Adding support for CADES → CMS_CADES flag #2349
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Francesco Bonanno <mibofra@parrotsec.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello!
So, the title seems pretty explicative.
I was trying to write an app, capable to sign and verify CAdES-BES compliant opaque signatures.
Instead of rewriting the famous wheel, I have choosen to use OpenSSL libs and API, an write it down in rust.
However, at some point, I have noticed that at the moment, rust bindings are missing CMS_CADES in CMSOptions → https://docs.rs/openssl/0.10.68/openssl/cms/struct.CMSOptions.html , that is instead present in OpenSSL since 3.0.0 https://mta.openssl.org/pipermail/openssl-commits/2019-January/021722.html (correct me if I picked up the wrong entry version).
So, as it is a simple change, I have added CMS_CADES support to the rust bindings, if you do not mind :) , as I gess others can take advantage of this!
A note, at line 50 of
openssl/src/cms.rs, I have added#[cfg(all(not(libressl), not(ossl101), not(ossl102), not(ossl110), not(ossl110g), not(ossl110h), not(ossl111), not(ossl111d)))], however, on my system fails, as probably I have wrongly choosen what to avoid or is my understading#[cfg]wrong? Or my OpenSSL version is not detected correctly? Please give feedback about, thanks. Maybe my system sees OpenSSL as known version? My version is the standard Ubuntu 24.10 packaged one, at the moment of writing→OpenSSL 3.3.1 4 Jun 2024 (Library: OpenSSL 3.3.1 4 Jun 2024)I have added this
#[cfg]and[cfg(ossl300)]on line 47 ofopenssl-sys/src/cms.rsas to avoid both LibreSSL (that seems to not have CAdES-BES support, as far as I have searched for, correct me if I am wrong) and OpenSSL versions lower than 3.0.0 (simply cms support does not have CAdES and related ESS stuffs neede for CAdES-BES signatures in lower versions).Commenting the "annoying"
#[cfg]inopenssl/src/cms.rs(the one I have added I mean), my tiny application works, and give a signed CAdES-BES compliant file, that I am adding as attachment to you to verify. Using external tools for verification, the p7m obtained seems to have a valid and without missing attributes CAdES-BES signature :) . However, as I have not yet implemented pkcs#11 to obtain certs/private keys from my smartcard, and other stuffs (I wanted to first try to see if CAdES via the rust bindings was possible at all in first palce), I have used a self-singed generated certificate to sign thetest.txtfile, with contentCIAOCIAOCIAO(yes, a really original test content :D )I am leaving as attachment a zip, with both original and signed p7m as github does support p7m as attachment.
test.zip