Fix ASN.1 for S/MIME capabilities.

facutuesca · facutuesca · commit 6ef8e9f2c61b · 2024-02-09T18:28:23.000+01:00
The current implementation defines the SMIMECapabilities attribute
so that its value is a SEQUENCE of all the algorithm OIDs that are
supported.
However, the S/MIME v3 spec (RFC 2633) specifies that each algorithm
should be specified in its own SEQUENCE:

SMIMECapabilities ::= SEQUENCE OF SMIMECapability

SMIMECapability ::= SEQUENCE {
   capabilityID OBJECT IDENTIFIER,
   parameters ANY DEFINED BY capabilityID OPTIONAL }

(RFC 2633, Appendix A)

This commit changes the implementation so that each algorithm
is inside its own SEQUENCE. This also matches the OpenSSL
implementation.
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
@@ -104,9 +104,9 @@ fn sign_and_serialize<'p>(
         // Subset of values OpenSSL provides:
         // https://github.com/openssl/openssl/blob/667a8501f0b6e5705fd611d5bb3ca24848b07154/crypto/pkcs7/pk7_smime.c#L150
         // removing all the ones that are bad cryptography
-        AES_256_CBC_OID,
-        AES_192_CBC_OID,
-        AES_128_CBC_OID,
+        &asn1::SequenceOfWriter::new([AES_256_CBC_OID]),
+        &asn1::SequenceOfWriter::new([AES_192_CBC_OID]),
+        &asn1::SequenceOfWriter::new([AES_128_CBC_OID]),
     ]))?;
 
     let py_signers: Vec<(
