Bug 455870 - SMIME -sign from non-seekable input does not work with DER and PEM output formats
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssl
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL: http://www.mail-archive.com/openssl-d...
Whiteboard:
Depends On:
Blocks:
Reported: 2008-07-18 14:27 UTC by rob_ewald
Modified: 2009-10-08 15:27 UTC (History)

Fixed In Version: openssl-0.9.8e-12.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-08 15:27:18 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch to openssl-0.9.8b-10.el5.src.rpm (517 bytes, patch)
2008-07-18 14:27 UTC, rob_ewald


Links
System ID Private Priority Status Summary Last Updated
CentOS 2998 0 None None None Never

Description rob_ewald 2008-07-18 14:27:37 UTC
This is a copy/paste from the original report someone else made to the OpenSSL
list. In short when signing SMIME the data must come from a seekable input. If,
say, a pipe is used then the input is ignored.

From http://www.mail-archive.com/openssl-dev@openssl.org/msg21440.html

---------------------------------------------------------------------------

[EMAIL PROTECTED] - Wed May 11 17:37:29 2005]:

> Current snapshots (checked on 20050503 and 20050511) and 0.9.7e do not
> work when asked to sign non-seekable input. 0.9.6c in Debian woody
> (package version 0.9.6c-2.woody.7) does work.
>
> That is,
>
>     echo hello|openssl smime -sign -inkey privkey.pem -signer cert.crt -outform der
>
> fails with a message "Can't rewind input file".
>
> The failing code is at line 638 (as of 20050511) of apps/smime.c:
>
>     if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME))
>         flags |= PKCS7_STREAM;
>     p7 = PKCS7_sign(signer, key, other, in, flags);
>     /* Don't need to rewind for partial signing */
>     if (!(flags & PKCS7_STREAM) && (BIO_reset(in) != 0))
>         {
>         BIO_printf(bio_err, "Can't rewind input file\n");
>         goto end;
>         }
>
> When signing to DER or PEM, flags are not PKCS7_STREAM (and the signature
> is really generated in PKCS7_sign) and then it tries to rewind the input,
> so it fails if the input is not seekable. But why does it need to rewind
> the input? I cannot see any reason from the user's point of view.

There is no case it needs to rewind the input now in 0.9.8+ because the
content is either stored in a memory BIO (non-detached data), not needed
(detached and PEM, DER) or streamed (detached and SMIME).

In 0.9.7 there is only one case which is detached and SMIME output
format where the signature is computed on one pass and the content
output on the second.

Patch applied.

---------------------------------------------------------------------------
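
A regression check for the behaviour discussed in this report, as an added example that is not part of the bug report or of the OpenSSL sources: it signs data arriving on a pipe with DER and PEM output and verifies the detached signature. The key, certificate subject, message and the helper names make_signer and sign_from_pipe are constructed for the example.

```shell
#!/bin/sh
# Added example: regression check for signing from a pipe (non-seekable stdin).
# The key, certificate and message are throwaway values constructed here.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_signer() {
    # Self-signed test certificate; the CN is a constructed placeholder.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pipe-sign-test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

sign_from_pipe() {
    # $1: der or pem. Prints "ok" if a detached signature made from piped
    # input verifies against the same bytes, otherwise "fail".
    fmt=$1
    [ -s "$WORK/key.pem" ] || make_signer || { echo fail; return 0; }
    printf 'hello\n' > "$WORK/msg"
    # "cat | openssl" makes stdin a pipe, so a rewind (BIO_reset) cannot work.
    # -binary keeps the signed bytes identical to the file passed to -content.
    if cat "$WORK/msg" | openssl smime -sign -binary \
            -inkey "$WORK/key.pem" -signer "$WORK/cert.pem" \
            -outform "$fmt" -out "$WORK/sig.$fmt" 2>"$WORK/err" &&
       openssl smime -verify -noverify -binary -inform "$fmt" \
            -in "$WORK/sig.$fmt" -content "$WORK/msg" \
            -out /dev/null 2>>"$WORK/err"
    then
        echo ok
    else
        echo fail
    fi
}

# Check both output formats named in the bug title.
for fmt in der pem; do
    printf '%s: %s\n' "$fmt" "$(sign_from_pipe "$fmt")"
done
```

On a build that still rewinds its input, the signing step exits with the "Can't rewind input file" message from the report and the function prints "fail".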

Comment 1 rob_ewald 2008-07-18 14:27:37 UTC
Created attachment 312143
Patch to openssl-0.9.8b-10.el5.src.rpm

