Bug 455870 - SMIME -sign from non-seekable input does not work with DER and PEM output formats
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssl
5.0
All Linux
low Severity low
: rc
Assigned To: Tomas Mraz
Brian Brock
http://www.mail-archive.com/openssl-d...
Reported: 2008-07-18 10:27 EDT by rob_ewald
Modified: 2009-10-08 11:27 EDT

Fixed In Version: openssl-0.9.8e-12.el5
Doc Type: Bug Fix
Last Closed: 2009-10-08 11:27:18 EDT


Attachments
Patch to openssl-0.9.8b-10.el5.src.rpm (517 bytes, patch)
2008-07-18 10:27 EDT, rob_ewald


External Trackers
Tracker ID Priority Status Summary Last Updated
CentOS 2998 None None None Never

Description rob_ewald 2008-07-18 10:27:37 EDT
This is a copy/paste from the original report someone else made to the OpenSSL
list. In short, when signing SMIME the data must come from a seekable input. If,
say, a pipe is used then the input is ignored.

From http://www.mail-archive.com/openssl-dev@openssl.org/msg21440.html

---------------------------------------------------------------------------

[EMAIL PROTECTED] - Wed May 11 17:37:29 2005]:

> Current snapshots (checked on 20050503 and 20050511) and 0.9.7e do not
> work when asked to sign non-seekable input. 0.9.6c in Debian woody
> (package version 0.9.6c-2.woody.7) does work.
>
> That is,
>
>     echo hello|openssl smime -sign -inkey privkey.pem -signer cert.crt -outform der
>
> fails with a message "Can't rewind input file".
>
> The failing code is at line 638 (as of 20050511) of apps/smime.c:
>
>     if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME))
>         flags |= PKCS7_STREAM;
>     p7 = PKCS7_sign(signer, key, other, in, flags);
>     /* Don't need to rewind for partial signing */
>     if (!(flags & PKCS7_STREAM) && (BIO_reset(in) != 0))
>     {
>         BIO_printf(bio_err, "Can't rewind input file\n");
>         goto end;
>     }
>
> When signing to DER or PEM, flags are not PKCS7_STREAM (and the signature
> is really generated in PKCS7_sign) and then it tries to rewind the input,
> so failing if it is not seekable. But why does it need to rewind the input?
> I cannot see any reason from the user's point of view.

There is no case it needs to rewind the input now in 0.9.8+ because the
content is either stored in a memory BIO (non-detached data), not needed
(detached and PEM, DER) or streamed (detached and SMIME).

In 0.9.7 there is only one case which is detached and SMIME output
format where the signature is computed on one pass and the content
output on the second.

Patch applied.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]

---------------------------------------------------------------------------
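The failure described in the report above, as an added example that is not part of the bug report, the attached patch, or OpenSSL: a small C model of the quoted flag check, evaluated against a pipe and against a regular file. The `X_*` constants, `enum outfmt`, the scratch file path and all function names are stand-ins assumed for illustration, and `lseek()` is used as the seekability probe in place of `BIO_reset()`.

```c
/* Added illustration, not OpenSSL source; constants below are local stand-ins. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define X_DETACHED 0x40   /* stand-in for PKCS7_DETACHED */
#define X_STREAM   0x1000 /* stand-in for PKCS7_STREAM */
enum outfmt { OUT_DER, OUT_PEM, OUT_SMIME }; /* stand-ins for FORMAT_* */

/* Rewinding needs a seekable descriptor; lseek() on a pipe fails (ESPIPE). */
int is_seekable(int fd) { return lseek(fd, 0, SEEK_CUR) != (off_t)-1; }

/* Decision taken by the quoted snippet: rewind unless the data is streamed. */
int reported_rewinds(int flags, enum outfmt out)
{
    if ((flags & X_DETACHED) && out == OUT_SMIME)
        flags |= X_STREAM;
    return !(flags & X_STREAM);
}

/* 1 if signing from fd would stop at "Can't rewind input file". */
int sign_fails(int fd, int rewinds) { return rewinds && !is_seekable(fd); }

/* Evaluate one case against a fresh pipe (non-seekable input). */
int pipe_case_fails(int rewinds)
{
    int p[2], r;
    if (pipe(p) != 0) return -1;
    r = sign_fails(p[0], rewinds);
    close(p[0]); close(p[1]);
    return r;
}

/* Same case against a scratch regular file (seekable input). */
int file_case_fails(int rewinds)
{
    const char *path = "/tmp/seekable_probe.tmp"; /* constructed scratch file name */
    int r, fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return -1;
    r = sign_fails(fd, rewinds);
    close(fd); unlink(path);
    return r;
}

int main(void)
{
    printf("pipe, DER, quoted logic: %d\n", pipe_case_fails(reported_rewinds(X_DETACHED, OUT_DER)));
    printf("file, DER, quoted logic: %d\n", file_case_fails(reported_rewinds(X_DETACHED, OUT_DER)));
    printf("pipe, any, no rewind:    %d\n", pipe_case_fails(0));
    return 0;
}
```

Passing `0` as the rewind decision models the behaviour the reply describes for 0.9.8+, where no case needs to rewind the input.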
Comment 1 rob_ewald 2008-07-18 10:27:37 EDT
Created attachment 312143
Patch to openssl-0.9.8b-10.el5.src.rpm
