[openssl-users] PKCS7 signature process

lists lists at rustichelli.net
Wed Jun 13 06:58:02 UTC 2018


I'm very sorry for the late reply but I only read the list from time to 
time.
To my knowledge, the PKCS7_sign will init the structure taking data from 
the BIO, so if you put data in the BIO after the call to PKCS7_sign, that 
won't go into the PKCS7 structure.
Possibly, by adding the flag PKCS7_STREAM you may postpone the signature 
operation, but I never tried that.

On 05/16/2018 05:19 PM, Patrice Guérin wrote:
> Hello OpenSSL-users
>
> In the purpose of signing pdf files, I've found a difference of 
> behaviour that I can't explain between two ways of computing signatures.
> The first one leads to an error in the way that Adobe says that the 
> file was modified after signing, the second does not.
>
> First Method:
>     BIO* BioMem = BIO_new( BIO_s_mem() );
>     while ( Data )
>         BIO_write( BioMem , Data, DataLen );
>     MyPKCS7 = PKCS7_sign( Certificate, PrivateKey,NULL, BioMem , 
> PKCS7_DETACHED | PKCS7_BINARY );
>     PKCS7_final( MyPKCS7, BioMem , PKCS7_DETACHED | PKCS7_BINARY );
>     BIO* BioOut = BIO_new( BIO_s_mem() );
>     i2d_PKCS7_bio( BioOut , MyPKCS7 );
>     char*    OutBuf = NULL;
>     int OutLen = BIO_get_mem_data( BioOut , &OutBuf );
>
> Second Method:
>     BIO* BioMem = BIO_new( BIO_s_mem() );
>     MyPKCS7 = PKCS7_sign( Certificate, PrivateKey,NULL, BioMem , 
> PKCS7_DETACHED | PKCS7_BINARY );
>     while ( Data )
>         BIO_write( BioMem , Data, DataLen );
>     PKCS7_final( MyPKCS7, BioMem , PKCS7_DETACHED | PKCS7_BINARY );
>     BIO* BioOut = BIO_new( BIO_s_mem() );
>     i2d_PKCS7_bio( BioOut , MyPKCS7 );
>     char*    OutBuf = NULL;
>     int OutLen = BIO_get_mem_data( BioOut , &OutBuf );
>
> It seems that the order between PKCS7_sign and BIO_write that feeds the 
> memory BIO has an importance.
>
> Can anybody explain why the first method is incorrect?
>
> Thank you in advance
> Patrice.
