[openssl-users] smime -sign changes?
weber at infotech.de
Wed Mar 9 14:13:06 UTC 2016
Dear openssl users,
we've been using openssl for quite a long time. For code signing we're
still using separate p7s files.
Hence, in our development environment, we integrated code signing by
commandline (batch):
openssl smime -sign -in %1 -out %1.p7s -outform der -signer
integritycert.cert.pem -inkey integritycert.key.pem -binary -noattr
We found that newer (detached) signatures are no longer successfully verifiable
within our (and other) applications since migrating from version 1.0.1h to 1.0.2d.
It seems like the signatures were broken.
We noticed that the default digest algorithm has changed from sha1 to sha256,
which is currently documented differently. The commandline tool's usage output
says nothing about the implemented -md option.
Within our application we call:
int p7flags = PKCS7_BINARY | PKCS7_NOSMIMECAP | PKCS7_NOVERIFY |
PKCS7_NOCHAIN | PKCS7_NOSIGS;
int rc = PKCS7_verify(p7, 0, 0, indata, out, p7flags);
and get back 0 instead of 1 while the error stack stays empty.
Surely current (and probably future) applications should use the (newer) cms
variant, but the older smime should still work.
We neither found a report concerning this issue on the users mailing list nor
traced down the issue itself.
Heard about this issue before? Any idea?
Thanks in advance
--
Christian Weber
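Added example, not part of the original post: the batch line from the message with the digest pinned explicitly via -md, followed by a check of which digest the detached DER p7s actually records and a verification that mirrors PKCS7_NOVERIFY. It assumes an `openssl` binary in PATH; the key, certificate and payload are constructed throwaway values, not the poster's integritycert files.

```shell
#!/bin/sh
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway signing key and self-signed certificate.
gen_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=integritycert-example" \
        -keyout "$WORK/integritycert.key.pem" \
        -out "$WORK/integritycert.cert.pem" >/dev/null 2>&1
    printf 'constructed payload to be signed\n' > "$WORK/payload.bin"
}

# Same flags as the posted batch line, plus -md so the digest no longer
# depends on the OpenSSL version's default (sha1 in 1.0.1, sha256 in 1.0.2).
sign_detached() {  # $1 = digest name, e.g. sha256
    openssl smime -sign -in "$WORK/payload.bin" -out "$WORK/payload.bin.$1.p7s" \
        -outform der -signer "$WORK/integritycert.cert.pem" \
        -inkey "$WORK/integritycert.key.pem" -binary -noattr -md "$1"
}

# First digest OID named in the p7s: the SignedData digestAlgorithms set,
# which precedes the embedded certificate in the DER structure.
signature_digest() {  # $1 = digest used when signing
    openssl asn1parse -inform der -in "$WORK/payload.bin.$1.p7s" \
        | grep -o 'sha[0-9]*' | head -n 1
}

# Verify the detached signature against the original content; -noverify
# skips chain validation like PKCS7_NOVERIFY in the poster's C code.
verify_detached() {  # $1 = digest used when signing
    openssl smime -verify -inform der -in "$WORK/payload.bin.$1.p7s" \
        -content "$WORK/payload.bin" -binary -noverify -out /dev/null 2>/dev/null
}

gen_signer
sign_detached sha256
echo "signature records digest: $(signature_digest sha256)"
verify_detached sha256 && echo "sha256 detached signature verifies"
```

Running `signature_digest` on a p7s produced by the unpinned command on each OpenSSL version shows directly whether the two sides disagree on the digest.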