"Stephen Henson via RT" writes:

>> Is there a good (suggested) workaround for the older version that
>> doesn't have this fix? Can I, perhaps, define a new hash-type that
>> defines itself as sha1WithRSAEncryption? Or do you think that would
>> cause problems?
>>

>
> Well replacing pk7_doit.c with the latest version would be one fix. If
> you need an application level fix you could always look for
> sha1WithRSAEncryption in the PKCS7 structure and change it to SHA1.


Hmm, okay.. Let me rephrase -- is there an application-level fix that
I can put into place while still using the "vendor-supplied" openssl
library? I wouldn't think that an application could supply its own
version of pk7_doit.c and get the system libssl to see it?

I tried registering a new MD type which was just a copy of the
EVP_sha1 with the type changed from NIP_sha1 to
NIP_sha1WithRSAEncryption. That seemed to get me further but then
it died in the RSA_verify() section in rsa_sign.c:

if (sigtype != dtype)
{
if (((dtype == NID_md5) &&
(sigtype == NID_md5WithRSAEncryption)) ||
((dtype == NID_md2) &&
(sigtype == NID_md2WithRSAEncryption)))
{
/* ok, we will let it through */
#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
fprintf(stderr,"signature has problems, re-make with post SSLeay045\n");
#endif
}
else
{
RSAerr(RSA_F_RSA_VERIFY,
RSA_R_ALGORITHM_MISMATCH);
goto err;
}
}
> Steve.


In the meantime I'm also looking at the other side to see if I can
convince windows to generate pkcs7 with sha1, or some way to change
that.

Thanks,

-derek

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org