"Stephen Henson via RT" <[EMAIL PROTECTED]> writes:

>> Is there a good (suggested) workaround for the older version that
>> doesn't have this fix?  Can I, perhaps, define a new hash-type that
>> defines itself as sha1WithRSAEncryption?  Or do you think that would
>> cause problems?
>> 
>
> Well replacing pk7_doit.c with the latest version would be one fix. If
> you need an application level fix you could always look for
> sha1WithRSAEncryption in the PKCS7 structure and change it to SHA1.

Hmm, okay..  Let me rephrase -- is there an application-level fix that
I can put into place while still using the "vendor-supplied" openssl
library?  I wouldn't think that an application could supply its own
version of pk7_doit.c and get the system libssl to see it?

I tried registering a new MD type which was just a copy of the
EVP_sha1 with the type changed from NIP_sha1 to
NIP_sha1WithRSAEncryption.  That seemed to get me further but then
it died in the RSA_verify() section in rsa_sign.c:

                if (sigtype != dtype)
                        {
                        if (((dtype == NID_md5) &&
                                (sigtype == NID_md5WithRSAEncryption)) ||
                                ((dtype == NID_md2) &&
                                (sigtype == NID_md2WithRSAEncryption)))
                                {
                                /* ok, we will let it through */
#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
                                fprintf(stderr,"signature has problems, re-make 
with post SSLeay045\n");
#endif
                                }
                        else
                                {
                                RSAerr(RSA_F_RSA_VERIFY,
                                                RSA_R_ALGORITHM_MISMATCH);
                                goto err;
                                }
                        }
> Steve.

In the meantime I'm also looking at the other side to see if I can
convince windows to generate pkcs7 with sha1, or some way to change
that.

Thanks,

-derek

-- 
       Derek Atkins                 617-623-3745
       [EMAIL PROTECTED]             www.ihtfp.com
       Computer and Internet Security Consultant

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to