Re: openssl cms resign with RSA-PSS corrupts the CMS(?)

Hi Alon,

I am able to reproduce this issue with 1.1.1i

echo "hello world" > msg


/* pkcs1 */

openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms 

openssl cms -verify -in 1.cms -CAfile ca.pem

openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms

openssl cms -verify -in 2.cms -CAfile ca.pem 


/* pss */

openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms -keyopt rsa_padding_mode:pss

openssl cms -verify -in 1.cms -CAfile ca.pem

openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms -keyopt rsa_padding_mode:pss

openssl cms -verify -in 2.cms -CAfile ca.pem



Thanks,

Thulasi.


On Fri, 19 Feb 2021 at 13:16, Alon Bar-Lev <alon.barlev@xxxxxxxxx> wrote:
Hello OpenSSL masters,

Can someone please try to reproduce the below issue?

Thanks,
Alon

On Sat, 13 Feb 2021 at 23:23 Alon Bar-Lev <alon.barlev@xxxxxxxxx> wrote:
Hello,

I am trying to resign a CMS using the openssl tool.

When I use RSA-PKCS1 everything is working fine.

When I use RSA-PSS it seems like the asn1 is produced corrupted, I do not see the signature in asn1dump.

I prepared a demo[1] to help people reproduce the issue, tested with openssl-1.1.1i.

The script output pasted below shows that CMS resign without PSS works correctly, while the same sequence with PSS produces a corrupted CMS file.

What am I doing wrong?

Regards,
Alon Bar-Lev


---

===============
CMS without PSS
===============
cms -sign 1.cms
cms -verify 1.cms
hello world
Verification successful
cms -resign 1.cms to 2.cms
cms -verify 2.cms
hello world
Verification successful
===============
CMS with PSS
===============
cms -sign 1.cms
cms -verify 1.cms
hello world
Verification successful
cms -resign 1.cms to 2.cms
cms -verify 2.cms
Error reading S/MIME message
140438977062208:error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing:../crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
140438977062208:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm, Type=CMS_SignerInfo
140438977062208:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:614:Field=signerInfos, Type=CMS_SignedData
140438977062208:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:
140438977062208:error:0D08403A:asn1 encoding routines:asn1_template_ex_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
FATAL: verify 2.cms failed
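
The decoder errors quoted above point at a SignerInfo whose signatureAlgorithm has no algorithm OID. As an added example (not part of the thread and not OpenSSL code), this Python sketch walks one DER-encoded SignerInfo and reports that condition. All sample bytes are constructed, and the empty AlgorithmIdentifier in `BAD` is an assumed shape, not data taken from the resigned file.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split constructed contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def check_signer_info(der):
    """Return a list of problems found in one DER SignerInfo (RFC 5652, 5.3)."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        return ["SignerInfo is not a SEQUENCE"]
    items = children(body)
    idx = 3  # skip version, sid, digestAlgorithm
    if len(items) > idx and items[idx][0] == 0xA0:
        idx += 1  # skip the optional [0] signedAttrs
    if len(items) <= idx or items[idx][0] != 0x30:
        return ["signatureAlgorithm missing"]
    problems = []
    alg = children(items[idx][1])
    if not alg or alg[0][0] != 0x06:
        problems.append("signatureAlgorithm has no algorithm OID")
    sig = items[idx + 1] if len(items) > idx + 1 else (None, b"")
    if sig[0] != 0x04 or not sig[1]:
        problems.append("signature missing or empty")
    return problems

def tlv(tag, value=b""):  # short-form DER encoder, enough for the samples
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed samples: version 1, empty issuer name, serial 1, SHA-256 digest.
HEAD = (tlv(0x02, b"\x01") + tlv(0x30, tlv(0x30) + tlv(0x02, b"\x01"))
        + tlv(0x30, tlv(0x06, bytes.fromhex("608648016503040201"))))
PSS_OID = tlv(0x06, bytes.fromhex("2a864886f70d01010a"))  # id-RSASSA-PSS
GOOD = tlv(0x30, HEAD + tlv(0x30, PSS_OID) + tlv(0x04, b"\x5a" * 8))
# Assumed shape of the failure: empty AlgorithmIdentifier and empty signature.
BAD = tlv(0x30, HEAD + tlv(0x30) + tlv(0x04))
```

To check a real file, extract the SignerInfo bytes first, for example with `openssl asn1parse`; the function expects a single SignerInfo, not the whole CMS ContentInfo.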


