"Stephen Henson via RT" <[EMAIL PROTECTED]> writes: >> Is there a good (suggested) workaround for the older version that >> doesn't have this fix? Can I, perhaps, define a new hash-type that >> defines itself as sha1WithRSAEncryption? Or do you think that would >> cause problems? >> > > Well replacing pk7_doit.c with the latest version would be one fix. If > you need an application level fix you could always look for > sha1WithRSAEncryption in the PKCS7 structure and change it to SHA1.
Hmm, okay.. Let me rephrase -- is there an application-level fix that I can put into place while still using the "vendor-supplied" openssl library? I wouldn't think that an application could supply its own version of pk7_doit.c and get the system libssl to see it? I tried registering a new MD type which was just a copy of the EVP_sha1 with the type changed from NIP_sha1 to NIP_sha1WithRSAEncryption. That seemed to get me further but then it died in the RSA_verify() section in rsa_sign.c: if (sigtype != dtype) { if (((dtype == NID_md5) && (sigtype == NID_md5WithRSAEncryption)) || ((dtype == NID_md2) && (sigtype == NID_md2WithRSAEncryption))) { /* ok, we will let it through */ #if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16) fprintf(stderr,"signature has problems, re-make with post SSLeay045\n"); #endif } else { RSAerr(RSA_F_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH); goto err; } } > Steve. In the meantime I'm also looking at the other side to see if I can convince windows to generate pkcs7 with sha1, or some way to change that. Thanks, -derek -- Derek Atkins 617-623-3745 [EMAIL PROTECTED] www.ihtfp.com Computer and Internet Security Consultant ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]