[openssl-users] PKCS7->signerInfo->encryptedDigest not type X509_SIG

Michael Heide michael.heide at student.uni-siegen.de
Sun Sep 20 08:51:26 UTC 2015

Am Sat, 19 Sep 2015 23:09:16 +0200 schrieb Jakob Bohm <jb-openssl at wisemo.com>:

> 1. The error should not call this "plain", this would lead
>    to the same misunderstanding I had earlier.

Right. I'm not an advanced english speaker, I shouldn't name it at all. ;-)

Btw. In the meantime I think my last suggestion for a patch is poor. Still handling this kind of signatures as an error would fail/stop the whole verification process and if this happens with some intermediate certificate, then the application cannot turn this into a successful verification (AFAIK). 

I haven't found a way to make it configurable, yet. That is to not change OpenSSLs default behaviour but have an option to let it accept those kind of signatures.

> 3. It would be really nice if someone in the know would
>    explain under which conditions this alternative signature
>    algorithm is used and/or necessary.

I've found only a single time stamping service so far. 


More information about the openssl-users mailing list