Hi, [ originally written by Scott J. Tamosunas, http://www.mail-archive.com/openssl-dev@openssl.org/msg05433.html ]
I am trying to verify the signature of a PKCS7 object created by another PKI that used SHA1 as the method of digest and RSA Encryption as the method of private key encryption. However, if I parse the DER, the following shows that the sha1withRSAEncryption was used as the digestAlgorthimIdentifier: 0 30 1855: SEQUENCE { 4 06 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2) 15 A0 1840: [0] { 19 30 1836: SEQUENCE { 23 02 1: INTEGER 1 26 31 13: SET { 28 30 11: SEQUENCE { 30 06 9: OBJECT IDENTIFIER : sha1withRSAEncryption (1 2 840 113549 1 1 5) : } : } 41 30 11: SEQUENCE { 43 06 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) it would seem to me, first of all that seeing this is supposed to be a digestAlgorithmIdentifier, this should just be SHA1 as sha1withRSAEncrytion implies a signature algorithm, not a message digest. Therefore, when I try to verify the signature in the PKCS7 object, in the function PKCS7_dataInit(): if (md_sk != NULL) { for (i=0; i<sk_X509_ALGOR_num(md_sk); i++) { xa=sk_X509_ALGOR_value(md_sk,i); if ((btmp=BIO_new(BIO_f_md())) == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB); goto err; } j=OBJ_obj2nid(xa->algorithm); evp_md=EVP_get_digestbyname(OBJ_nid2sn(j)); j = 65 evp_md = RSA-SHA1 This gets set into the output bio struct. Later in the PKCS7_signatureVerify() function in the location: md_type=OBJ_obj2nid(si->digest_alg->algorithm); btmp=bio; for (;;) { if ((btmp == NULL) || ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) == NULL)) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); goto err; } BIO_get_md_ctx(btmp,&mdc); if (mdc == NULL) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_INTERNAL_ERROR); goto err; } if (EVP_MD_CTX_type(mdc) == md_type) break; btmp=btmp->next_bio; } The error PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST) is set because md_type = 65 and mdc->digest.type = 64. 64 is SHA1 so the comparisons to the message digests fail, when really they should not. My question is: Is this the intended behavior? Shouldn't this situation be handled? From the PKCS7 and X509 specs, I don't see any provision for what is a digest algorithm and what is not. Clearly, SHA1 has been used to create the digest. Or, is the PKI that created the PKCS7 object in the wrong? In either case, OpenSSL should probably accept the message with the sha1WithRSAEncryption instead of sha1 message digest. Thanks, -derek, plagiarizing Scott -- Derek Atkins 617-623-3745 [EMAIL PROTECTED] www.ihtfp.com Computer and Internet Security Consultant ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]