    sign-file: Generate CMS message as signature instead of PKCS#7 · ed8c2076
    David Howells authored
    Make sign-file use the OpenSSL CMS routines to generate a message to be
    used as the signature blob instead of the PKCS#7 routines.  This allows us
    to change how the matching X.509 certificate is selected.  With PKCS#7 the
    only option is to match on the serial number and issuer fields of an X.509
    certificate; with CMS, we also have the option of matching by subjectKeyId
    extension.  The new behaviour is selected with the "-k" flag.
    
    Without the -k flag specified, the output is pretty much identical to the
    PKCS#7 output.
    
    Whilst we're at it, don't include the S/MIME capability list in the message
    as it's irrelevant to us.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Reviewed-By: David Woodhouse <David.Woodhouse@intel.com>
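
The two certificate-matching modes the commit message describes differ in the `sid` field of each CMS SignerInfo (RFC 5652): issuer plus serial number is a SEQUENCE with SignerInfo version 1, subjectKeyId is a `[0]` implicit tag with version 3. The following is an added example, not code from sign-file.c or the kernel tree, that reports which form a DER-encoded signature blob uses; the helper names and the skeleton sample blobs are constructed for illustration.

```python
# Added example, not from sign-file.c: classify each SignerInfo's signer id.
def tlvs(buf):
    """Split DER bytes into (tag, value) pairs; single-byte tags only."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                       # long-form length in next k bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER value")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def signer_id_kinds(cms_der):
    """Return [(SignerInfo version, sid kind)] for a CMS SignedData blob."""
    content = tlvs(tlvs(cms_der)[0][1])[1][1]      # inside [0] EXPLICIT
    set_tag, signer_infos = tlvs(tlvs(content)[0][1])[-1]   # last field
    if set_tag != 0x31:
        raise ValueError("signerInfos SET not found")
    kinds = []
    for _, info in tlvs(signer_infos):
        (_, ver), (sid_tag, _) = tlvs(info)[:2]
        kind = {0x30: "issuerAndSerialNumber",     # SEQUENCE
                0x80: "subjectKeyIdentifier"}.get(sid_tag, "unknown")  # [0]
        kinds.append((int.from_bytes(ver, "big"), kind))
    return kinds

# Constructed skeleton blobs: structure only, no real certificate or signature.
OID_PREFIX = bytes.fromhex("06092a864886f70d0107")  # + 01 data, + 02 signedData

def der(tag, *parts):
    body = b"".join(parts)
    assert len(body) < 0x80                # short-form lengths suffice here
    return bytes([tag, len(body)]) + body

def sample(version, sid):
    info = der(0x30, der(0x02, bytes([version])), sid,
               der(0x30), der(0x30), der(0x04, b"\x00"))
    sd = der(0x30, der(0x02, bytes([version])), der(0x31),
             der(0x30, OID_PREFIX + b"\x01"), der(0x31, info))
    return der(0x30, OID_PREFIX + b"\x02", der(0xA0, sd))

ISSUER_SERIAL = der(0x30, der(0x30), der(0x02, b"\x2a"))  # empty Name, serial 42
KEY_ID = der(0x80, bytes(range(20)))                      # constructed 20-byte id
```

A verifier that only looks certificates up by issuer and serial number will not find the signer for a blob reported as `subjectKeyIdentifier`, so this check is useful when signing and verifying tools are updated separately.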
sign-file.c 6.46 KB