1 (edited by bachelet_safi 2016-09-29 01:55:03)

Topic: PKCS#7 (CMS) - Failed to verify CMS signed-data with OpenSSL

Hi all,

I need to use CMS signed-data (RFC 5652 chapter 5) with signed attributes and parameters PKCS1 V1.5 for signature algorithm and SHA-256 for hash algorithm.

I make prototypes for testing this with your library and OpenSSL library. The CMS signed-data contain the same data to sign "This is data to test the CMS signed data", doesn't contain any signed attribute and are signed and verify respectively by client-key.der and client-cert.der found in the certs folder of the wolfSSL library.

wolfSSL CMS signed-data sample code:

    // Initialize CMS
    ret = wc_PKCS7_InitWithCert (&pkcs7, cert, (word32)cert_file_len);
    if (ret != 0) {
        printf ("wc_PKCS7_InitWithCert failed: %d\n", ret);
        goto error;
    }
    pkcs7.privateKey = key;
    pkcs7.privateKeySz = key_file_len;
    pkcs7.content = (byte*)data;
    pkcs7.contentSz = (word32)strlen (data);
    pkcs7.contentOID = DATA;
    pkcs7.hashOID = SHA256h; // SHAh
    pkcs7.encryptOID = RSAk;
    /*pkcs7.signedAttribs = attribs;
    pkcs7.signedAttribsSz = sizeof (attribs) / sizeof (PKCS7Attrib);*/
    pkcs7.rng = &rng;

    // Encode CMS signed-data
    int signed_data_size = wc_PKCS7_EncodeSignedData (&pkcs7, signed_data, 4096);
    if (signed_data_size <= 0) {
        printf ("wc_PKCS7_EncodeSignedData failed: %d\n", ret);
        goto error;
    }

OpenSSL verify sample code:

    // Load certificate (public key)
    STACK_OF (X509) *pcerts = sk_X509_new_null ();
    if (!sk_X509_push (pcerts, cert)) {
        printf ("sk_X509_push error");
        goto error;
    }

    // Load CMS signed-data
    bio_in_cms = BIO_new_file (CMS_SIGN_FILE, "rb");
    cms_content_info_signed_data = d2i_CMS_bio (bio_in_cms, NULL);
    if (!cms_content_info_signed_data) {
        printf ("d2i_CMS_bio error");
        goto error;
    }

    // Verify CMS signed-data
    if (!CMS_verify (cms_content_info_signed_data, pcerts, NULL, NULL, bio_stdout, CMS_NO_SIGNER_CERT_VERIFY)) {
        printf ("CMS_decrypt error");
        goto error;
    }

Below are the results:

  • wolfSSL PKCS7 encode signed-data -> wolfSSL PKCS7 verify signed-data: Works.

  • OpenSSL CMS sign -> OpenSSL CMS verify: Works.

  • wolfSSL PKCS7 encode signed-data -> OpenSSL CMS verify: Doesn't work.

OpenSSL errors:
"2648:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto\rsa\rsa_sign.c:207:
2648:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:crypto\cms\cms_sd.c:839:
2648:error:2E09D06D:CMS routines:CMS_verify:content verify error:crypto\cms\cms_smime.c:393:"

  • OpenSSL CMS sign-> wolfSSL PKCS7 verify signed-data: Doesn't work.

wolfSSL error:
"wc_PKCS7_VerifySignedData failed: -173"
In error-crypt.h: "BAD_FUNC_ARG       = -173,  /* Bad function argument provided */"

You will found an archive file attached with :

  • wolfssl_cmsproject_main.c: code of CMS signed-data with wolfSSL ;

  • openssl_cmsproject_main.c: code of CMS signed-data with OpenSSL ;

  • wolfssl_data_sign.p7: CMS signed-data with wolfSSL (1806 bytes) ;

  • openssl_data_sign.p7: CMS signed-data with OpenSSL (1802 bytes) ;

  • wolfssl_data_sign_asn1parse.txt: CMS signed-data with wolfSSL parsed (openssl asn1parse -inform der -in wolfssl_data_sign.p7) ;

  • openssl_data_sign_asn1parse.txt: CMS signed-data with OpenSSL parsed (openssl asn1parse -inform der -in openssl_data_sign.p7).

This doesn't work with SHA-256 as well with SHA1.

