Bug 455870

Summary: SMIME -sign from non-seekable input does not work with DER and PEM output formats
Product: Red Hat Enterprise Linux 5
Reporter: rob_ewald
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: low
Priority: low
Version: 5.0
CC: pasteur
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
URL: http://www.mail-archive.com/openssl-dev@openssl.org/msg21440.html
Fixed In Version: openssl-0.9.8e-12.el5
Doc Type: Bug Fix
Last Closed: 2009-10-08 15:27:18 UTC
Attachments:
Patch to openssl-0.9.8b-10.el5.src.rpm (flags: none)

Description rob_ewald 2008-07-18 14:27:37 UTC
This is a copy/paste from the original report someone else made to the OpenSSL
list. In short, when signing SMIME the data must come from a seekable input. If,
say, a pipe is used then the input is ignored.

From http://www.mail-archive.com/openssl-dev@openssl.org/msg21440.html

---------------------------------------------------------------------------

[EMAIL PROTECTED] - Wed May 11 17:37:29 2005]:

> Current snapshots (checked on 20050503 and 20050511) and 0.9.7e do not
> work when asked to sign non-seekable input. 0.9.6c in Debian woody
> (package version 0.9.6c-2.woody.7) does work.
>
> That is,
>
>     echo hello|openssl smime -sign -inkey privkey.pem -signer cert.crt -outform der
>
> fails with a message "Can't rewind input file".
>
> The failing code is at line 638 (as of 20050511) of apps/smime.c:
>
>     if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME))
>         flags |= PKCS7_STREAM;
>     p7 = PKCS7_sign(signer, key, other, in, flags);
>     /* Don't need to rewind for partial signing */
>     if (!(flags & PKCS7_STREAM) && (BIO_reset(in) != 0))
>     {
>         BIO_printf(bio_err, "Can't rewind input file\n");
>         goto end;
>     }
>
> When signing to DER or PEM, flags are not PKCS7_STREAM (and the signature is
> really generated in PKCS7_sign) and then it tries to rewind the input, so
> failing if it is not seekable. But why does it need to rewind the input? I
> cannot see any reason from the user's point of view.

There is no case where it needs to rewind the input now in 0.9.8+ because the
content is either stored in a memory BIO (non-detached data), not needed
(detached and PEM, DER) or streamed (detached and SMIME).

In 0.9.7 there is only one case which is detached and SMIME output
format where the signature is computed on one pass and the content
output on the second.

Patch applied.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev
Automated List Manager [EMAIL PROTECTED]

---------------------------------------------------------------------------
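As an added regression check (constructed here, not part of the bug report or of OpenSSL's own code), the following POSIX shell script reproduces the scenario from the quoted post: it creates a throwaway self-signed key and certificate, pipes data into `openssl smime -sign` for each of the DER, PEM and SMIME output formats, classifies any failure by whether the "Can't rewind input file" message appears, and then verifies the detached DER and PEM signatures against the original content. It assumes the `openssl` command-line tool is on PATH and accepts the `req`/`smime` options used (they exist from 0.9.8 through 3.x); the file names under the temp directory and the payload text are constructed for the example. On a fixed build all three formats report `ok`; on an affected build DER and PEM report `rewind-failure`, while the detached SMIME case, which streams, reports `ok`.

```shell
#!/bin/sh
# Added regression check for the failure described in this bug: sign data that
# arrives on a pipe (non-seekable) with "openssl smime -sign" in each output
# format and report whether the "Can't rewind input file" error appears.
# Constructed example code, not part of the bug report or of OpenSSL.
# Assumptions: the openssl command-line tool is on PATH and accepts the
# req/smime options used below (true for 0.9.8 through 3.x).
set -u

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# The constructed payload that is signed and later verified.
payload() {
    printf 'hello from a pipe\n'
}

# Create a throwaway self-signed signing identity in $WORK.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=smime-rewind-test \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Sign the payload read from a pipe, producing a detached signature in the
# given output format (DER, PEM or SMIME). Prints one word:
#   ok              signing succeeded
#   rewind-failure  the bug from this report (BIO_reset on a non-seekable BIO)
#   other-failure   openssl failed for another reason (see $WORK/err.<fmt>)
# -binary disables CRLF canonicalisation so the same bytes can be verified
# from a plain file afterwards.
sign_from_pipe() {
    fmt=$1
    err="$WORK/err.$fmt"
    if payload | openssl smime -sign -binary -inkey "$WORK/key.pem" \
            -signer "$WORK/cert.pem" -outform "$fmt" \
            -out "$WORK/sig.$fmt" 2>"$err"; then
        echo ok
    elif grep -q "Can't rewind input file" "$err"; then
        echo rewind-failure
    else
        echo other-failure
    fi
}

# Verify that the detached DER/PEM signature written by sign_from_pipe really
# covers the payload. -noverify skips chain building (the certificate is
# self-signed); the signature over the content is still checked.
verify_detached() {
    fmt=$1
    payload > "$WORK/content.bin"
    openssl smime -verify -binary -noverify -inform "$fmt" \
        -in "$WORK/sig.$fmt" -content "$WORK/content.bin" \
        -out /dev/null 2>/dev/null
}

# Run the check for all three formats and print one line per format.
# Returns 0 when no format shows the rewind failure, 1 otherwise.
main() {
    rc=0
    if ! make_identity; then
        echo "could not create test key/certificate (is openssl installed?)" >&2
        return 1
    fi
    for fmt in DER PEM SMIME; do
        result=$(sign_from_pipe "$fmt")
        echo "$fmt: $result"
        [ "$result" = rewind-failure ] && rc=1
    done
    return $rc
}

main
```

The classification deliberately keys on the exact error string from the quoted apps/smime.c code, so an unrelated failure (missing key file, unsupported option) shows up as `other-failure` rather than being mistaken for the rewind bug; the stderr of each run is left in the temp directory until the script exits.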

Comment 1 rob_ewald 2008-07-18 14:27:37 UTC
Created attachment 312143
Patch to openssl-0.9.8b-10.el5.src.rpm