[openssl-users] smime -sign changes?
weber at infotech.de
Wed Mar 9 15:10:53 UTC 2016
Sorry, my fault. The file to be signed couldn't be hashed correctly due
to an error while applying a patch to the original sources.
Please ignore the issue.
--
Christian Weber
On 09.03.2016 at 15:13, weber at infotech.de wrote:
> Dear openssl users,
>
> We have been using openssl for quite a long time. For code signing
> we're still using separate p7s files.
> Hence, in our development environment, we integrated code signing via
> the command line (batch):
>
> openssl smime -sign -in %1 -out %1.p7s -outform der -signer
> integritycert.cert.pem -inkey integritycert.key.pem -binary -noattr
>
> We found that newer (detached) signatures cannot be successfully
> verified within our (and other) applications since the migration from
> version 1.0.1h to 1.0.2d. It seems like the signatures are broken.
>
> We noticed that the default digest algorithm has changed from sha1 to
> sha256, which is currently documented differently. The command-line
> tool's usage output says nothing about the implemented -md option.
>
> Within our application we call:
> int p7flags = PKCS7_BINARY | PKCS7_NOSMIMECAP | PKCS7_NOVERIFY |
> PKCS7_NOCHAIN | PKCS7_NOSIGS;
> int rc = PKCS7_verify(p7, 0, 0, indata, out, p7flags);
>
> and get back 0 instead of 1 while the error stack stays empty.
>
> Surely current (and probably future) applications should use the
> (newer) cms variant, but the
> older smime should still work.
>
> We neither found a report concerning this issue on the users
> mailing list nor tracked down the issue itself.
>
> Heard about this issue before? Any idea?
>
> Thanks in advance
> --
> Christian Weber
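
Added example, not part of the original thread: a shell check that signs with the flags from the post plus an explicit `-md`, reads back the digest algorithm recorded in the `.p7s`, and shows that a detached signature stops verifying once the content file changes after signing. The key, certificate, payload and function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway key, certificate and payload in a temp directory.

make_fixture() {   # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 || return 1
    printf 'sample payload\n' > "$1/data.bin"
}

# Same flags as the command in the post, plus -md so the digest does not
# depend on the installed version's default. $1 = work dir, $2 = digest name
sign_detached() {
    openssl smime -sign -in "$1/data.bin" -out "$1/data.bin.p7s" -outform der \
        -signer "$1/cert.pem" -inkey "$1/key.pem" -binary -noattr -md "$2" \
        2>/dev/null
}

# Print the digest algorithm recorded in the SignedData structure. $1 = .p7s
sig_digest() {
    openssl asn1parse -inform der -in "$1" 2>/dev/null |
        awk -F: '/OBJECT/ && $NF ~ /^sha[0-9]+$/ { print $NF; exit }'
}

# Check a detached signature against the content file. -noverify skips only
# certificate chain validation (the demo cert is self-signed); the digest and
# signature are still checked. $1 = .p7s, $2 = content file
verify_detached() {
    openssl smime -verify -inform der -in "$1" -content "$2" -binary \
        -noverify -out /dev/null 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" && sign_detached "$d" sha256 || return 1
    echo "digest in signature: $(sig_digest "$d/data.bin.p7s")"
    verify_detached "$d/data.bin.p7s" "$d/data.bin" && echo "original: OK"
    printf 'patched\n' >> "$d/data.bin"   # content altered after signing
    verify_detached "$d/data.bin.p7s" "$d/data.bin" || echo "modified: FAIL"
    rm -rf "$d"
}
demo
```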