On Mon, Aug 04, 2014 at 05:43:47AM +0000, Mitra, Rituparna (STSD) wrote:

> 1. app1: sends a CGI POST request to app2; the POST request has the UN 
> (username).
> 
> 2. app2: does a CGI GET to receive the UN within app1's POST request.
> 
> 3. app2: has app1's x509 certificate already stored, since it has to 
> allow SSO from app1; gets verification ctx from here.
> 
> 4. app2: uses the UN (containing ! character) to form a hashdata,
> 
> 5. app2: passes hashdata to EVP_VerifyUpdate(ctx, .. )
> 
> 6. app2: calls EVP_VerifyFinal -- this eventually fails during public 
> key check (EVP_PKEY_verify), due to the ! character in UN

Sorry, that's not the reason.  Your mistake is elsewhere.  In
particular the signature is likely incorrect or signed something
other than what you expected.

Also the SSO protocol design is deeply flawed.  It is not sufficient
to send a signature of the username alone.

If the two applications are communicating directly, app1 should
authenticate the channel with a client certificate, and can
then just send the username unsigned in the request, since
all the data sent is authenticated with app1's certificate.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
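An added example, not code from either poster, that illustrates the two points in the reply above. It uses Ruby's OpenSSL bindings, which wrap the same EVP sign/verify routines as EVP_VerifyUpdate/EVP_VerifyFinal: a username containing `!` verifies fine when the signed bytes match exactly, the verification fails only when the signed data differs from what app2 reconstructs, and a signature over the username alone is the same for every request, whereas binding the intended recipient and a per-request nonce into the signed data makes one request's signature useless for another. The key, the self-signed certificate, the payload layout and the `audience`/`nonce` fields are constructed assumptions for the demonstration; the page specifies none of them.

```ruby
require 'openssl'

# Constructed sample key for app1. In the deployment described on the list,
# app2 already holds app1's certificate and takes the public key from it.
APP1_KEY = OpenSSL::PKey::RSA.new(2048)

# Build a throwaway self-signed certificate for app1 (constructed; a real
# deployment would use the certificate app2 has on file).
def build_app1_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=app1')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

APP1_CERT = build_app1_cert(APP1_KEY)

# app1 side: sign the exact bytes it intends app2 to verify.
def app1_sign(data)
  APP1_KEY.sign(OpenSSL::Digest.new('SHA256'), data)
end

# app2 side: verify against the public key of the stored app1 certificate.
# Returns true/false, like EVP_VerifyFinal's 1/0.
def app2_verify(cert, signature, data)
  cert.public_key.verify(OpenSSL::Digest.new('SHA256'), signature, data)
end

# Signed data bound to a specific request instead of the bare username
# (constructed layout; the page proposes none).
def request_payload(username, audience, nonce)
  "#{username}\n#{audience}\n#{nonce}"
end

# Point 1: the '!' in the username is irrelevant; identical bytes verify.
def bang_username_verifies
  un = 'user!name'
  app2_verify(APP1_CERT, app1_sign(un), un)
end

# Point 1, failure mode: app1 signed something slightly different from what
# app2 reconstructs (here, a trailing space), so verification fails.
def mismatched_data_fails
  sig = app1_sign('user!name ')
  app2_verify(APP1_CERT, sig, 'user!name')
end

# Point 2: a signature over the username alone is identical for every
# request; a context-bound signature is valid only for its own request.
def bound_signature_rejected_on_other_request
  bare_a = app1_sign('user!name')
  bare_b = app1_sign('user!name')
  same_every_time = (bare_a == bare_b)   # PKCS#1 v1.5 RSA is deterministic

  payload = request_payload('user!name', 'app2', 'nonce-1')
  sig = app1_sign(payload)
  ok_same  = app2_verify(APP1_CERT, sig, payload)
  ok_other = app2_verify(APP1_CERT, sig,
                         request_payload('user!name', 'app2', 'nonce-2'))
  [same_every_time, ok_same, ok_other]
end

if __FILE__ == $PROGRAM_NAME
  puts "username with '!' verifies:        #{bang_username_verifies}"
  puts "mismatched signed bytes verify:    #{mismatched_data_fails}"
  puts "[bare sig repeats, bound ok, bound reused]: " \
       "#{bound_signature_rejected_on_other_request.inspect}"
end
```

The reply's recommendation remains the simpler design: put the two applications on a TLS channel authenticated by app1's client certificate and send the username unsigned, which binds every request byte to app1 without any application-level signature at all.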