Hi, we have an SOD (a CMS for e-passports and e-ID cards) file that we can read out and verify fine if the signature algo is RSA_PKCS1_PADDING.
But if the algo is RSA_PKCS1_PSS_PADDING (see the attached txt for an asn1 dump), the verification fails. Below is part of the stack trace; it looks like openssl still thinks the algorithm is RSA_PKCS1_PADDING instead of RSA_PKCS1_PSS_PADDING:

CMS_verify() {
  cms_signerinfo_verify() {
    EVP_DigestVerifyInit() {
      do_sigver_init() {
        EVP_PKEY_CTX_set_signature_md() {
          ...
          pkey_rsa_ctrl() {        // type == EVP_PKEY_CTRL_DIGESTINIT
    EVP_DigestVerifyFinal() {
      ...
      pkey_rsa_verify(EVP_PKEY_CTX *ctx, ...) {
        RSA_PKEY_CTX *rctx = ctx->data;
        // rctx->pad_mode == RSA_PKCS1_PADDING (???)
        // and EVP_MD_type(rctx->md) = NID_sha256 (OK)

Does someone know whether the problem is with the encoding of the signature algo in the file, or with openssl itself?

Thanks!
Stef
  0 119: [APPLICATION 23] {
  4  48:   SEQUENCE {
  8   6:     OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
 19 160:     [0] {
 23  48:       SEQUENCE {
 27   2:         INTEGER 3
 30  49:         SET {
 32  48:           SEQUENCE {
 34   6:             OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
       :             }
       :           }
 45  48:         SEQUENCE {
 48   6:           OBJECT IDENTIFIER '2 23 136 1 1 1'
 56 160:           [0] {
 59   4:             OCTET STRING, encapsulates {
 62  48:               SEQUENCE {
 65   2:                 INTEGER 0
 68  48:                 SEQUENCE {
 70   6:                   OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
       :                   }
 81  48:                 SEQUENCE {
 83  48:                   SEQUENCE {
 85   2:                     INTEGER 1
 88   4:                     OCTET STRING
       :                       2C 51 36 2F 0B 0D DC 58 C1 67 FB EC AE B3 6B EC
       :                       51 DA 1C FC 97 23 4A 72 9E AB 2C AE 89 F8 C5 2B   (hash 0x01)
       :                     }
122  48:                   SEQUENCE {
124   2:                     INTEGER 13
127   4:                     OCTET STRING
       :                       BF 2C 0F 06 DB DB D5 F9 0C C7 8E CB 76 02 5C 9D
       :                       D1 04 F1 C0 21 D2 57 4F 57 1B 66 F1 15 43 0F 5E   (hash 0x13)
       :                     }
161  48:                   SEQUENCE {
163   2:                     INTEGER 11
166   4:                     OCTET STRING
       :                       9D 83 2F 80 A0 82 D0 29 F3 64 0F 2F 62 78 6F AF
       :                       89 2E 1A 6F 4A FA F0 AE 29 42 5E 51 C4 AC B2 62   (hash 0x11)
       :                     }
       :                   }
       :                 }
       :               }
       :             }
       :           }
200  49:         SET {
204  48:           SEQUENCE {
208   2:             INTEGER 1
211 128:             [0]
       :               2D B6 81 D6 A3 72 D3 A2 27 53 03 E3 F2 90 33 36   (SubjectKeyIdentifier)
       :               2C C7 00 9D
233  48:             SEQUENCE {
235   6:               OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
       :               }
246 160:             [0] {
248  48:               SEQUENCE {
250   6:                 OBJECT IDENTIFIER contentType (1 2 840 113549 1 9 3)
261  49:                 SET {
263   6:                   OBJECT IDENTIFIER '2 23 136 1 1 1'
       :                   }
       :                 }
271  48:               SEQUENCE {
273   6:                 OBJECT IDENTIFIER messageDigest (1 2 840 113549 1 9 4)
284  49:                 SET {
286   4:                   OCTET STRING
       :                     43 D2 E0 C5 3C ED DF F9 3A D9 1B 26 72 D1 16 90
       :                     F5 3B 26 04 86 F0 7F 05 0A CB 6A 25 D8 2A 7B C3   (hash over the eContent)
       :                   }
       :                 }
       :               }
320  48:             SEQUENCE {
322   6:               OBJECT IDENTIFIER '1 2 840 113549 1 1 10' (id-RSASSA-PSS)
333  48:               SEQUENCE {
335 160:                 [0] {
337  48:                   SEQUENCE {
339   6:                     OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
       :                     }
       :                   }
350 161:                 [1] {
352  48:                   SEQUENCE {
354   6:                     OBJECT IDENTIFIER '1 2 840 113549 1 1 8' (id-mgf1)
365  48:                     SEQUENCE {
367   6:                       OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
       :                       }
       :                     }
       :                   }
378 162:                 [2] {
380   2:                   INTEGER 32 (salt length)
       :                   }
       :                 }
       :               }
383   4:             OCTET STRING
       :               09 27 B6 73 5B 82 E1 3E C5 9D 1E D5 69 1C D0 F5
       :               FD 3C D7 08 7D B6 6F EC 6D 1A 8B D1 52 2A 7F 92
       :               F7 87 54 9E 1B 66 9F 8C 5D 4B C8 EF C3 1D 66 69
       :               14 43 10 70 08 AB 0E 20 03 AD 22 47 51 A4 8F 8C
       :               A2 2A 2F B3 87 AA A3 D0 0C 79 25 9C 8D D2 81 91
       :               96 2E 32 A9 45 49 53 99 7B 44 6B AA 44 F7 C2 1B
       :               EC 26 C1 90 C4 80 BF D9 00 8C 9A 64 61 B3 1B A5
       :               A8 2F 28 60 20 31 89 E7 A9 C6 0B 88 85 BD 5A DC
       :               B5 83 F3 36 53 D4 BA 14 20 0D 53 30 C4 46 7A 8A
       :               81 E7 86 F7 17 B1 57 3C E1 5F 14 D9 4E BF 0C 03
       :               C7 9F 52 AA 3F C2 39 5F A9 FA 88 8A 39 E8 F7 98
       :               0B 3C 4B 5B 29 62 51 AC 40 7C 71 75 91 22 23 1B
       :               22 8D 1B C7 45 90 37 5A 78 A0 FB 50 3C C4 78 05
       :               2A A3 1B DB 97 53 AA 1B 24 CD 41 85 EA 8E 8F 57
       :               86 8D 22 02 90 9C 12 56 4A 60 97 6F 8B 46 4C 71
       :               EC A0 69 BE 82 B1 86 ED 4F A2 3C E4 BF 16 0F 69
       :             }
       :           }
       :         }
       :       }
       :     }
       :   }
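As an added example, not part of Stef's post and not OpenSSL code, the following stdlib-only Python decodes the signatureAlgorithm element at offset 320 of the dump above. It walks the DER, fills in the RFC 4055 defaults for any absent RSASSA-PSS-params field (hash SHA-1, MGF1 over SHA-1, salt length 20, trailer field 1), and reports the hash, MGF, salt length and trailer field a PSS verifier has to apply, plus whether they agree with the SignerInfo digestAlgorithm. The DER bytes are re-encoded by hand from the listing (constructed input, not bytes taken from a real SOD); a sha256WithRSAEncryption identifier with NULL parameters is included for contrast with the RSA_PKCS1_PADDING case that verifies fine.

```python
"""Decode a CMS SignerInfo signatureAlgorithm and report the RSASSA-PSS
parameters (RFC 4055 section 3.1) that a verifier has to apply.
Standard library only; OpenSSL is not involved."""
import hashlib

OID_RSASSA_PSS = "1.2.840.113549.1.1.10"
OID_MGF1 = "1.2.840.113549.1.1.8"
OID_SHA1 = "1.3.14.3.2.26"
HASH_NAMES = {OID_SHA1: "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
              "2.16.840.1.101.3.4.2.2": "sha384", "2.16.840.1.101.3.4.2.3": "sha512"}

# Constructed input: the signatureAlgorithm at offset 320 of the dump, re-encoded
# by hand from the listing (SEQUENCE with 61 content bytes). Not bytes from a real SOD.
SIGNATURE_ALGORITHM_DER = bytes.fromhex(
    "303D"
    "06092A864886F70D01010A"          # OID id-RSASSA-PSS
    "3030"                            # RSASSA-PSS-params SEQUENCE
    "A00D300B0609608648016503040201"  # [0] hashAlgorithm: sha256
    "A11A3018"                        # [1] maskGenAlgorithm: SEQUENCE {
    "06092A864886F70D010108"          #       id-mgf1,
    "300B0609608648016503040201"      #       parameter sha256 }
    "A203020120"                      # [2] saltLength: 32
)
# Constructed for contrast: sha256WithRSAEncryption with NULL params (PKCS#1 v1.5).
PKCS1_SHA256_ALGORITHM_DER = bytes.fromhex("300D06092A864886F70D01010B0500")


def read_tlv(buf, pos=0):
    """Return (tag, content, end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Dotted-decimal string for the content octets of an OBJECT IDENTIFIER."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def algorithm_identifier(der):
    """AlgorithmIdentifier ::= SEQUENCE { OID, parameters OPTIONAL } -> (oid, params | None)."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid), (body[pos:] if pos < len(body) else None)


def parse_pss_params(params):
    """RSASSA-PSS-params; every absent field takes its RFC 4055 default
    (hash sha1, MGF1 over sha1, saltLength 20, trailerField 1)."""
    result = {"hash": OID_SHA1, "mgf": OID_MGF1, "mgf_hash": OID_SHA1,
              "salt_length": 20, "trailer_field": 1}
    if params is None:
        return result
    tag, body, _ = read_tlv(params)
    if tag != 0x30:
        raise ValueError("RSASSA-PSS-params must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0xA0:                                # [0] hashAlgorithm
            result["hash"] = algorithm_identifier(value)[0]
        elif tag == 0xA1:                              # [1] maskGenAlgorithm
            result["mgf"], mgf_params = algorithm_identifier(value)
            if result["mgf"] == OID_MGF1 and mgf_params is not None:
                result["mgf_hash"] = algorithm_identifier(mgf_params)[0]
        elif tag in (0xA2, 0xA3):                      # [2] saltLength, [3] trailerField
            _, integer, _ = read_tlv(value)
            key = "salt_length" if tag == 0xA2 else "trailer_field"
            result[key] = int.from_bytes(integer, "big", signed=True)
    return result


def describe_signature_algorithm(der, signer_digest_oid):
    """Decoded PSS settings plus 'consistent': the PSS hash equals the SignerInfo
    digestAlgorithm, the MGF is MGF1 over that same hash and trailerField is 1
    (the only value RFC 4055 allows). The salt length is reported, not judged."""
    oid, params = algorithm_identifier(der)
    info = {"algorithm": oid, "is_pss": oid == OID_RSASSA_PSS, "consistent": False}
    if not info["is_pss"]:
        return info
    pss = parse_pss_params(params)
    name = HASH_NAMES.get(pss["hash"], pss["hash"])
    info.update(hash=name, mgf=pss["mgf"], mgf_hash=HASH_NAMES.get(pss["mgf_hash"], pss["mgf_hash"]),
                salt_length=pss["salt_length"], trailer_field=pss["trailer_field"])
    if name in hashlib.algorithms_available:
        info["salt_equals_hash_len"] = pss["salt_length"] == hashlib.new(name).digest_size
    info["consistent"] = (pss["hash"] == signer_digest_oid and pss["mgf"] == OID_MGF1
                          and pss["mgf_hash"] == pss["hash"] and pss["trailer_field"] == 1)
    return info
```

Calling describe_signature_algorithm(SIGNATURE_ALGORITHM_DER, "2.16.840.1.101.3.4.2.1") yields hash sha256, MGF1 over sha256, salt length 32 (equal to the hash length), trailer field 1 and consistent True, which is the RFC 4055 shape of the element in the dump; the same call on PKCS1_SHA256_ALGORITHM_DER reports is_pss False. The decoder only tells you what the file asks the verifier to do; it says nothing about which padding mode a given OpenSSL build ends up selecting for it.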