Hello,
I have a small update in order to close this issue.
The identity provider that produced the invalid signatures have fixed their
signatures so that we can verify them using the latest LTS version of
OpenSSL. We use Bouncy Castle in some products and it does not catch the
invalid signatures
Hello,
I think the person I spoke with might have thought about another set of
signatures for an in-house identity provider. If that is the case then
those signatures were probably generated by OpenSSL 1.0.2 and are OK. I
heard from another person today that the bad files were produced by the
othe
On 02/04/2019 17:34, Steffen wrote:
> Hello,
>
>> What had produced the signatures?
>
> I received word from my end that the signatures may have been produced by
> OpenSSL 1.0.2 (no idea which letter release) in the Cygwin environment but I
> cannot confirm this.
>
If that's the case, I'd re
Hello,
> What had produced the signatures?
I received word from my end that the signatures may have been produced by
OpenSSL 1.0.2 (no idea which letter release) in the Cygwin environment but
I cannot confirm this.
Matt Caswell wrote:
> Using the cert/data files you provided me off-list (thanks), I was able to
> confirm the above and narrow it down further to the following commit:
What had produced the signatures?
> In some cases, the damage is permanent and the spec deviation and
> securi
On 02/04/2019 10:44, Matt Caswell wrote:
On 01/04/2019 22:23, Steffen wrote:
Hello,
I believe that I have narrowed the problem down to one specific version of
OpenSSL. Version 1.1.0b works as expected while OpenSSL 1.1.0c does not.
Using the cert/data files you provided me off-list (thanks),
Hello Matt,
Thank you for looking into this!
So it seems like I have to figure out why the signatures are incorrectly
formatted and then fix it at every source if possible, or convert the
structures somehow if it can be done correctly. The only immediate solution
I can see is to downgrade to Open
On 01/04/2019 22:23, Steffen wrote:
> Hello,
>
> I believe that I have narrowed the problem down to one specific version of
> OpenSSL. Version 1.1.0b works as expected while OpenSSL 1.1.0c does not.
Using the cert/data files you provided me off-list (thanks), I was able to
confirm the above an
Hello,
I believe that I have narrowed the problem down to one specific version of
OpenSSL. Version 1.1.0b works as expected while OpenSSL 1.1.0c does not.
I have currently only verified this using PKCS7_verify and CMS_verify since
I have no CLI at hand for these versions.
The changelog for 1.1.0
Hello Matt,
Thank you for your reply!
I am not quite sure if I should do something more but specifying "-binary"
alone does not seem to help:
# 1.0.2r
$ /usr/local/opt/openssl/bin/openssl cms -verify -inform der -in test.der -content test-data.bin -noverify -binary > /dev/null
Verification succe
On 01/04/2019 14:46, Steffen wrote:
> Hello,
>
> I am struggling with using OpenSSL 1.1.1 to verify a PKCS #7/CMS structure.
> Verification succeeds when I use OpenSSL 1.0.2, but 1.1.0 and 1.1.1 fails with
> "bad signature". I initially had this problem when using the OpenSSL library
> but I