pkcs7.js - findRecipient about forge HOT 3 CLOSED

I'm pretty sure that the current code is correct for this. It may be that the PKCS#7 spec's name choice for an attribute (issuerAndSerialNumber) is questionable. However, the spec RFC 2315 says the following in section 10.2:

The fields of type RecipientInfo have the following meanings:

issuerAndSerialNumber specifies the recipient's
certificate (and thereby the recipient's
distinguished name and public key) by issuer
distinguished name and issuer-specific serial
number

If that's the case, and the method is supposed to use the recipient's certificate to fetch the recipient from the message, then I believe it is currently doing the right thing, ie: using the certificate's subject (which should be that of the recipient) and comparing it against the RecipientInfo's issuerAndSerialNumber property.

I'm going to close this for now, but if my reading of the spec is inaccurate, feel free to reopen it.

from forge.

Dave,
thanks for looking into this. I was initially confused as well, but if you look at the precise wording of the RFC 2315, it says "issuer distinguished name", i.e. the DN of the issuer - not the subject. It kind of makes sense, as the combination of (issuer name, serial number generated by that issuer) should uniquely identify a certificate.

Also, if you look at other implementations, they seem to use issuer and serial number (and not subject and serial number) as well. E.g. in Bouncy Castle, src/org/bouncycastle/cms/RecipientInformationStore.java, method getRecipients()

So, I will (try to) reopen this.

from forge.

Ok, I'll take another look when I get a chance.

from forge.