[openssl-users] PKCS7->signerInfo->encryptedDigest not type X509_SIG
Michael Heide
michael.heide at student.uni-siegen.de
Sun Sep 20 08:51:26 UTC 2015
Am Sat, 19 Sep 2015 23:09:16 +0200 schrieb Jakob Bohm <jb-openssl at wisemo.com>:
> 1. The error should not call this "plain", this would lead
> to the same misunderstanding I had earlier.
Right. I'm not an advanced english speaker, I shouldn't name it at all. ;-)
Btw. In the meantime I think my last suggestion for a patch is poor. Still handling this kind of signatures as an error would fail/stop the whole verification process and if this happens with some intermediate certificate, then the application cannot turn this into a successful verification (AFAIK).
I haven't found a way to make it configurable, yet. That is to not change OpenSSLs default behaviour but have an option to let it accept those kind of signatures.
> 3. It would be really nice if someone in the know would
> explain under which conditions this alternative signature
> algorithm is used and/or necessary.
Yes.
I've found only a single time stamping service so far.
Regards
Michael
More information about the openssl-users
mailing list