Hi,
Since commit e0bd2a2 the method CMSSignedData.replaceSigners() overrides the version of the SignedData structure. In the version 1.84 CMSSignedData preserves the fields and replaces the last one with the SignerInfo, but after this commit it calls the SignedData constructor which triggers a call to SignedData.calculateVersion() and changes the original version.
This is an issue in the Microsoft Authenticode ecosystem because the signatures must have the version set to 1 to be recognized.
Also note that this commit hasn't been released in bc-java yet, but it was picked in the bc-lts-java 2.73.11 release, which is an issue on its own I think for a LTS version.
https://github.com/bcgit/bc-lts-java/blob/74b6c85114320edece32013954bb676de290396b/pkix/src/main/java/org/bouncycastle/cms/CMSSignedData.java#L619
Hi,
Since commit e0bd2a2 the method
CMSSignedData.replaceSigners()overrides the version of theSignedDatastructure. In the version 1.84CMSSignedDatapreserves the fields and replaces the last one with the SignerInfo, but after this commit it calls the SignedData constructor which triggers a call toSignedData.calculateVersion()and changes the original version.This is an issue in the Microsoft Authenticode ecosystem because the signatures must have the version set to 1 to be recognized.
Also note that this commit hasn't been released in bc-java yet, but it was picked in the bc-lts-java 2.73.11 release, which is an issue on its own I think for a LTS version.
https://github.com/bcgit/bc-lts-java/blob/74b6c85114320edece32013954bb676de290396b/pkix/src/main/java/org/bouncycastle/cms/CMSSignedData.java#L619