Re: CMS: message digest algorithm selection is ignored when signing receipts (+ peer-review request)
On Tue, Dec 7, 2010 at 01:50, Dr. Stephen Henson st...@openssl.org wrote:
> On Tue, Dec 07, 2010, Maxim Kammerer wrote:
>> The command-line argument -md to openssl cms -sign_receipt is apparently ignored, and the default digest algorithm (SHA-1 in my tests) is used instead.
>
> At present this is a limitation of the API: there is no option to specify an alternative digest. I'll have to see if there is an easy way to fix this without a new API. It would be relatively easy to use the same digest as the original content instead of using the default public key algorithm digest.

Any news on this issue? openssl cms -sign_receipt still uses SHA-1 in my tests for 1.0.0d.

Thanks,
Maxim (please CC me on replies)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: CMS: message digest algorithm selection is ignored when signing receipts (+ peer-review request)
> The command-line argument -md to openssl cms -sign_receipt is apparently ignored, and the default digest algorithm (SHA-1 in my tests) is used instead. In addition, the -noattr argument has the same effect as -nosmimecap, apparently leaving some unnecessary attributes (like signing time) - contrary to the manual.

Maybe it wasn't clear from my post, but this issue is a bug, not a missing feature. The CMS structure for -sign_receipt is very similar to one for -sign, and both have a field for the selected message digest algorithm (visible with openssl cms -cmsout -noout -print -in receipt.sig). Not so sure about -noattr/-nosmimecap, though.

Maxim
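The check described above (inspecting the receipt with openssl cms -cmsout -print), scripted end to end as an added example that is not part of this thread or of OpenSSL: it builds two throwaway self-signed identities, signs a message with -md sha256 while requesting a receipt, signs the receipt, and compares the digest algorithm each structure carries. It assumes an openssl binary on PATH; the names alice and bob and the address alice@example.invalid are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check which digest a CMS signed
# receipt actually carries versus the digest requested with -md.
set -e

# Print the unique digest algorithm names in a CMS structure (S/MIME form),
# read from the "algorithm:" line that follows each digestAlgorithm(s) field
# in the -print output; covers both the SignedData set and the SignerInfo.
cms_digests() {
    openssl cms -cmsout -noout -print -in "$1" |
        awk '/digestAlgorithm/ { want = 1; next }
             want && /algorithm:/ { print $2; want = 0 }' |
        sort -u
}

# Succeed only when every digest algorithm in file $1 is exactly $2.
cms_digest_is() {
    [ "$(cms_digests "$1")" = "$2" ]
}

# Constructed test data written into directory $1: throwaway self-signed
# identities alice and bob, a message Alice signs with digest $2 while
# requesting a signed receipt, and the receipt Bob signs in reply.
make_receipt_pair() {
    dir="$1"; md="$2"
    for who in alice bob; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$who" \
            -keyout "$dir/$who.key" -out "$dir/$who.pem" >/dev/null 2>&1
    done
    printf 'constructed test message\n' > "$dir/msg.txt"
    openssl cms -sign -md "$md" -in "$dir/msg.txt" -signer "$dir/alice.pem" \
        -inkey "$dir/alice.key" -receipt_request_all \
        -receipt_request_to alice@example.invalid -out "$dir/signed.msg"
    # -md is passed here as well; the thread reports -sign_receipt ignores it.
    openssl cms -sign_receipt -md "$md" -in "$dir/signed.msg" \
        -signer "$dir/bob.pem" -inkey "$dir/bob.key" -out "$dir/receipt.msg"
}

work=$(mktemp -d)
make_receipt_pair "$work" sha256
echo "requested with -md: sha256"
echo "message uses:       $(cms_digests "$work/signed.msg" | tr '\n' ' ')"
echo "receipt uses:       $(cms_digests "$work/receipt.msg" | tr '\n' ' ')"
cms_digest_is "$work/receipt.msg" sha256 ||
    echo "receipt digest differs from -md: the behaviour reported in the thread"
rm -r "$work"
```

The message digest follows -md; whether the receipt line matches depends on the key's default digest in the installed OpenSSL, which is what the script makes visible.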
Re: CMS: message digest algorithm selection is ignored when signing receipts (+ peer-review request)
On Tue, Dec 07, 2010, Maxim Kammerer wrote:
> The command-line argument -md to openssl cms -sign_receipt is apparently ignored, and the default digest algorithm (SHA-1 in my tests) is used instead. In addition, the -noattr argument has the same effect as -nosmimecap, apparently leaving some unnecessary attributes (like signing time) - contrary to the manual.
>
> Maybe it wasn't clear from my post, but this issue is a bug, not a missing feature. The CMS structure for -sign_receipt is very similar to one for -sign, and both have a field for the selected message digest algorithm (visible with openssl cms -cmsout -noout -print -in receipt.sig). Not so sure about -noattr/-nosmimecap, though.

At present this is a limitation of the API: there is no option to specify an alternative digest. I'll have to see if there is an easy way to fix this without a new API. It would be relatively easy to use the same digest as the original content instead of using the default public key algorithm digest.

The -noattr option isn't a bug: you can't omit all attributes with signed receipts and the use of any means that the standard mandatory attributes are included.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
CMS: message digest algorithm selection is ignored when signing receipts (+ peer-review request)
I am implementing a two-party message exchange system based on CMS for Liberté Linux (http://dee.su/liberte).

The command-line argument -md to openssl cms -sign_receipt is apparently ignored, and the default digest algorithm (SHA-1 in my tests) is used instead. In addition, the -noattr argument has the same effect as -nosmimecap, apparently leaving some unnecessary attributes (like signing time) - contrary to the manual. Also, the last option marker '-' for openssl verify doesn't work, contrary to the man page (perhaps the manual should be fixed).

The version is OpenSSL 1.0.0a on Gentoo Linux. The script I use can be seen here: https://liberte.svn.sourceforge.net/svnroot/liberte/trunk/liberte/src/home/anon/bin/cable

Incidentally, I will be glad for some critical peer-review.

* ${certdir} contains the user's certificates, and ${msgdir} contains untrusted certificates fetched from the other end
* The principle is described briefly in the first section at http://dee.su/liberte-security
* The initial communication protocol description is at https://liberte.svn.sourceforge.net/svnroot/liberte/trunk/liberte/doc/cable.txt
* Certificate generation is performed in https://liberte.svn.sourceforge.net/svnroot/liberte/trunk/liberte/src/home/anon/bin/gen-anon-username

Thanks,
Maxim