
CMS: Adding signers should gen a content type attribute#8944

Closed
slontis wants to merge 4 commits into openssl:master from slontis:cms_issue8923

@slontis slontis commented May 17, 2019

Fixes #8923

Found using the openssl cms -resign option.
This uses an alternate path to do the signing which was not adding the required signed attribute
content type. This attribute should always exist since it is required if there are any signed attributes.
As the signing time attribute is always added in code, then the content type attribute is also always required.

Checklist
  • documentation is added or updated
  • tests are added or updated

@slontis slontis changed the title CMS: Adding signers should gen a content type attribute WIP: CMS: Adding signers should gen a content type attribute May 24, 2019

slontis commented May 25, 2019

#8117 needs to be merged for verify -cades to work after -resign is used.

@slontis slontis changed the title WIP: CMS: Adding signers should gen a content type attribute CMS: Adding signers should gen a content type attribute May 27, 2019
@slontis slontis closed this May 27, 2019
@slontis slontis reopened this May 27, 2019
@mattcaswell mattcaswell added branch: 1.1.1 Applies to OpenSSL_1_1_1-stable branch (EOL) branch: master Applies to master branch labels May 28, 2019

slontis commented May 28, 2019

Last commit contains the changes + updated commit messages

@slontis slontis closed this May 29, 2019
@slontis slontis reopened this May 29, 2019
@openssl openssl deleted a comment from ping May 29, 2019
slontis added 4 commits May 29, 2019 13:47
Fixes openssl#8923

Found using the openssl cms -resign option.
This uses an alternate path to do the signing which was not adding the required signed attribute
content type. The content type attribute should always exist since it is required if there are
any signed attributes.
As the signing time attribute is always added in code, the content type attribute is also required.
The CMS_si_check_attributes() method adds validity checks for signed and unsigned attributes
e.g. The message digest attribute is a signed attribute that must exist if any signed attributes
exist, it cannot be an unsigned attribute and there must only be one instance containing a single
value.
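
The attribute rules named in the commit message above, as an added example that is not part of the commit and is not OpenSSL's `CMS_si_check_attributes()` code. It is a simplified model: `struct attr`, `check_si_attributes()`, the error names and the `resign_case` sample are hypothetical, and applying the message digest constraints to content type as well is an assumption taken from RFC 5652 section 11.1.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of one attribute: its OID and how many values it carries. */
struct attr { const char *oid; int nvalues; };

#define OID_CONTENT_TYPE   "1.2.840.113549.1.9.3"
#define OID_MESSAGE_DIGEST "1.2.840.113549.1.9.4"

enum si_err { SI_OK, SI_MISSING_REQUIRED, SI_DUPLICATE, SI_BAD_VALUE_COUNT,
              SI_NOT_ALLOWED_UNSIGNED };

/* Constructed sample: signed attributes holding only signing time (-resign bug). */
const struct attr resign_case[] = { { "1.2.840.113549.1.9.5", 1 } };

/* Count instances of oid; *bad is set if any instance lacks exactly one value. */
static int count_attr(const struct attr *set, size_t n, const char *oid, int *bad)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(set[i].oid, oid) != 0)
            continue;
        found++;
        if (set[i].nvalues != 1)
            *bad = 1;
    }
    return found;
}

/* Hypothetical checker: applies the rules to content type and message digest. */
enum si_err check_si_attributes(const struct attr *sig, size_t nsig,
                                const struct attr *unsig, size_t nunsig)
{
    static const char *required[] = { OID_CONTENT_TYPE, OID_MESSAGE_DIGEST };

    for (size_t i = 0; i < 2; i++) {
        int bad = 0, ignore = 0;
        int in_signed = count_attr(sig, nsig, required[i], &bad);

        if (count_attr(unsig, nunsig, required[i], &ignore) > 0)
            return SI_NOT_ALLOWED_UNSIGNED;  /* must never be unsigned */
        if (nsig > 0 && in_signed == 0)
            return SI_MISSING_REQUIRED;      /* signed attrs exist without it */
        if (in_signed > 1)
            return SI_DUPLICATE;             /* only one instance allowed */
        if (bad)
            return SI_BAD_VALUE_COUNT;       /* instance must hold one value */
    }
    return SI_OK;
}
```

A SignerInfo with no signed attributes at all passes, because both attributes become mandatory only once any signed attribute is present.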
@mattcaswell mattcaswell added the approval: done This pull request has the required number of approvals label May 29, 2019
levitte pushed a commit that referenced this pull request Jun 3, 2019
Fixes #8923

Found using the openssl cms -resign option.
This uses an alternate path to do the signing which was not adding the required signed attribute
content type. The content type attribute should always exist since it is required if there are
any signed attributes.
As the signing time attribute is always added in code, the content type attribute is also required.
The CMS_si_check_attributes() method adds validity checks for signed and unsigned attributes
e.g. The message digest attribute is a signed attribute that must exist if any signed attributes
exist, it cannot be an unsigned attribute and there must only be one instance containing a single
value.

Reviewed-by: Matt Caswell <[email protected]>
(Merged from #8944)
levitte pushed a commit that referenced this pull request Jun 3, 2019
Fixes #8923

Found using the openssl cms -resign option.
This uses an alternate path to do the signing which was not adding the required signed attribute
content type. The content type attribute should always exist since it is required if there are
any signed attributes.
As the signing time attribute is always added in code, the content type attribute is also required.
The CMS_si_check_attributes() method adds validity checks for signed and unsigned attributes
e.g. The message digest attribute is a signed attribute that must exist if any signed attributes
exist, it cannot be an unsigned attribute and there must only be one instance containing a single
value.

Reviewed-by: Matt Caswell <[email protected]>
(Merged from #8944)

(cherry picked from commit 19e512a)

slontis commented Jun 3, 2019

Merged to master and 1_1_1

Successfully merging this pull request may close these issues.

openssl cms -resign dosn't work properly
