I just had the weirdest day ever. At first I thought PayPal's EWP system decided to flake out. Staring at the problem all day, talking to PayPal support for a couple of hours, and then having the problem fix itself (without either PayPal or myself doing anything!) makes it appear to me that PKCS#7 generation may have a timing bug somewhere that causes verification problems when PayPal goes to either verify the embedded public cert or decrypt the data block itself.

It didn't matter what version of OpenSSL I tried on my end (see below); all versions failed until about 4 p.m., when every encrypted and signed data block started working just fine. However, I still have several of the encrypted and signed data blocks that were NOT working, and I tried those again and they still fail. I even tried using brand new certs. It is definitely some sort of problem with OpenSSL and PKCS#7 - all versions.

Windows versions of OpenSSL (default builds) that I tested with that failed and then suddenly started working again around 4 p.m. today:
0.9.6m
0.9.7d
0.9.7e
0.9.7f
0.9.7g
0.9.8

All of those versions are working properly (for the moment), but that doesn't mean they won't break again. Also note that the data being encrypted was identical throughout the entire process. Also, I'm pretty certain that the source code to interface with OpenSSL can't be at fault because each and every function used is tested for returning error values.

Suggestions? I could try hammering PayPal's service with an automated script that generates an encrypted and signed block and then submits it until I get one that is deemed bogus, but I don't think they would appreciate that.


--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

Ask me about discounts on any Shining Light Productions product!
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

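An added check, not from the post above: before escalating a failing EWP block to the gateway, reproduce the sign-then-encrypt pipeline locally with throwaway certs, decrypt and verify the block yourself, and compare the signer cert's validity window with the local clock. The "merchant"/"gateway" certs, the button data and the file names are constructed stand-ins, not PayPal's real certificate or the poster's files.

```shell
#!/bin/sh
# Added example: local round-trip of an EWP-style PKCS#7 block.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-ins: a signing cert for the "merchant" and a recipient
# cert for the "gateway" (hypothetical names, self-signed, valid for 2 days).
for name in merchant gateway; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$name.key" -out "$name.crt" -subj "/CN=$name" >/dev/null 2>&1
done

# Constructed sample button data in the same shape as an EWP form block.
printf 'cmd=_xclick\nbusiness=merchant@example.com\namount=1.00\n' > data.txt

# Build the block the way EWP expects: attached DER signature, then encrypt
# the signed structure to the recipient cert as PEM.
make_block() {
  openssl smime -sign -signer merchant.crt -inkey merchant.key \
    -in data.txt -outform der -nodetach -binary \
  | openssl smime -encrypt -des3 -binary -outform pem gateway.crt > block.pem
}

# Decrypt with the recipient key, verify the signature against the signer
# cert, and confirm the recovered payload is byte-identical to the input.
# Prints "ok" on success, "mismatch" otherwise.
check_block() {
  openssl smime -decrypt -inform pem -in block.pem \
    -recip gateway.crt -inkey gateway.key \
  | openssl smime -verify -inform der -binary -CAfile merchant.crt \
      -out recovered.txt >/dev/null 2>&1
  if cmp -s data.txt recovered.txt; then echo ok; else echo mismatch; fi
}

# Show the signer cert's notBefore/notAfter next to the local UTC time, so a
# block that fails only at certain hours can be checked against the window.
cert_window() {
  openssl x509 -in merchant.crt -noout -dates
  date -u
}

make_block
check_block
cert_window
```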