{resending, because it did not seem to make it into the archives} https://www.openssl.org/docs/man1.1.0/man3/CMS_sign.html says: If signcert and pkey are NULL then a certificates only CMS structure is output. I am trying to create one to return in an RFC7030 (EST) /cacerts request. It appears that it needs to be a NID_pkcs7_signed. a) Do I need to set any flags? b) I assume that any certificates in the STACK_OF(X509) *certs will be included? c) Does it have to have CMS_PARTIAL or some other flags set, and then call CMS_final() explicitely? I am getting error:2E07F068:CMS routines:CMS_final:cms lib (I think I am dumping the entire error stack with: unsigned long err = ERR_get_error(); while(err != 0) { fprintf(stderr, "error: %s\n", ERR_error_string(err, NULL)); err = ERR_get_error(); } when called like: signcert: (nil) pkey: (nil) certs: 0x563df7fc1e30 bio: (nil), flg: 0 (via ruby, I haven't written a C-only example yet...) I am running with => "OpenSSL 1.1.1-dev xx XXX xxxx", which is really 1.1.1c with a patch to the DTLS code. Looking at CMS_dataInit(), it looks like if the contentType is not set, and icont is NULL, and no content was provided into the CMS structure, that it simply runs to the end and returns NULL. Or, it is type pkcs7_signed, and since cont and icont are NULL, it also returns NULL. If I had run into an error, there would be additional items on the error stack. It appears that it needs to be a NID_pkcs7_signed, so it seems that returning with no content is what is happening. I try adding some data to sign, but I get the same error. Looking at test/cmsapitest.c, I think that probably cert only payload creation is simply not tested/implemented. Would I be wrong here? I haven't looked at "openssl cms" to see if it can be built that way. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@xxxxxxxxxxxx http://www.sandelman.ca/ | ruby on rails [
Attachment:
signature.asc
Description: PGP signature