authorNikos Mavrogiannopoulos <nmav@redhat.com>2015-12-16 14:02:56 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-12-16 14:03:57 +0100
commit6cc022a099f3d13a8da59850a553a050703a01e7 (patch)
tree020574b3fe15ad46b9fbeee42ea6c05e40042f3f /lib/x509/pkcs7.c
parent0dd5c078ad6db71f60a107dc0cdf78637baeafe1 (diff)
pkcs7: use the PK_PKIX1_RSA_OID when writing RSA signature OIDs for PKCS#7 structures
That is because there are implementations which cannot cope with the normal RSA signature OIDs. Relates #59
Diffstat (limited to 'lib/x509/pkcs7.c')
-rw-r--r--lib/x509/pkcs7.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index ad527deb7b..b09e7c8a42 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -2051,7 +2051,12 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
/* write the signature algorithm */
pk = gnutls_x509_crt_get_pk_algorithm(signer, NULL);
- ret = _gnutls_x509_write_sig_params(pkcs7->signed_data, "signerInfos.?LAST.signatureAlgorithm", pk, dig);
+ /* RFC5652 is silent on what the values would be and initially I assumed that
+ * typical signature algorithms should be set. However RFC2315 (PKCS#7) mentions
+ * that a generic RSA OID should be used. We switch to this "unexpected" value
+ * because some implementations cannot cope with the "expected" signature values.
+ */
+ ret = _gnutls_x509_write_sig_params(pkcs7->signed_data, "signerInfos.?LAST.signatureAlgorithm", pk, dig, 1);
if (ret < 0) {
gnutls_assert();
goto cleanup;
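Review bot: The trailing `1` added to the `_gnutls_x509_write_sig_params(...)` call is a bare flag, and the comment above it gives the rationale without saying what the argument selects. A short note on the call would help, e.g. `/* 1: write the generic RSA OID (PK_PKIX1_RSA_OID) rather than the hash-specific signature OID */`. With the generic OID the signatureAlgorithm field presumably no longer names the hash, so it is worth confirming that the verification path takes the digest from the SignerInfo digestAlgorithm and accepts both encodings, and that a non-RSA `pk` is unaffected by the flag; none of this is visible in the hunk. `pk` is also passed on without a check for a negative return from `gnutls_x509_crt_get_pk_algorithm`, so an `if (pk < 0)` guard before the call would keep an error code from being used as an algorithm. The body of `gnutls_pkcs7_sign` starts and ends outside the hunk.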