[openssl-users] smime -sign changes?

weber at infotech.de weber at infotech.de
Wed Mar 9 15:10:53 UTC 2016


Sorry, my fault. The file to be signed couldn't be hashed correctly due
to an error while applying a patch to the original sources.

Please ignore the issue.

--
Christian Weber

On 09.03.2016 at 15:13, weber at infotech.de wrote:
> Dear openssl users,
>
> we have been using openssl for quite a long time. For code signing we're
> still using separate p2s files.
> Hence, in our development environment, we integrated code signing via
> the command line (batch):
>
>     openssl smime -sign -in %1 -out %1.p7s -outform der -signer integritycert.cert.pem -inkey integritycert.key.pem -binary -noattr
>
> We found that newer (detached) signatures cannot be verified
> successfully within our (and by other) applications since the migration
> from version 1.0.1h to 1.0.2d. It seems like the signatures were broken.
>
> We noticed that the default digest algorithm has changed from sha1 to
> sha256, which is currently documented differently. The command-line
> tool's usage output says nothing about the implemented -md option.
>
> Within our application we call:
>     int p7flags = PKCS7_BINARY | PKCS7_NOSMIMECAP | PKCS7_NOVERIFY |
>                   PKCS7_NOCHAIN | PKCS7_NOSIGS;
>     int rc = PKCS7_verify(p7, 0, 0, indata, out, p7flags);
>
> and get back 0 instead of 1 while the error stack stays empty.
>
> Surely current (and probably future) applications should use the 
> (newer) cms variant, but the
> older smime should still work.
>
> We neither found a report concerning this issue within the users
> mailing list nor tracked down the issue itself.
>
> Heard about this issue before? Any idea?
>
> Thanks in advance
> -- 
> Christian Weber
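
An added example, not part of the original thread: a self-contained round trip that signs with the options from the post plus an explicit `-md`, checks which digest OID ended up in the detached signature, and shows that content differing from what was hashed at signing time fails verification. The throwaway key and certificate, the file names and the `demo_detached` function are assumptions constructed for this demo.

```shell
#!/bin/sh
# Added example. Key, certificate and payload are throwaway values constructed here.

demo_detached() {
    md="$1"                      # digest name passed to -md, e.g. sha256
    work=$(mktemp -d) || return 2
    result=$(
        cd "$work" || exit 2
        # Throwaway self-signed signer (stands in for integritycert.*.pem).
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
            -keyout key.pem -out cert.pem >/dev/null 2>&1 || exit 2
        printf 'constructed payload v1\n' > payload.bin

        # Same options as the batch command in the post, plus an explicit -md.
        openssl smime -sign -in payload.bin -out payload.bin.p7s -outform der \
            -signer cert.pem -inkey key.pem -binary -noattr -md "$md" \
            2>/dev/null || exit 2

        # Confirm which digest OID actually ended up in the SignedData.
        if openssl asn1parse -inform der -in payload.bin.p7s 2>/dev/null |
            grep -q "OBJECT *:$md *\$"; then alg="$md"; else alg="unexpected"; fi

        verify() {  # -noverify skips chain validation only; the signature is still checked
            openssl smime -verify -in payload.bin.p7s -inform der -content "$1" \
                -binary -noverify -out /dev/null 2>/dev/null
        }
        if verify payload.bin; then intact=ok; else intact=FAILED; fi

        # Content that differs from what was hashed at signing time must be rejected.
        printf 'constructed payload v2\n' > changed.bin
        if verify changed.bin; then tampered=ACCEPTED; else tampered=rejected; fi

        echo "md=$alg intact=$intact tampered=$tampered"
    )
    rc=$?
    rm -rf "$work"
    [ "$rc" -eq 0 ] && echo "$result"
}

demo_detached sha256
```

Pinning `-md` in the signing command keeps the digest independent of the installed version's default.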

