openssl cms resign with RSA-PSS corrupts the CMS(?)
Alon Bar-Lev
alon.barlev at gmail.com
Fri Feb 19 07:45:31 UTC 2021
Hello OpenSSL masters,
Can someone please try to reproduce the below issue?
Thanks,
Alon
On Sat, 13 Feb 2021 at 23:23 Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> Hello,
>
> I am trying to resign a CMS using the openssl tool.
>
> When I use RSA-PKCS1 everything is working fine.
>
> When I use RSA-PSS it seems like the asn1 is produced corrupted, I do not
> see the signature in asn1dump.
>
> I prepared a demo[1] to help people reproduce the issue, tested with
> openssl-1.1.1i.
>
> The script output pasted below shows that CMS resign without PSS works
> correctly, while the same sequence with PSS produces a corrupted CMS file.
>
> What am I doing wrong?
>
> Regards,
> Alon Bar-Lev
>
> [1] https://github.com/alonbl/openssl-cms-pss
>
> ---
>
> ===============
> CMS without PSS
> ===============
> cms -sign 1.cms
> cms -verify 1.cms
> hello world
> Verification successful
> cms -resign 1.cms to 2.cms
> cms -verify 2.cms
> hello world
> Verification successful
> ===============
> CMS with PSS
> ===============
> cms -sign 1.cms
> cms -verify 1.cms
> hello world
> Verification successful
> cms -resign 1.cms to 2.cms
> cms -verify 2.cms
> Error reading S/MIME message
> 140438977062208:error:0D078079:asn1 encoding
> routines:asn1_item_embed_d2i:field
> missing:../crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
> 140438977062208:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:../crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm,
> Type=CMS_SignerInfo
> 140438977062208:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:../crypto/asn1/tasn_dec.c:614:Field=signerInfos, Type=CMS_SignedData
> 140438977062208:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:../crypto/asn1/tasn_dec.c:646:
> 140438977062208:error:0D08403A:asn1 encoding
> routines:asn1_template_ex_d2i:nested asn1
> error:../crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
> FATAL: verify 2.cms failed
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210219/24795472/attachment.html>
More information about the openssl-users
mailing list