Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 455870 - SMIME -sign from non-seekable input does not work with DER and PEM output formats
Summary: SMIME -sign from non-seekable input does not work with DER and PEM output for...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssl
Version: 5.0
Hardware: All
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL: http://www.mail-archive.com/openssl-d...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-18 14:27 UTC by rob_ewald
Modified: 2009-10-08 15:27 UTC (History)
1 user (show)

Fixed In Version: openssl-0.9.8e-12.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-08 15:27:18 UTC
Target Upstream Version:


Attachments (Terms of Use)
Patch to openssl-0.9.8b-10.el5.src.rpm (deleted)
2008-07-18 14:27 UTC, rob_ewald
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
CentOS 2998 None None None Never

Description rob_ewald 2008-07-18 14:27:37 UTC
This is a copy/paste from the original report someone else made to the OpenSSL
list. In short when signing SMIME the data must come from a seekable input. If,
say, a pipe is used then then the input is ignored.

From http://www.mail-archive.com/openssl-dev@openssl.org/msg21440.html [^]

---------------------------------------------------------------------------

[EMAIL PROTECTED] - Wed May 11 17:37:29 2005]:

> Current snapshots (checked on 20050503 and 20050511) and 0.9.7e do not
> work when asked to sign non-seekable input. 0.9.6c in Debian woody
> (package version 0.9.6c-2.woody.7) does work.
>
> That is,
>
> echo hello|openssl smime -sign -inkey privkey.pem -signer cert.crt
> -outform der
>
> fails with a message "Can't rewind input file".
>
> The failing code is at line 638 (as of 20050511) of apps/smime.c:
>
> if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME))
> flags |= PKCS7_STREAM;
> p7 = PKCS7_sign(signer, key, other, in, flags);
> /* Don't need to rewind for partial signing */
> if (!(flags & PKCS7_STREAM) && (BIO_reset(in) != 0))
> {
> BIO_printf(bio_err, "Can't rewind input file\n");
> goto end;
> }
>
> When signing to DER or PEM flags are not PKCS7_STREAM (and signature
> is
> really generated in PKCS7_sign) and then it tries to rewind input, so
> failing if it is not seekable. But why it needs to rewind the input?
> I
> cannot see any reason from the user's point of view.

There is no case it needs to rewind the input now in 0.9.8+ because the
content is either stored in a memory BIO (non-detached data), not needed
(detached and PEM, DER) or streamed (detached and SMIME).

In 0.9.7 there is only one case which is detached and SMIME output
format where the signature is computed on one pass and the content
output on the second.

Patch applied.
______________________________________________________________________
OpenSSL Project http://www.openssl.org [^]
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]

---------------------------------------------------------------------------

Comment 1 rob_ewald 2008-07-18 14:27:37 UTC
Created attachment 312143 [details]
Patch to openssl-0.9.8b-10.el5.src.rpm


Note You need to log in before you can comment on or make changes to this bug.