Hi,

I am trying to analyze openssl sources, and it looks like the resign
is implemented in a naive path that does not handle all cases.

In other words, the CMS resign is not working in any case other than
the default execution path.

For example the -noattr is also not working.

I updated my reproduction project[1] to show all cases of resign that
do not work: CMS_NO_ATTR, CMS_KEY_PARAM.

I believe the root cause is that when resign is executed the
CMS_final() is not called and instead the i2d_CMS_bio() is called,
while its logic is incomplete.

I hope this will ring a bell to people who are maintaining the
crypto/cms/* implementation.

Tested [fails] with:
  OpenSSL_1_1_1-stable
  master

Regards,
Alon

[1] https://github.com/alonbl/openssl-cms-pss

On Fri, Feb 19, 2021 at 10:06 PM Alon Bar-Lev <alon.bar...@gmail.com> wrote:
>
> Thanks.
> I managed to narrow this; it is not related to pss, as I can also reproduce
> it if I pass pkcs1. It has something to do with CMS_KEY_PARAM flag and add signer.
>
> On Fri, 19 Feb 2021 at 22:03 Thulasi Goriparthi 
> <thulasi.goripar...@gmail.com> wrote:
>>
>> With PSS, for the first signature, PSS alg ID and params are encoded
>> correctly, but not for the second signature (resign).
>>
>>  2542:d=7  hl=2 l=   9 prim: OBJECT            :S/MIME Capabilities
>>  2553:d=7  hl=2 l= 108 cons: SET
>>  2555:d=8  hl=2 l= 106 cons: SEQUENCE
>>  2557:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2559:d=10 hl=2 l=   9 prim: OBJECT            :aes-256-cbc
>>  2570:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2572:d=10 hl=2 l=   9 prim: OBJECT            :aes-192-cbc
>>  2583:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2585:d=10 hl=2 l=   9 prim: OBJECT            :aes-128-cbc
>>  2596:d=9  hl=2 l=  10 cons: SEQUENCE
>>  2598:d=10 hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
>>  2608:d=9  hl=2 l=  14 cons: SEQUENCE
>>  2610:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  2620:d=10 hl=2 l=   2 prim: INTEGER           :80
>>  2624:d=9  hl=2 l=  13 cons: SEQUENCE
>>  2626:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  2636:d=10 hl=2 l=   1 prim: INTEGER           :40
>>  2639:d=9  hl=2 l=   7 cons: SEQUENCE
>>  2641:d=10 hl=2 l=   5 prim: OBJECT            :des-cbc
>>  2648:d=9  hl=2 l=  13 cons: SEQUENCE
>>  2650:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  2660:d=10 hl=2 l=   1 prim: INTEGER           :28
>>  2663:d=5  hl=2 l=   0 cons: SEQUENCE
>>  2665:d=5  hl=2 l=   0 prim: OCTET STRING
>>  2667:d=4  hl=4 l= 723 cons: SEQUENCE
>>  2671:d=5  hl=2 l=   1 prim: INTEGER           :01
>>  2674:d=5  hl=3 l= 149 cons: SEQUENCE
>>  2677:d=6  hl=3 l= 143 cons: SEQUENCE
>>  2680:d=7  hl=2 l=  11 cons: SET
>>  2682:d=8  hl=2 l=   9 cons: SEQUENCE
>>  2684:d=9  hl=2 l=   3 prim: OBJECT            :countryName
>>  2689:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :IN
>>  2693:d=7  hl=2 l=  11 cons: SET
>>
>> ==multiple lines truncated==
>>
>>  2949:d=7  hl=2 l=   9 prim: OBJECT            :S/MIME Capabilities
>>  2960:d=7  hl=2 l= 108 cons: SET
>>  2962:d=8  hl=2 l= 106 cons: SEQUENCE
>>  2964:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2966:d=10 hl=2 l=   9 prim: OBJECT            :aes-256-cbc
>>  2977:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2979:d=10 hl=2 l=   9 prim: OBJECT            :aes-192-cbc
>>  2990:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2992:d=10 hl=2 l=   9 prim: OBJECT            :aes-128-cbc
>>  3003:d=9  hl=2 l=  10 cons: SEQUENCE
>>  3005:d=10 hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
>>  3015:d=9  hl=2 l=  14 cons: SEQUENCE
>>  3017:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  3027:d=10 hl=2 l=   2 prim: INTEGER           :80
>>  3031:d=9  hl=2 l=  13 cons: SEQUENCE
>>  3033:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  3043:d=10 hl=2 l=   1 prim: INTEGER           :40
>>  3046:d=9  hl=2 l=   7 cons: SEQUENCE
>>  3048:d=10 hl=2 l=   5 prim: OBJECT            :des-cbc
>>  3055:d=9  hl=2 l=  13 cons: SEQUENCE
>>  3057:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  3067:d=10 hl=2 l=   1 prim: INTEGER           :28
>>  3070:d=5  hl=2 l=  62 cons: SEQUENCE
>>  3072:d=6  hl=2 l=   9 prim: OBJECT            :rsassaPss
>>  3083:d=6  hl=2 l=  49 cons: SEQUENCE
>>  3085:d=7  hl=2 l=  13 cons: cont [ 0 ]
>>  3087:d=8  hl=2 l=  11 cons: SEQUENCE
>>  3089:d=9  hl=2 l=   9 prim: OBJECT            :sha256
>>  3100:d=7  hl=2 l=  26 cons: cont [ 1 ]
>>  3102:d=8  hl=2 l=  24 cons: SEQUENCE
>>  3104:d=9  hl=2 l=   9 prim: OBJECT            :mgf1
>>  3115:d=9  hl=2 l=  11 cons: SEQUENCE
>>  3117:d=10 hl=2 l=   9 prim: OBJECT            :sha256
>>  3128:d=7  hl=2 l=   4 cons: cont [ 2 ]
>>  3130:d=8  hl=2 l=   2 prim: INTEGER           :DE
>>  3134:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX 
>> DUMP]:66C7A406905E0BEF3BE8A55B8BA05915020B6960BDE4700C3C3FB2F115FE5BA60B453EFF39BA37E4D16CA3A86582B3057D05875766BE99C51BC5BEC9CD1AAE3BEC34943160BB06784209F1A3773E07A101BA3E2231FDF85FAB91872A081E37410905A09DAF530600BF9099B054B1DF869826E864A95F5D55DAE84A0CEC43E52F6D13574E1EF66A4E3A65883788E265D6C174211ADBCFEA96A9DD186887BFE040D6D0B59547D8763157D322F0307D7AF3123B0ECFB11E1E7EA228861F4363DBA8D478A7E44F1DEB77A3904FBD90CAA41E291A2E094ABCBD5134146FB1C0F42BC8D7B4829DEFEE7BACDFC024FB8B9FAF16F225EB3C96D866C535B2A06E83DCF007
>>
>>
>> Thanks,
>>
>> Thulasi.
>>
>>
>>
>> On Sat, 20 Feb 2021 at 00:40, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
>>>
>>> Thanks!
>>> Was about to write... I tested both 1.1 and master branches and result is 
>>> the same.
>>>
>>>
>>> On Fri, 19 Feb 2021 at 21:04 Thulasi Goriparthi 
>>> <thulasi.goripar...@gmail.com> wrote:
>>>>
>>>> I am able to reproduce this issue with 1.1.1j too.
>>>>
>>>> openssl version -a
>>>> OpenSSL 1.1.1j  16 Feb 2021
>>>> built on: Fri Feb 19 18:56:06 2021 UTC
>>>> platform: darwin64-x86_64-cc
>>>> options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
>>>> compiler: cc -fPIC -arch x86_64 -g -Wall -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_REENTRANT -DNDEBUG
>>>> OPENSSLDIR: "/usr/local/ssl"
>>>> ENGINESDIR: "/usr/local/lib/engines-1.1"
>>>> Seeding source: os-specific
>>>>
>>>> openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms -keyopt rsa_padding_mode:pss
>>>> openssl cms -verify -in 1.cms -CAfile ca.pem
>>>> Content-Type: text/plain
>>>>
>>>> hello world
>>>> Verification successful
>>>> openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms -keyopt rsa_padding_mode:pss
>>>> openssl cms -verify -in 2.cms -CAfile ca.pem
>>>> Error reading S/MIME message
>>>> 4757167552:error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing:crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
>>>> 4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm, Type=CMS_SignerInfo
>>>> 4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:615:Field=signerInfos, Type=CMS_SignedData
>>>> 4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:
>>>> 4757167552:error:0D08403A:asn1 encoding routines:asn1_template_ex_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
>>>> 4757167552:error:0D0D106E:asn1 encoding routines:b64_read_asn1:decode error:crypto/asn1/asn_mime.c:143:
>>>> 4757167552:error:0D0D40CC:asn1 encoding routines:SMIME_read_ASN1:asn1 sig parse error:crypto/asn1/asn_mime.c:451:
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Thulasi.
>>>>
>>>>
>>>> On Sat, 20 Feb 2021 at 00:09, Viktor Dukhovni <openssl-us...@dukhovni.org> 
>>>> wrote:
>>>>>
>>>>> On Fri, Feb 19, 2021 at 11:19:42PM +0530, Thulasi Goriparthi wrote:
>>>>>
>>>>> > I am able to reproduce this issue with 1.1.1i
>>>>>
>>>>> OpenSSL 1.1.1j has been released.  Do you still see the problem with
>>>>> 1.1.1j?
>>>>>
>>>>> --
>>>>>     Viktor.
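
Added example, not part of the original thread or of OpenSSL: in the quoted dump the failure shows up as a zero-length SEQUENCE followed by a zero-length OCTET STRING, where a SignerInfo's signatureAlgorithm and signature belong. The Python check below scans `openssl asn1parse` output for that pattern; the function names and the "SEQUENCE followed by sibling OCTET STRING" heuristic are assumptions of this example, and the sample lines are excerpted from the dump in this thread with the signature hex elided.

```python
import re

# One `openssl asn1parse` line: offset, depth, (header length), length, form, tag.
LINE = re.compile(r"^(\d+):d=\s*(\d+)\s+hl=\s*\d+\s+l=\s*(\d+)\s+(?:prim|cons):\s+(.*)$")

def parse(dump):
    nodes = []
    for raw in dump.splitlines():
        m = LINE.match(raw.lstrip("> \t"))  # tolerate mail quoting and indentation
        if m:
            off, depth, length, rest = m.groups()
            tag = re.split(r"\s{2,}|\s*:", rest, maxsplit=1)[0].strip()
            nodes.append({"off": int(off), "depth": int(depth), "len": int(length), "tag": tag})
    return nodes

def empty_signer_fields(dump):
    """Heuristic (assumption of this example): an OCTET STRING whose previous
    sibling is a SEQUENCE is treated as (signatureAlgorithm, signature)."""
    nodes, findings = parse(dump), []
    for i, node in enumerate(nodes):
        if node["tag"] != "OCTET STRING":
            continue
        prev = None
        for cand in reversed(nodes[:i]):      # walk back to the previous sibling
            if cand["depth"] < node["depth"]:
                break                         # left the parent: no sibling
            if cand["depth"] == node["depth"]:
                prev = cand
                break
        if prev is None or prev["tag"] != "SEQUENCE":
            continue
        if prev["len"] == 0:
            findings.append((prev["off"], "empty signatureAlgorithm"))
        if node["len"] == 0:
            findings.append((node["off"], "empty signature"))
    return findings

# Excerpts of the dump quoted in this thread (signature hex elided).
BROKEN = """
 2660:d=10 hl=2 l=   1 prim: INTEGER           :28
 2663:d=5  hl=2 l=   0 cons: SEQUENCE
 2665:d=5  hl=2 l=   0 prim: OCTET STRING
"""
GOOD = """
 3070:d=5  hl=2 l=  62 cons: SEQUENCE
 3072:d=6  hl=2 l=   9 prim: OBJECT            :rsassaPss
 3083:d=6  hl=2 l=  49 cons: SEQUENCE
 3134:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:(elided)
"""
if __name__ == "__main__":
    print(empty_signer_fields(BROKEN), empty_signer_fields(GOOD))
```

The check works on DER/PEM input dumped with `openssl asn1parse`; a structure with these empty fields is the one that later fails to parse with `Field=algorithm, Type=X509_ALGOR`.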
