[openssl-users] Is it possible to add eContent to a signedData which has no signers

Martin, Neil Neil.Martin at ncr.com
Fri Feb 6 10:08:35 UTC 2015


I'd like to know if it is possible to add eContent to a signedData which has no signers?

The ANS X9 TR34 technical report defines a rebind token as having the following structure.

SignedData (inner content):
   There are no digestAlgorithms included.
   The EncapsulatedContentInfo eContentType is id-data.
   The EncapsulatedContentInfo eContent includes an identifier as an
      issuerAndSerialNumber field.
   1 Certificate is included in the certificates field.
   The CRL field is omitted.
   There are no signers on the content.

SignedData (outer content):
   The digestAlgorithms field specifies id-sha256 : '2.16.840.'.
   The EncapsulatedContentInfo eContentType is id-signedData.
   The certificates field is omitted.
   1 CRL is included in the crl field.
   IssuerAndSerialNumber is chosen for SignerInfo SignerIdentifier.
   The current certificate owner identifier is included in the SignerInfos
     issuerAndSerialNumber field.
   The SignerInfo digestAlgorithm field specifies id-sha256 : '2.16.840.'.
   The random number, is included as random nonce authenticated attribute
     within SignerInfo SignedAttributes.
   The signatureAlgorithm is specified as id-sha256WithRSAEncryption.
   The unsignedAttrs field is omitted.

My problem is I can't include the eContent in the inner content.
In the following code, CMS_final for the inner content fails.

#include <openssl/bio.h>
#include <openssl/cms.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>

// LPCSTR is the Windows typedef for const char*.
// CreateIssuerAndSerialNumberSequence() is my own helper (not shown) that
// DER-encodes the IssuerAndSerialNumber of the given certificate into the BIO.

void CreateRebindToken(X509* deviceCertificate, X509* currentCertificate, EVP_PKEY* currentPrivateKey, X509* newCertificate, X509_CRL* crl, LPCSTR tokenFile)
{
    int rc = 0;

    // Prepare the inner content: a SignedData with no signers
    CMS_ContentInfo* cms = CMS_sign(NULL, NULL, NULL, NULL, CMS_PARTIAL);

    rc = CMS_add1_cert(cms, newCertificate);

    BIO* eContentBio = BIO_new(BIO_s_mem());
    CreateIssuerAndSerialNumberSequence(deviceCertificate, eContentBio);

    // This fails, presumably because no signer has been added.
    // How can eContent be added to a SignedData structure with no signers?
    rc = CMS_final(cms, eContentBio, NULL, CMS_NOATTR | SMIME_BINARY);

    rc = BIO_free(eContentBio);
    eContentBio = NULL;

    // Cache the inner content cms in DER format, then free the cms
    eContentBio = BIO_new(BIO_s_mem());
    rc = i2d_CMS_bio(eContentBio, cms);
    CMS_ContentInfo_free(cms);
    cms = NULL;

    // Prepare the outer content: a new SignedData wrapping the inner DER
    cms = CMS_sign(NULL, NULL, NULL, NULL, CMS_PARTIAL);

    // The outer eContentType is id-signedData, not the default id-data
    rc = CMS_set1_eContentType(cms, OBJ_nid2obj(NID_pkcs7_signed));

    rc = CMS_add1_crl(cms, crl);
    CMS_SignerInfo* si = CMS_add1_signer(cms, currentCertificate, currentPrivateKey, EVP_sha256(), CMS_NOATTR | CMS_NOCERTS);
    rc = CMS_final(cms, eContentBio, NULL, SMIME_BINARY);

    rc = BIO_free(eContentBio);
    eContentBio = NULL;

    // Write the token to file in DER format
    BIO* bio = BIO_new_file(tokenFile, "wb");
    rc = i2d_CMS_bio(bio, cms);

    // Cleanup
    rc = BIO_free(bio);
    bio = NULL;

    CMS_ContentInfo_free(cms);
    cms = NULL;
}

