[EMAIL PROTECTED] - Fri Feb 18 09:28:03 2005]:

> Hi,
> 
> [ originally written by Scott J. Tamosunas,
>   http://www.mail-archive.com/openssl-dev@openssl.org/msg05433.html ]
> 
> I am trying to verify the signature of a PKCS7 object created by
> another PKI that used SHA1 as the method of digest and RSA Encryption
> as the method of private key encryption. However, if I parse the DER,
> the following shows that the sha1withRSAEncryption was used as the
> digestAlgorithmIdentifier:
> 
>    0 30 1855: SEQUENCE {
>    4 06    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
>   15 A0 1840:   [0] {
>   19 30 1836:     SEQUENCE {
>   23 02    1:       INTEGER 1
>   26 31   13:       SET {
>   28 30   11:         SEQUENCE {
>   30 06    9:           OBJECT IDENTIFIER
>             :             sha1withRSAEncryption (1 2 840 113549 1 1 5)

There are 2 published standard versions: 1.5 and 1.6
http://www.rsasecurity.com/rsalabs/node.asp?id=2129

The "1" shows version 1.5 rules apply
ftp://ftp.rsasecurity.com/pub/pkcs/ps/pkcs-7.ps.gz

SET of objects here should be DigestAlgorithmIdentifier
with DigestAlgorithms "include MD2 and MD5" (clause 6.3).

For S/MIME (draft-ietf-smime-rfc2633bis-08.txt),
DigestAlgorithmIdentifier "MUST support SHA-1" (clause 2.1).
See also draft-ietf-smime-rfc3369bis-02.txt clause 10.1.1.

For a project implementing SET, I was using SHA-1 here
http://www.unity.net/~vf/naina_r1.tgz
and that was specified in the SET books.
For the message attached, SignedData starts at offset 63
and the objectID in question at offset 74.

I'd suggest double-checking exactly which specifications
the other PKI (creating the PKCS7 in question) follows.

>             :           }
>             :         }
>   41 30   11:       SEQUENCE {
>   43 06    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
> 
> It would seem to me, first of all, that seeing this is supposed to be a
> digestAlgorithmIdentifier, this should just be SHA1, as
> sha1withRSAEncryption implies a signature algorithm, not a message
> digest.
> 
> 
> Therefore, when I try to verify the signature in the PKCS7 object, in
> the function PKCS7_dataInit():
>         if (md_sk != NULL)
>                 {
>                 for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
>                         {
>                         xa=sk_X509_ALGOR_value(md_sk,i);
>                         if ((btmp=BIO_new(BIO_f_md())) == NULL)
>                                 {
>                                 PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB);
>                                 goto err;
>                                 }
> 
>                         j=OBJ_obj2nid(xa->algorithm);
>                         evp_md=EVP_get_digestbyname(OBJ_nid2sn(j));
> 
> j = 65
> evp_md = RSA-SHA1
> 
> This gets set into the output bio struct.
> 
> Later in the PKCS7_signatureVerify() function in the location:
> 
> md_type=OBJ_obj2nid(si->digest_alg->algorithm);
> 
>         btmp=bio;
>         for (;;)
>                 {
>                 if ((btmp == NULL) ||
>                         ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) ==
> NULL))
>                         {
>                         PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
>                                        PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
>                         goto err;
>                         }
>                 BIO_get_md_ctx(btmp,&mdc);
>                 if (mdc == NULL)
>                         {
>                         PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
>                                        PKCS7_R_INTERNAL_ERROR);
>                         goto err;
>                         }
>                 if (EVP_MD_CTX_type(mdc) == md_type)
>                         break;
>                 btmp=btmp->next_bio;
>                 }
> 
> The error PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
> PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST) is set because md_type = 65 and
> mdc->digest.type = 64. 64 is SHA1, so the comparisons to the message
> digests fail, when really they should not.
> 
> My question is:
> Is this the intended behavior? Shouldn't this situation be handled?
> From the PKCS7 and X509 specs, I don't see any provision for what is a
> digest algorithm and what is not. Clearly, SHA1 has been used to create
> the digest.
> Or, is the PKI that created the PKCS7 object in the wrong?
> 
> In either case, OpenSSL should probably accept the message with the
> sha1WithRSAEncryption instead of sha1 message digest.
> 
> Thanks,
> 
> -derek, plagiarizing Scott
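As an added illustration of the mismatch discussed above (this is example code written for this page, not OpenSSL's code and not from either poster), the following pure-Python routine walks the DER prefix shown in the dump, pulls the OIDs out of the digestAlgorithms SET, and maps a signature-algorithm OID such as sha1WithRSAEncryption back to the digest it implies while flagging the entry as non-conformant, which is the tolerant-but-visible behaviour a verifier could take instead of failing with UNABLE_TO_FIND_MESSAGE_DIGEST. The DER sample, the OID tables and the function names are constructed for the example.

```python
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
DIGEST_OIDS = {"1.2.840.113549.2.5": "md5", "1.3.14.3.2.26": "sha1"}
SIG_TO_DIGEST = {"1.2.840.113549.1.1.4": "1.2.840.113549.2.5",  # md5WithRSAEncryption -> md5
                 "1.2.840.113549.1.1.5": "1.3.14.3.2.26"}       # sha1WithRSAEncryption -> sha1
def tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(value):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def signed_data_digests(der_bytes):
    """Return [(oid_as_found, digest_name, conformant)] from digestAlgorithms."""
    _, ci, _ = tlv(der_bytes, 0)                    # ContentInfo SEQUENCE
    tag, ctype, pos = tlv(ci, 0)                    # contentType OID
    if tag != 0x06 or decode_oid(ctype) != OID_SIGNED_DATA:
        raise ValueError("not a signedData ContentInfo")
    _, explicit, _ = tlv(ci, pos)                   # [0] EXPLICIT wrapper
    _, sd, _ = tlv(explicit, 0)                     # SignedData SEQUENCE
    _, _, pos = tlv(sd, 0)                          # version INTEGER (skipped)
    tag, alg_set, _ = tlv(sd, pos)                  # SET OF DigestAlgorithmIdentifier
    if tag != 0x31:
        raise ValueError("digestAlgorithms SET missing")
    out, pos = [], 0
    while pos < len(alg_set):
        _, alg_id, pos = tlv(alg_set, pos)          # AlgorithmIdentifier SEQUENCE
        dotted = decode_oid(tlv(alg_id, 0)[1])      # algorithm OID; parameters ignored
        if dotted in DIGEST_OIDS:                   # what the spec expects here
            out.append((dotted, DIGEST_OIDS[dotted], True))
        elif dotted in SIG_TO_DIGEST:               # the thread's case: accept, but flag it
            out.append((dotted, DIGEST_OIDS[SIG_TO_DIGEST[dotted]], False))
        else:
            raise ValueError("unknown digest algorithm " + dotted)
    return out
def der(tag, body):                                 # sample-building helper, short lengths only
    return bytes([tag, len(body)]) + body

# Constructed sample: the dump's prefix (signedData, version 1, { sha1WithRSAEncryption }).
SAMPLE = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) +
             der(0xA0, der(0x30, der(0x02, b"\x01") +
                 der(0x31, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")))))))
```

Calling `signed_data_digests(SAMPLE)` yields the entry flagged non-conformant, with "sha1" as the digest to actually feed the BIO_f_md chain.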


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
