Hi Dave,

>>If you mean app2 hashes UN and passes that hash to VerifyUpdate, that's wrong.
>>If you mean it passes the data *to be hashed*, that's good.

Thanks. Yes, I meant the 2nd one, it passes the data to be hashed.
We are investigating further as the problem seems to be leaning towards app1.

Regards,
Rituparna Mitra

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Friday, August 08, 2014 6:28 AM
To: openssl-users@openssl.org
Subject: RE: Query on X509 certificate validation- EVP_VerifyUpdate & EVP_VerifyFinal

> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
> Sent: Monday, August 04, 2014 11:21

> On Mon, Aug 04, 2014 at 05:43:47AM +0000, Mitra, Rituparna (STSD) wrote:
>
> > 1. app1: sends a CGI POST request to app2 - the POST request has the UN (username).
> >
> > 2. app2: does a CGI GET to receive the UN within app1's POST request.
> >
> > 3. app2: has app1's x509 certificate already stored, since it has to allow SSO from app1 - gets verification ctx from here.
> >
> > 4. app2: uses the UN (containing ! character) to form a hashdata,
> >
> > 5. app2: passes hashdata to EVP_VerifyUpdate(ctx, .. )
> >

If you mean app2 hashes UN and passes that hash to VerifyUpdate, that's wrong.
If you mean it passes the data *to be hashed*, that's good.
EVP_Verify{Init,Update,Final} does the hash of the data as part of
verifying a signature just as EVP_Sign{Init,Update,Final} does the hash
of the data to be signed. In fact {Sign,Verify}{Init,Update} are just macros
for Digest{Init,Update}, the PK operations are done only in Final.

> > 6. app2: calls EVP_VerifyFinal -- this eventually fails during public key check (EVP_PKEY_verify), due to the ! character in UN
> <snip broader points>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org