[[EMAIL PROTECTED] - Sat Feb 19 17:01:21 2005]:

> "Stephen Henson via RT" <[EMAIL PROTECTED]> writes:
> 
> >> Is there a good (suggested) workaround for the older version that
> >> doesn't have this fix?  Can I, perhaps, define a new hash-type that
> >> defines itself as sha1WithRSAEncryption?  Or do you think that would
> >> cause problems?
> >>
> >
> > Well replacing pk7_doit.c with the latest version would be one fix. If
> > you need an application level fix you could always look for
> > sha1WithRSAEncryption in the PKCS7 structure and change it to SHA1.
> 
> Hmm, okay..  Let me rephrase -- is there an application-level fix that
> I can put into place while still using the "vendor-supplied" openssl
> library?  I wouldn't think that an application could supply its own
> version of pk7_doit.c and get the system libssl to see it?
> 

That is what my second suggestion was: after the PKCS7 structure has
been read in, but before passing to PKCS7_verify() change any digest
OIDs that are sha1WithRSAEncryption to SHA1.

> 
> In the meantime I'm also looking at the other side to see if I can
> convince windows to generate pkcs7 with sha1, or some way to change
> that.
> 

That's certainly possible: OE and some programs I've seen readily
produce the correct form.

Steve.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]