Hi Alon, I am able to reproduce this issue with 1.1.1i
echo "hello world" > msg /* pkcs1 */ openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms openssl cms -verify -in 1.cms -CAfile ca.pem openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms openssl cms -verify -in 2.cms -CAfile ca.pem /* pss */ openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms -keyopt rsa_padding_mode:pss openssl cms -verify -in 1.cms -CAfile ca.pem openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms -keyopt rsa_padding_mode:pss openssl cms -verify -in 2.cms -CAfile ca.pem Thanks, Thulasi. On Fri, 19 Feb 2021 at 13:16, Alon Bar-Lev <alon.bar...@gmail.com> wrote: > Hello OpenSSL masters, > > Can someone please try to reproduce the below issue? > > Thanks, > Alon > > On Sat, 13 Feb 2021 at 23:23 Alon Bar-Lev <alon.bar...@gmail.com> wrote: > >> Hello, >> >> I am trying to resign a CMS using the openssl tool. >> >> When I use RSA-PKCS1 everything is working fine. >> >> When I use RSA-PSS it seems like the asn1 is produced corrupted, I do not >> see the signature in asn1dump. >> >> I prepared a demo[1] to help people reproduce the issue, tested with >> openssl-1.1.1i. >> >> The script output pasted below shows that CMS resign without PSS works >> correctly, while the same sequence with PSS produces a corrupted CMS file. >> >> What am I doing wrong? >> >> Regards, >> Alon Bar-Lev >> >> [1] https://github.com/alonbl/openssl-cms-pss >> >> --- >> >> =============== >> CMS without PSS >> =============== >> cms -sign 1.cms >> cms -verify 1.cms >> hello world >> Verification successful >> cms -resign 1.cms to 2.cms >> cms -verify 2.cms >> hello world >> Verification successful >> =============== >> CMS with PSS >> =============== >> cms -sign 1.cms >> cms -verify 1.cms >> hello world >> Verification successful >> cms -resign 1.cms to 2.cms >> cms -verify 2.cms >> Error reading S/MIME message >> 140438977062208:error:0D078079:asn1 encoding >> routines:asn1_item_embed_d2i:field >> missing:../crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR >> 140438977062208:error:0D08303A:asn1 encoding >> routines:asn1_template_noexp_d2i:nested asn1 >> error:../crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm, >> Type=CMS_SignerInfo >> 140438977062208:error:0D08303A:asn1 encoding >> routines:asn1_template_noexp_d2i:nested asn1 >> error:../crypto/asn1/tasn_dec.c:614:Field=signerInfos, Type=CMS_SignedData >> 140438977062208:error:0D08303A:asn1 encoding >> routines:asn1_template_noexp_d2i:nested asn1 >> error:../crypto/asn1/tasn_dec.c:646: >> 140438977062208:error:0D08403A:asn1 encoding >> routines:asn1_template_ex_d2i:nested asn1 >> error:../crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo >> FATAL: verify 2.cms failed >> >> >>
