[openssl-users] How to produce a nested CMS / PKCS#7 structure?

Wim Lewis wiml at omnigroup.com
Mon Nov 28 21:33:51 UTC 2016

On Nov 25, 2016, at 12:43 PM, Dr. Stephen Henson <steve at openssl.org> wrote:
> Something like that did happen for PKCS#7 but the  OCTET STRING encapsulation
> is correct for CMS.

Aha, and this difference is called out in RFC5652 [5.2.1]. Thanks, that clarifies things for me a little. So typically it's only the outermost ContentInfo that directly embeds a CMS object without an intervening OCTET STRING, and other structures use EncapsulatedContentInfo instead of ContentInfo.

However, I think the other half of my problem remains: if I'm putting another CMS object into a SignedData, AuthEnvelopedData, or other kind of wrapper, the OCTET STRING should contain the encoding of that object's structure (e.g. a BER-encoded AuthEnvelopedData, SignedData, ContentWithAttributes, etc. structure), not a ContentInfo *containing* that structure, right? How do I get OpenSSL to give me that encoded object without an enclosing ContentInfo?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161128/35c16819/attachment.html>

More information about the openssl-users mailing list