The wolfSSL CMS signed-data has a different signature than the OpenSSL CMS signed-data. It has also 4 bytes more than OpenSSL with 2 bytes (0x0500) added 2 times after SHA-256 defined as you can see on wolfssl_data_sign_asn1parse.txt (41:d=5  hl=2 l=   0 prim: NULL and 1529:d=6  hl=2 l=   0 prim: NULL).
On wolfssl_data_sign_asn1parse.txt:
"   28:d=4  hl=2 l=  13 cons: SEQUENCE
   30:d=5  hl=2 l=   9 prim: OBJECT            :sha256
   41:d=5  hl=2 l=   0 prim: NULL
   43:d=3  hl=2 l=  51 cons: SEQUENCE
   45:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
...
1516:d=5  hl=2 l=  13 cons: SEQUENCE
1518:d=6  hl=2 l=   9 prim: OBJECT            :sha256
1529:d=6  hl=2 l=   0 prim: NULL
1531:d=5  hl=2 l=  13 cons: SEQUENCE
1533:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
1544:d=6  hl=2 l=   0 prim: NULL
1546:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:7E100189F79F351F878EAAD159C14AF8B74C41A4C87FD48CFB24B244D49C6DF1A14F891D73D8C36B023883DAB2F8B81810A89D4FB269CD7F8AF5E3567DF0562C20E09D80FD9FD8C2C1596D3FD2B2B550C5DBC4E7A95992B31CED7BE44B9FD261333D4F76E10C78C1656EDE6E89A54EEB4C643DAD8D9F08C999694B877D34C3470D83FAC22CBAAC833174D9B118451157B048314C0A4E28BCEDE9D53BFA007FEAF38D757EF83454EE29CAD609D350075BF5F5D95083C9064C06C6675061C465DBA05B9902EC6C6F1289920826B377035730A7A71E2863E78C47E9873837DBACC0A778B3D1C3B40577E962E5F7B97B8432DABD6A9104A8173EE90B98E04CCA0A6A
"

On openssl_data_sign_asn1parse.txt:
"   28:d=4  hl=2 l=  11 cons: SEQUENCE
   30:d=5  hl=2 l=   9 prim: OBJECT            :sha256
   41:d=3  hl=2 l=  51 cons: SEQUENCE
   43:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
...
1514:d=5  hl=2 l=  11 cons: SEQUENCE
1516:d=6  hl=2 l=   9 prim: OBJECT            :sha256
1527:d=5  hl=2 l=  13 cons: SEQUENCE
1529:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
1540:d=6  hl=2 l=   0 prim: NULL
1542:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:3FBB4D48720A6B9A92E2CA2D1E7EE3B484D4780A6DA973DA8800FC4D1F4153BD859D24E4015F9139D90BC8B26E9963223373A97D91CC0E53D4913F5DAC03802812AE4E83A7992481BB76B309497872DA12CB1EE950D053BBB0BBF827C75412EDF556FCF7C1643879E6C181BFA42496BA1F8DE5E7075DC364FF89A13FF9DB365776935C50E5E673E9AF99879D61EDA85902AB6D7179810760D8EA5E116F35389D2C8BF5C82646CD716B760AD35BFE2C1F742FF8A7ABE90B87C2F3A7F311EB001126CA7BF7443EE19928FAA006E3B15A2DFB696E17EB29AF1545ED0104C8E7BB3BC8CFD98577F4041C23212CA5CCE7592281812644BFF0093D9F93E0DA61E457E2
"

Does wolfSSL sign different data than OpenSSL? It should not be compatible?

Also, I see in your function wc_PKCS7_EncodeSignedData() that you use the macro SHA_DIGEST_SIZE which is specific to SHA1.

        wc_ShaUpdate(&esd->sha, pkcs7->content, pkcs7->contentSz);
        esd->contentDigest[0] = ASN_OCTET_STRING;
        esd->contentDigest[1] = SHA_DIGEST_SIZE;
        wc_ShaFinal(&esd->sha, &esd->contentDigest[2]);
        RsaKey stack_privKey;
        RsaKey* privKey = &stack_privKey;
        byte digestInfo[MAX_SEQ_SZ + MAX_ALGO_SZ +
                        MAX_OCTET_STR_SZ + SHA_DIGEST_SIZE];

Does this mean that you don't support CMS signed-data with SHA-256?

Best regards.

Post's attachments

cmssigneddataproject.zip 11.7 kb, 8 downloads since 2016-09-29 

You don't have the permssions to download the attachments of this post.

Share

Re: PKCS#7 (CMS) - Failed to verify CMS signed-data with OpenSSL

Hi,

Thanks for the detailed report and attached example code.  Let me look into this and get back to you shortly.

Thanks,
Chris

Re: PKCS#7 (CMS) - Failed to verify CMS signed-data with OpenSSL

Hi,

Do you have some news?

Best regards.

Share

Re: PKCS#7 (CMS) - Failed to verify CMS signed-data with OpenSSL

Hi,

Can you please retest this with the current version of the wolfSSL library?  We recently made several changes to wolfCrypt's PKCS#7 support, including a fix when using zero attributes:

https://github.com/wolfSSL/wolfssl/pull/635

Thanks,
Chris