Signing with two different versions of OpenSSL


Eduardo Chappa
Dear all,

   I am trying to understand why the same code for the Alpine email program
behaves differently when compiled with two different versions of
OpenSSL. I have tried many variations of the official code, to no avail.
Maybe someone here can point me in the right direction.

The git repository for the code is located at
https://repo.or.cz/alpine.git

The code that creates detached signatures is in the file pith/smime.c. The
flow more or less goes as follows

/* detached signature; PKCS7_PARTIAL defers the signing itself to PKCS7_final() */
flags = PKCS7_DETACHED | PKCS7_PARTIAL;
if((p7 = PKCS7_sign(NULL, NULL, chain, in, flags)) != NULL
   && PKCS7_sign_add_signer(p7, pcert->cert, pcert->key, md, flags))
    PKCS7_final(p7, in, flags);      /* reads the content from "in", signs it */
i2d_PKCS7_bio(out, p7);              /* DER-encode the detached PKCS#7 into "out" */
(void) BIO_flush(out);

The "in" and "out" BIOs are memory buffers. The contents of the out BIO are
then base64-encoded and attached.

Does anyone here see why code like this would succeed in creating valid
signed messages when Alpine is built with OpenSSL 1.1.0i-fips 14 Aug 2018,
but not with OpenSSL 1.1.1g 21 Apr 2020 (and, I believe, with any version
of the 1.1.1 series)?

The exact details of the code are in the repository (address above) in the
file pith/smime.c, starting around line 3766.

Thank you for any insights.

--
Eduardo
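The same signing flow can be reproduced outside Alpine with the openssl command-line tool, which is a useful first step when bisecting a difference between two libcrypto builds: the sign path of `openssl smime` (apps/smime.c) runs the same PKCS7_sign() with PKCS7_PARTIAL, PKCS7_sign_add_signer() and PKCS7_final() sequence as the code quoted above, so if this script verifies cleanly with one build and not the other, the difference is in the library rather than in the application. The script below is an added example, not code from the post or from the Alpine repository; the message body, the throwaway self-signed RSA signer and the sha256 digest are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not Alpine's code, not from the original post): detached
# PKCS#7 signing round-trip with the openssl CLI, so two OpenSSL builds can be
# compared on the same input. Run it once per build and diff the output.
set -eu

# Constructed message body used as the detached content.
MSG='Subject: pkcs7 repro

hello, detached signature
'

# smime_roundtrip MD: sign $MSG with a throwaway self-signed RSA cert using
# digest MD, write the detached PKCS#7 as DER (what i2d_PKCS7_bio() emits),
# verify it against the original bytes, and return 0 only if the recovered
# content is byte-identical to what was signed.
smime_roundtrip() (
    md="${1:-sha256}"
    work="$(mktemp -d)"
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    printf '%s' "$MSG" > msg.txt

    # Throwaway signer; -nodes leaves the private key unencrypted for the demo.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=pkcs7 repro' -keyout key.pem -out cert.pem 2>/dev/null

    # Detached is the default for smime -sign; -binary keeps the signed bytes
    # exactly as supplied instead of canonicalising line endings to CRLF.
    openssl smime -sign -binary -md "$md" -in msg.txt \
        -signer cert.pem -inkey key.pem -outform DER -out sig.p7s

    # Show the algorithm OIDs and signing time so the two builds' output
    # can be compared by eye (digest algorithm, signature algorithm, attrs).
    openssl asn1parse -inform DER -in sig.p7s | grep -E 'OBJECT|UTCTIME' | head -n 12

    # Verify with the signer cert as the only trust anchor; on success the
    # recovered content is written to verified.txt.
    openssl smime -verify -binary -inform DER -in sig.p7s -content msg.txt \
        -CAfile cert.pem -out verified.txt >/dev/null

    cmp -s msg.txt verified.txt
)

# Record which build produced the result, then run the round-trip.
openssl version
smime_roundtrip sha256 && echo "sha256 detached signature: OK"
```

If the round-trip passes under both builds, the next thing to compare is the DER Alpine itself writes: feed the decoded attachment from each build to `openssl asn1parse -inform DER` and `openssl smime -verify -inform DER -content <body>` as above, which separates "the signature is malformed" from "the signature is fine but the verifier rejects the certificate".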