!(seq = ASN1_STRING_new()))
    {
        OPENSSL_free(pp);
        ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    /* ASN1_STRING_set copies the buffer, so pp can be freed afterwards. */
    if (!ASN1_STRING_set(seq, pp, len))
    {
        ASN1_STRING_free(seq);
        OPENSSL_free(pp);
        ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    OPENSSL_free(pp);
    /* Attach the pre-encoded SEQUENCE as a signed attribute. */
    return PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
                                      V_ASN1_SEQUENCE, seq);
}
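To check in a DER dump of the SignerInfo that an attribute really carries the id-aa-timeStampToken OID quoted in the message above, the arc list can be encoded by hand and compared against the bytes. This is an added example, not code from the original post or from OpenSSL; the function and constant names are hypothetical, and it uses no OpenSSL calls.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode one arc in base-128: high bit set on every byte except the last. */
static size_t put_base128(uint32_t v, unsigned char *out)
{
    unsigned char tmp[5];
    size_t n = 0, i;
    do { tmp[n++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
    for (i = 0; i < n; i++)
        out[i] = (unsigned char)(tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0x00));
    return n;
}

/* DER-encode an OID (tag 0x06, short-form length only).
 * Returns the total number of bytes written, or 0 on invalid input. */
size_t der_encode_oid(const uint32_t *arcs, size_t narcs,
                      unsigned char *out, size_t cap)
{
    unsigned char body[127];
    size_t len, i;
    /* X.690: first arc is 0..2; second arc is 0..39 unless the first is 2. */
    if (narcs < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39))
        return 0;
    if (arcs[1] > UINT32_MAX - 80)
        return 0;                       /* 40*first + second would overflow */
    len = put_base128(arcs[0] * 40 + arcs[1], body);
    for (i = 2; i < narcs; i++) {
        if (len + 5 > sizeof(body))
            return 0;                   /* would need long-form length */
        len += put_base128(arcs[i], body + len);
    }
    if (len + 2 > cap)
        return 0;
    out[0] = 0x06;                      /* OBJECT IDENTIFIER tag */
    out[1] = (unsigned char)len;
    memcpy(out + 2, body, len);
    return len + 2;
}

/* Arcs copied from the ASN.1 definition in the message above. */
const uint32_t ID_AA_TIMESTAMPTOKEN[] = {1, 2, 840, 113549, 1, 9, 16, 2, 14};

int main(void)
{
    unsigned char der[32];
    size_t i, n = der_encode_oid(ID_AA_TIMESTAMPTOKEN, 9, der, sizeof(der));
    for (i = 0; i < n; i++) printf("%02X ", der[i]);
    printf("\n");
    return n ? 0 : 1;
}
```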