"Stephen Henson via RT" <[EMAIL PROTECTED]> writes:
>> Is there a good (suggested) workaround for the older version that
>> doesn't have this fix? Can I, perhaps, define a new hash-type that
>> defines itself as sha1WithRSAEncryption? Or do you think that would
>> cause problems?
>>
>
> Well replacing pk7_doit.c with the latest version would be one fix. If
> you need an application level fix you could always look for
> sha1WithRSAEncryption in the PKCS7 structure and change it to SHA1.
Hmm, okay.. Let me rephrase -- is there an application-level fix that
I can put into place while still using the "vendor-supplied" openssl
library? I wouldn't think that an application could supply its own
version of pk7_doit.c and get the system libssl to see it?
I tried registering a new MD type which was just a copy of the
EVP_sha1 with the type changed from NIP_sha1 to
NIP_sha1WithRSAEncryption. That seemed to get me further but then
it died in the RSA_verify() section in rsa_sign.c:
if (sigtype != dtype)
{
if (((dtype == NID_md5) &&
(sigtype == NID_md5WithRSAEncryption)) ||
((dtype == NID_md2) &&
(sigtype == NID_md2WithRSAEncryption)))
{
/* ok, we will let it through */
#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
fprintf(stderr,"signature has problems, re-make
with post SSLeay045\n");
#endif
}
else
{
RSAerr(RSA_F_RSA_VERIFY,
RSA_R_ALGORITHM_MISMATCH);
goto err;
}
}
> Steve.
In the meantime I'm also looking at the other side to see if I can
convince windows to generate pkcs7 with sha1, or some way to change
that.
Thanks,
-derek
--
Derek Atkins 617-623-3745
[EMAIL PROTECTED] www.ihtfp.com
Computer and Internet Security Consultant
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
