NativeCrypto: empty data content for PKCS7 container

The EncapsulatedContentInfo must be present in the output, but OpenSSL
will fill in a zero-length OID if you don't call PKCS7_set_content on the
outer PKCS7 container. So we construct an empty PKCS7 data container and
set it as the content. This fixes the invalid PKCS7 output.

(cherry picked from commit 525df9b12c1eb77db9f1b2b8fa5d41f779b9afa6)

Bug: 18664989
Change-Id: I6f4cf785dd02ee40f1951d098fa987aa25d2421a
diff --git a/src/main/native/org_conscrypt_NativeCrypto.cpp b/src/main/native/org_conscrypt_NativeCrypto.cpp
index 0392dac..4c4270a 100644
--- a/src/main/native/org_conscrypt_NativeCrypto.cpp
+++ b/src/main/native/org_conscrypt_NativeCrypto.cpp
@@ -5867,6 +5867,22 @@
         return NULL;
     }
 
+    // The EncapsulatedContentInfo must be present in the output, but OpenSSL
+    // will fill in a zero-length OID if you don't call PKCS7_set_content on the
+    // outer PKCS7 container. So we construct an empty PKCS7 data container and
+    // set it as the content.
+    Unique_PKCS7 pkcs7Data(PKCS7_new());
+    if (PKCS7_set_type(pkcs7Data.get(), NID_pkcs7_data) != 1) {
+        throwExceptionIfNecessary(env, "PKCS7_set_type data");
+        return NULL;
+    }
+
+    if (PKCS7_set_content(pkcs7.get(), pkcs7Data.get()) != 1) {
+        throwExceptionIfNecessary(env, "PKCS7_set_content");
+        return NULL;
+    }
+    OWNERSHIP_TRANSFERRED(pkcs7Data);
+
     ScopedLongArrayRO certs(env, certsArray);
     for (size_t i = 0; i < certs.size(); i++) {
         X509* item = reinterpret_cast<X509*>(certs[i]);