David Chia wrote:
>
> > The SHA1 change to use NID_rsaEncryption is another.
>
> I have also independently come to make that modification
> otherwise NS communicator will reject the signature.
> SECUDE accepts both types from OPENSSL without complaint.
>
> David Chia, RMIT University
Nevertheless it's still wrong. I believe that field is used (among other
things) by the certificate signing code to determine the OID to use when
signing a certificate. The consequences of changing it to
NID_rsaEncryption are that OpenSSL creates invalid certificates when
SHA1 is the digest algorithm.
The actual problem is that the PKCS#7 code uses that field to set the
digestEncryptionAlgorithm OID. It should indeed be rsaEncryption but
some software doesn't mind it being wrong.
Anyway the solution is simple. Instead of the old version in pk7_lib.c:
p7i->digest_enc_alg->algorithm=OBJ_nid2obj(EVP_MD_pkey_type(dgst));
which sets the OID from the digest algorithm it becomes:
p7i->digest_enc_alg->algorithm=OBJ_nid2obj(EVP_PKEY_type(pkey->type));
which sets the OID from the type of the passed private key.
This is in the latest snapshot, let me know if it doesn't work.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
