[derek@ihtfp.com - Fri Feb 18 09:28:03 2005]:

> Hi,
>
> [ originally written by Scott J. Tamosunas,
> http://www.mail-archive.com/openssl-.../msg05433.html ]
>
> I am trying to verify the signature of a PKCS7 object created by
> another PKI
> that used SHA1 as the method of digest and RSA Encryption as the
> method of
> private key encryption. However, if I parse the DER, the following
> shows
> that the sha1withRSAEncryption was used as the
> digestAlgorthimIdentifier:
>
> 0 30 1855: SEQUENCE {
> 4 06 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
> 15 A0 1840: [0] {
> 19 30 1836: SEQUENCE {
> 23 02 1: INTEGER 1
> 26 31 13: SET {
> 28 30 11: SEQUENCE {
> 30 06 9: OBJECT IDENTIFIER
> : sha1withRSAEncryption (1 2 840 113549 1 1 5)


there are 2 published standard versions: 1.5 and 1.6
http://www.rsasecurity.com/rsalabs/node.asp?id=2129

The "1" shows version 1.5 rules apply
ftp://ftp.rsasecurity.com/pub/pkcs/ps/pkcs-7.ps.gz

SET of objects here should be DigestAlgorithmIdentifier
with DigestAlgorithms "include MD2 and MD5" (clause 6.3).

For S/MIME (draft-ietf-smime-rfc2633bis-08.txt),
DigestAlgorithmIdentifier "MUST support SHA-1" (clause 2.1).
See also draft-ietf-smime-rfc3369bis-02.txt clause 10.1.1.

For a project implementing SET, I was using SHA-1 here
http://www.unity.net/~vf/naina_r1.tgz
and that was specified in SET books.
For the message attached, SignedData start at offset 63
and objectID in question at offset 74.

I'd suggest to double-check exactly what specifications
the other PKI (creating PKCS7 in question) follows

> : }
> : }
> 41 30 11: SEQUENCE {
> 43 06 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
>
> it would seem to me, first of all that seeing this is supposed to be a
> digestAlgorithmIdentifier, this should just be SHA1 as
> sha1withRSAEncrytion
> implies a signature algorithm, not a message digest.
>
>
> Therefore, when I try to verify the signature in the PKCS7 object, in
> the
> function PKCS7_dataInit():
> if (md_sk != NULL)
> {
> for (i=0; i > {
> xa=sk_X509_ALGOR_value(md_sk,i);
> if ((btmp=BIO_new(BIO_f_md())) == NULL)
> {
>

PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB);
> goto err;
> }
>
> j=OBJ_obj2nid(xa->algorithm);
> evp_md=EVP_get_digestbyname(OBJ_nid2sn(j));
>
> j = 65
> evp_md = RSA-SHA1
>
> This gets set into the output bio struct.
>
> Later in the PKCS7_signatureVerify() function in the location:
>
> md_type=OBJ_obj2nid(si->digest_alg->algorithm);
>
> btmp=bio;
> for (;
> {
> if ((btmp == NULL) ||
> ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) ==
> NULL))
> {
> PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
>

PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
> goto err;
> }
> BIO_get_md_ctx(btmp,&mdc);
> if (mdc == NULL)
> {
> PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
>

PKCS7_R_INTERNAL_ERROR);
> goto err;
> }
> if (EVP_MD_CTX_type(mdc) == md_type)
> break;
> btmp=btmp->next_bio;
> }
>
> The error PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
> PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST) is set because md_type = 65 and
> mdc->digest.type = 64. 64 is SHA1 so the comparisons to the message
> digests
> fail, when really they should not.
>
> My question is:
> Is this the intended behavior? Shouldn't this situation be handled?
> From the
> PKCS7 and X509 specs, I don't see any provision for what is a digest
> algorithm and what is not. Clearly, SHA1 has been used to create the
> digest.
> Or, is the PKI that created the PKCS7 object in the wrong?
>
> In either case, OpenSSL should probably accept the message with the
> sha1WithRSAEncryption instead of sha1 message digest.
>
> Thanks,
>
> -derek, plagiarizing Scott



__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org