> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
> Sent: Monday, August 04, 2014 11:21
> On Mon, Aug 04, 2014 at 05:43:47AM +0000, Mitra, Rituparna (STSD) wrote:
>
> > 1. app1: sends a CGI POST request to app2 ? the POST request has
the
> UN (username).
> >
> > 2. app2: does a CGI GET to receive the UN within app1?s POST
request.
> >
> > 3. app2: has app1?s x509 certificate already stored, since it has
to allow
> SSO from app1 ? gets verification ctx from here.
> >
> > 4. app2: uses the UN (containing ! character) to form a hashdata,
> >
> > 5. app2: passes hashdata to EVP_VerifyUpdate(ctx, .. )
> >
If you mean app2 hashes UN and passes that hash to VerifyUpdate, that's
wrong.
If you mean it passes the data *to be hashed*, that's good.
EVP_Verify{Init,Update,Final} does the hash of the data as part of verifying
a signature
just as EVP_Sign{Init,Update,Final} does the hash of the data to be signed.
In fact {Sign,Verify}{Init,Update} are just macros for Digest{Init,Update},
the PK operations are done only in Final.
> > 6. app2: calls EVP_VerifyFinal -- this eventually fails during
public key
> check (EVP_PKEY_verify), due to the ! character in UN
>
<snip broader points>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
