PKCS7_verify() with zero length input

bradh (Bugzilla)
I'm trying to do detached CMS signatures and verification using the
PKCS7_sign() and PKCS7_verify() functions. It appears to work OK, except that
my test case for a zero length array fails to verify() - looks like the
signature is OK though.

The documentation suggests that PKCS7_verify() isn't expected to work ("indata
cannot be NULL"). Are there any alternative functions that I should be
looking at? Or is there some workaround?

Brad

Re: PKCS7_verify() with zero length input

Dr. Stephen Henson
On Thu, Apr 13, 2006, Brad Hards wrote:

> I'm trying to do detached CMS signatures and verification using the
> PKCS7_sign() and PKCS7_verify() functions. It appears to work OK, except that
> my test case for a zero length array fails to verify() - looks like the
> signature is OK though.
>
> The documentation suggests that PKCS7_verify() isn't expected to work ("indata
> cannot be NULL"). Are there any alternative functions that I should be
> looking at? Or is there some workaround?
>

Have you tried passing it an empty memory BIO?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: PKCS7_verify() with zero length input

bradh (Bugzilla)
On Thursday 13 April 2006 22:26 pm, Dr. Stephen Henson wrote:

> On Thu, Apr 13, 2006, Brad Hards wrote:
> > I'm trying to do detached CMS signatures and verification using the
> > PKCS7_sign() and PKCS7_verify() functions. It appears to work OK, except
> > that my test case for a zero length array fails to verify() - looks like
> > the signature is OK though.
> >
> > The documentation suggests that PKCS7_verify() isn't expected to work
> > ("indata cannot be NULL"). Are there any alternative functions that I
> > should be looking at? Or is there some workaround?
>
> Have you tried passing it an empty memory BIO?

Yes. Roughly what I'm doing is:

    /* ... stuff to set up the keystore and PKCS7 structure... */
    bi = BIO_new(BIO_s_mem());
    BIO_write(bi, in.data(), in.size());
    int ret = PKCS7_verify(p7, xs, store, bi, NULL, 0);

It works (ret == 1) for data I've signed using PKCS7_sign, except for the case
where in.size() == 0 (i.e. an empty string). Then it returns 0.

Brad
