[openssl-users] smime -sign changes?

weber at infotech.de weber at infotech.de
Wed Mar 9 14:13:06 UTC 2016


Dear openssl users,

we have been using openssl for quite a long time. For code signing we're 
still using separate p7s files.
Hence, in our development environment, we integrated code signing via the 
command line (batch):

     openssl smime -sign -in %1 -out %1.p7s -outform der -signer integritycert.cert.pem -inkey integritycert.key.pem -binary -noattr

We found that newer (detached) signatures can no longer be verified 
successfully by our (and by other) applications since the migration from 
version 1.0.1h to 1.0.2d. It seems like the signatures were broken.

We noticed that the default digest algorithm has changed from sha1 to 
sha256, which is currently documented differently. The command-line tool's 
usage output says nothing about the implemented -md option.

Within our application we call:
     int p7flags = PKCS7_BINARY | PKCS7_NOSMIMECAP | PKCS7_NOVERIFY | PKCS7_NOCHAIN | PKCS7_NOSIGS;
     int rc = PKCS7_verify(p7, 0, 0, indata, out, p7flags);

and get back 0 instead of 1 while the error stack stays empty.

Surely current (and probably future) applications should use the (newer) 
cms variant, but the
older smime should still work.

We neither found a report concerning this issue on the users mailing 
list, nor did we track down the issue itself.

Heard about this issue before? Any idea?

Thanks in advance
--
Christian Weber
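
Added example, not part of the original post: a POSIX shell form of the signing command above with the digest pinned through `-md`, plus a check of which digest algorithm the resulting detached `.p7s` actually records, so output from two openssl versions can be compared. The key, certificate, payload and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: pin and inspect the digest of a detached smime signature.
# All inputs (key, self-signed certificate, payload) are constructed here.

make_fixture() {    # $1 = work directory
    printf 'constructed sample payload\n' > "$1/payload.bin"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

sign_detached() {   # $1 = work directory, $2 = digest name passed to -md
    openssl smime -sign -in "$1/payload.bin" -out "$1/payload.$2.p7s" \
        -outform der -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -binary -noattr -md "$2"
}

p7s_digest() {      # $1 = DER-encoded .p7s; prints the recorded digest name
    # digestAlgorithms is the first bare shaNNN OBJECT in the SignedData;
    # certificate entries such as sha256WithRSAEncryption do not match.
    openssl asn1parse -inform der -in "$1" |
        awk -F: '/OBJECT/ && $NF ~ /^sha[0-9-]+$/ { print $NF; exit }'
}

verify_detached() { # $1 = work directory, $2 = digest name used when signing
    # -noverify skips the signer certificate chain check only; the
    # signature over the detached content is still checked.
    openssl smime -verify -inform der -in "$1/payload.$2.p7s" \
        -content "$1/payload.bin" -binary -noverify \
        -out /dev/null 2>/dev/null
}

# Run as "sh script.sh demo" to compare the two digests named in the post.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_fixture "$work"
    for md in sha1 sha256; do
        sign_detached "$work" "$md" || continue
        echo "-md $md -> p7s records: $(p7s_digest "$work/payload.$md.p7s")"
        verify_detached "$work" "$md" && echo "  detached verify: ok"
    done
    rm -rf "$work"
fi
```

Running `p7s_digest` on a signature produced without `-md` shows the default digest of the openssl build that created it.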


