PKCS#7/CMS verify reports bad signature

Michael Richardson mcr at
Tue Apr 2 13:51:05 UTC 2019

Matt Caswell <matt at> wrote:
    > Using the cert/data files you provided me off-list (thanks), I was able to
    > confirm the above and narrow it down further to the following commit:

What had produced the signatures?

    > In some cases, the damage is permanent and the spec deviation and
    > security risk becomes a tax all implementors must forever pay, but not
    > here. Both BoringSSL and Go successfully implemented and deployed
    > RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
    > this change should be compatible enough to pin down in future OpenSSL
    > releases.

    > So, based on the above description, it appears that older versions of OpenSSL
    > were unduly lenient in tolerating incorrectly formatted signatures. As a
    > security hardening measure that tolerance was removed. If you want to know more
    > then David Benjamin may be able to expand.

Did OpenSSL ever produce these wrong signatures?

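Added example, not part of the original message or of OpenSSL's code: a sketch of the strict check the quoted text refers to (RFC 8017 section 8.2.2: rebuild the expected encoded message and compare it whole), used here to triage a signature that fails. The thread does not say which formatting deviation the failing signatures had, so the DigestInfo without NULL parameters is a constructed stand-in, and the toy key and all function names are assumptions.

```python
import hashlib
import hmac

# DigestInfo DER prefix for SHA-256 (RFC 8017, section 9.2, note 1).
CANONICAL = bytes.fromhex("3031300d060960864801650304020105000420")
# Same structure with the NULL parameters omitted (constructed deviation).
NO_NULL = bytes.fromhex("302f300b06096086480165030402010420")

# Constructed toy key built from two Mersenne primes; demonstration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def encode(msg, k, prefix=CANONICAL):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, exactly k bytes."""
    t = prefix + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg, prefix=CANONICAL):
    """Sign with the toy key; a non-default prefix builds the test input."""
    em = int.from_bytes(encode(msg, K, prefix), "big")
    return pow(em, D, N).to_bytes(K, "big")


def recover_em(sig):
    """RSA public operation; None if the signature is out of range."""
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        return None
    return pow(s, E, N).to_bytes(K, "big")


def classify(sig, msg):
    """Strict check first (whole-EM compare), then report why it failed."""
    em = recover_em(sig)
    if em is None:
        return "invalid"
    if hmac.compare_digest(em, encode(msg, K)):
        return "valid (strict)"
    if hmac.compare_digest(em, encode(msg, K, NO_NULL)):
        return "rejected: DigestInfo omits NULL parameters"
    return "invalid"
```

A verifier that parses the padding and DigestInfo instead of comparing the whole block is where tolerance for such variants tends to come from; the second branch above exists only to name the deviation in a diagnostic, not to accept it.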
