Signing with two different versions of Openssl
Eduardo Chappa
alpine.chappa at yandex.com
Fri Jun 19 06:21:13 UTC 2020
Dear all,
I am trying to understand why the same code for the Alpine email program
behave differently when compiling it with two different versions of
Openssl. I have tried many variations of the official code, to no avail.
Maybe here someone can point me in the right direction.
The git repository for the code is located at
https://repo.or.cz/alpine.git
The code that creates detached signatures is in the file pith/smime.c. The
flow more or less goes as follows
flags = PKCS7_DETACHED | PKCS7_PARTIAL;
if((p7 = PKCS7_sign(NULL, NULL, chain, in, flags)) != NULL
&& PKCS7_sign_add_signer(p7, pcert->cert, pcert->key, md, flags))
PKCS7_final(p7, in, flags);
i2d_PKCS7_bio(out, p7);
(void) BIO_flush(out);
The "in" and "out" BIOs are memory buffers. The out BIO is internally
base64 encoded and attached.
Does anyone here see why a code like this would succeed in creating valid
signed messages when the same code in Alpine is built with version OpenSSL
1.1.0i-fips 14 Aug 2018, but not with OpenSSL 1.1.1g 21 Apr 2020 (and I
believe with any of the versions 1.1.1 series).
The exact details of the code are in the repository (address above) in the
file pith/smime.c, starting around line 3766.
Thank you for any insights.
--
Eduardo
More information about the openssl-users
mailing list