PKCS7 unsigned/signed attributes support #421
Conversation
|
Thank you for your time looking into this! Unfortunately, the PKCS#7 module hasn't got much attention since it was initially implemented in ~2005 and it's still lacking core features and documentation. :( signedAttrs/unsignedAttrs is specified in RFC 5652: SignerInfo ::= SEQUENCE {
[...],
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
[...],
unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
SignedAttributes ::= SET SIZE (1..MAX) OF Attribute
UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute
Attribute ::= SEQUENCE {
attrType OBJECT IDENTIFIER,
attrValues SET OF AttributeValue }
AttributeValue ::= ANY
[...]
attrValues is a set of values that comprise the attribute. The
type of each value in the set can be determined uniquely by
attrType. The attrType can impose restrictions on the number of
items in the set.It seems that It's probably useful to write programs in C, but I suspect it would be simpler for us to implement a wrapper for the lower-level function attrValue = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::OctetString.new("data")])
si = OpenSSL::PKCS7::SignerInfo.new(..)
si.signed_attributes = [
OpenSSL::X509::Attribute.new("attrType", attrValue),
]
They are not needed if we go with
I think so.
I don't understand the difference. They were identical when it was first introduced. openssl/openssl@60f2063
To my understanding, NIDs are mostly for convenience (so C programs can use NID_* macro) and there should be a way to pass |
| @@ -878,6 +889,24 @@ ossl_pkcs7_to_pem(VALUE self) | |||
| return str; | |||
| } | |||
|
|
|||
| static VALUE | |||
| ossl_pkcs7_finalize(VALUE self, VALUE data, VALUE flags) | |||
There was a problem hiding this comment.
PKCS7#add_data seems to do the similar thing as PKCS7_final(p7, in, PKCS7_BINARY) already.
|
|
||
| GetPKCS7(self, pkcs7); | ||
|
|
||
| int flg = NIL_P(flags) ? 0 : NUM2INT(flags); |
There was a problem hiding this comment.
Style: Until we drop support for Ruby 2.6, we have to avoid C99 features (// comments and mixed declarations and statements).
|
@rhenium so I've taken a stab at I think something's going on with Do you have any advice for how to debug this issue? |
|
A problem is that |
rxbynerd
force-pushed
the
add-pkcs7-signed-attributes-support
branch
from
e6e33ed
to
4b95ee6
Compare
|
I've moved this to the backburner as I've changed languages for this project, but I think I've got the PKCS7 authenticated attribute setter working! Testing just a setter is quite questionable though, so I think for feature completeness this PR will need a getter for the attributes of a parsed message as well. I'll figure this one out when I've got some spare cycles 👍 |
Hi there!
I'm attempting to implement a SCEP server in Ruby to produce certificates for Apple devices as part of a device management solution. As part of this, Apple confirms that the signed PKCS7 response contains both a
senderNonceandrecipientNoncein thesignedAttributesfield of the PKCS7 message. micromdm/scep has an implementation of this process written in Go.I've spent my weekend attempting to add support for PKCS7 attribute assignment to openssl-ruby, but I've hit a wall, hence the draft PR. Specifically, I have some compile errors (submitted below the fold) I've run into, and before continuing I thought it best to start a discussion about my approach to confirm I'm on the right track, and how to proceed.
I should note now that I'm very new to both C extension development & the inner workings of OpenSSL/X509/ASN.1, and I understand I may have taken an incorrect approach. Please don't hesitate to let me know how I can improve, and I would be more than happy to donate this pull request to someone more qualified so they can nurture this to completion. That said, I would really like to see the capability added to Ruby (especially as I'm not the only one asking for it), so I'm more than happy to continue work to get this PR into a mergeable state.
At this juncture, I would like a confirmation as to my approach, and the answers to the following questions:
obj_to_asn1obj&ossl_asn1_get_valuefrom outside ofossl_asn1.c? This would solve my compile error, but given my unfamiliarity with C I'm not sure how to make this happen. I'm pretty confident I only need a header declaration, but I'm sensitive to unintentionally clashing with another function somewhere.void *valuesuitable forASN1_TYPE_set(viaX509_ATTRIBUTE_createviaadd_attributeviaPKCS7_add_signed_attribute). We already do this with a long case statement inossl_asn1_get_asn1type— would it be okay to break this case statement out ofget_asn1type? I'm currently callingget_asn1typethen pulling the "value" from the returnedASN1_TYPE, which does not seem efficient or wise.PKCS7_add_signed_attribute? It seems that the last two arguments toPKCS7_add_signed_attributeare provided by the single typedvaluein#add_signed_attribute(oid, value)ObjectIdis anObjectIdin C?OpenSSL::PKCS7::PARTIALconstant but neglectedPKCS7_STREAM, as I do not have a use case nor understand it. Is it acceptable to only continue withPARTIALsupport?add_attribute-style method. Is it okay to explain in this error what's necessary to fix the issue? The PKCS7 class is notably devoid of documentation, which I'm not sure is intentional or not.Additionally I'm struggling to understand ASN.1 as a concept, especially coming from JSON/Protobuffers land where I have the ability to parse a structure into something with labels. If anyone has any further reading that could assist with this, I would be more than grateful.
Thank you for reading & maintaining this library, and I hope we can work together to get this pull request over the finish line.
Current compile errors
testharness.rb