On Mon, Feb 13, 2012, Andy Polyakov wrote: > >> mdc2 algorithm is not listed as enabled by default in 1.0+. > >> > >> What is current status to this algorithm ? > >> > >> It seems to me** result of openssl 0.9.8t digest command (*openssl* > >> *dgst -mdcs2..) *is not compatible with openssl 1.0+ . > >> > >> Another issue is between 0.9.8, 1.0.0 and upcoming 1.0.1 . If a > >> certificate use mdcd2 algorithm created by openssl 0.9.8 it could > >> be verified by 0.9.8 and 1.0.0+ but fail with 1.0.1(stable branch). > >> Same if for certificates created by 1.0.0+ - verify command succeed > >> with 0.9.8 and 1.0.0+ and fail with 1.0.1. Certificates created with > >> 1.01 could be verified only with 1.0.1 and verification fail with > >> earlier version. > >> > >> Issue with certificates apply to CRLs > >> > > > > Looking into this there is a long standing incompatibility between various > > functions that use mdc2 for signatures. Since SSLeay the function RSA_sign() > > using mdc2 as an argument uses a DigestInfo structure whereas using EVP ends > > up with a different octet string format signature. > > > > It's only when the signature code was revised to use RSA_sign more > > extensively > > that this is more apparent. > > > > How widespread is use of mdc2 for signatures and certificates? > > Neither Redhat, Debian or Suse deliver openssl with mdc2, so it can't be > widespread. However, it's more of a principle, 1.0.1 is meant to be > compatible with 1.0.0 and fixing it in 1.0.1 would be manifestation that > we actually stick to the principle. As for 1.1 it might be appropriate > to actually omit mdc2 (along with some other algorithms)... > > > I can address the 1.0.1 certificate issue fairly easily but I'm wondering if > > some compatibility option is needed for dgst too. > > Tricky one. The breakage in certificate handling is caused by switch > from EVP_[Sign|Verify]XXX to EVP_Digest[Sign|Verify]XXX in > crypto/asn1/a_[sign|verify].c, but 1.0.0 dgst is using the latter. I'd > guess dgst is incompatible between 0.9.8 and 1.0.0, but not between > 1.0.0 and 1.0.1. And it appears to be the case. I personally would vote > for treating dgst behavior in 1.0.0 as bug and fixing it in > EVP_Digest[Sign|Verify] so that certificate handling and dgst is harmonized.
It is possibly to modify RSA_verify (which is what the verify code ultimately uses) to transparently support both formats. Then no matter what version was used it would "just work". That could be applied to all branches or just 1.0.1+. Personally I think all then we get maximum compatibility with no side effects. Fixing the signature output can be done by modifying the code EVP_DigestSign calls (with is an RSA method) or finally making RSA_sign use the correct format. I'm tempted to change RSA_sign but that would make the output different between 1.0.1+ and all previous versions of OpenSSL so perhaps not. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
