Hi,

[ originally written by Scott J. Tamosunas,
http://www.mail-archive.com/openssl-.../msg05433.html ]

I am trying to verify the signature of a PKCS7 object created by another PKI
that used SHA1 as the method of digest and RSA Encryption as the method of
private key encryption. However, if I parse the DER, the following shows
that the sha1withRSAEncryption was used as the digestAlgorthimIdentifier:

0 30 1855: SEQUENCE {
4 06 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 A0 1840: [0] {
19 30 1836: SEQUENCE {
23 02 1: INTEGER 1
26 31 13: SET {
28 30 11: SEQUENCE {
30 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840 113549 1 1 5)
: }
: }
41 30 11: SEQUENCE {
43 06 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)

it would seem to me, first of all that seeing this is supposed to be a
digestAlgorithmIdentifier, this should just be SHA1 as sha1withRSAEncrytion
implies a signature algorithm, not a message digest.


Therefore, when I try to verify the signature in the PKCS7 object, in the
function PKCS7_dataInit():
if (md_sk != NULL)
{
for (i=0; i {
xa=sk_X509_ALGOR_value(md_sk,i);
if ((btmp=BIO_new(BIO_f_md())) == NULL)
{
PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB);
goto err;
}

j=OBJ_obj2nid(xa->algorithm);
evp_md=EVP_get_digestbyname(OBJ_nid2sn(j));

j = 65
evp_md = RSA-SHA1

This gets set into the output bio struct.

Later in the PKCS7_signatureVerify() function in the location:

md_type=OBJ_obj2nid(si->digest_alg->algorithm);

btmp=bio;
for (;
{
if ((btmp == NULL) ||
((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) == NULL))
{
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
goto err;
}
BIO_get_md_ctx(btmp,&mdc);
if (mdc == NULL)
{
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
PKCS7_R_INTERNAL_ERROR);
goto err;
}
if (EVP_MD_CTX_type(mdc) == md_type)
break;
btmp=btmp->next_bio;
}

The error PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST) is set because md_type = 65 and
mdc->digest.type = 64. 64 is SHA1 so the comparisons to the message digests
fail, when really they should not.

My question is:
Is this the intended behavior? Shouldn't this situation be handled? From the
PKCS7 and X509 specs, I don't see any provision for what is a digest
algorithm and what is not. Clearly, SHA1 has been used to create the digest.
Or, is the PKI that created the PKCS7 object in the wrong?

In either case, OpenSSL should probably accept the message with the
sha1WithRSAEncryption instead of sha1 message digest.

Thanks,

-derek, plagiarizing Scott
--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org