[dev] [commits] Horde branch master updated. 900790ecbb506e850e5e6f03823ad293dc2d370d

Michael J Rubinsky mrubinsk at horde.org
Fri Apr 28 01:07:23 UTC 2017 

Quoting Jan Schneider <jan at horde.org>:

> Zitat von Michael J. Rubinsky <mrubinsk at horde.org>:
>
>> The branch "master" has been updated.
>> The following is a summary of the commits.
>>
>> from: 076b00cfe4db6a0fa44b8b1b7d07e96996ab1b33
>>
>> 76c0d9d Set the micalg header parameter correctly when using SHA-256.
>> fa2dca3 Pass the openssl path too.
>> 900790e BFN
>>
>> Summary:  
>> http://github.com/horde/horde/compare/076b00cfe4db6a0fa44b8b1b7d07e96996ab1b33...900790ecbb506e850e5e6f03823ad293dc2d370d
>>
>> -----------------------------------------------------------------------
>>
>> commit 76c0d9d3f2af854e8b34e3536af68100332a203c
>> Author: Michael J Rubinsky <mrubinsk at horde.org>
>> Date:   Thu Apr 27 00:42:20 2017 -0400
>>
>>    Set the micalg header parameter correctly when using SHA-256.
>>
>>    This took me the better part of a day to research and figure out,
>>    so would appreciate a second pair of eyes and/or some testing.
>>
>>    New-ish versions of openssl use SHA-256 as the message digest alg.
>>    when smime signing while other versions use SHA-1. This causes some
>>    clients to reject the signature, which I believe to  be the correct
>>    behavior.
>>
>>    PHP's openssl_pkcs7_* methods don't allow setting or reading the md
>>    method so we are left with either parsing the entire DER binary
>>    stream using something like phpseclib and pulling out the digest
>>    method, forgoing the openssl_* methods and call the openssl executable's
>>    smime tool to directly to do the signature, or we can use  
>> openssl executable's
>>    asn1parse command  and search for a known string indicating  
>> SHA-256 is being used.
>>
>>    The first option is overkill, the second option would defeat the
>>    purpose of having the more efficient openssl_* methods and would
>>    require writing out a copy of the private key to temporary storage, so
>>    I went with the third option.
>>
>> framework/Crypt/lib/Horde/Crypt/Smime.php | 18 +++++++++++++++++-
>> 1 file changed, 17 insertions(+), 1 deletion(-)
>>
>> http://github.com/horde/horde/commit/76c0d9d3f2af854e8b34e3536af68100332a203c
>>
>> -----------------------------------------------------------------------
>
> According to the OpenSSL documentation at the latest stable version  
> (https://www.openssl.org/docs/man1.1.0/crypto/PKCS7_sign.html) but  
> also at the current master version  
> (https://www.openssl.org/docs/manmaster/man3/PKCS7_sign.html) is says:
>
> "If a signer is specified it will use the default digest for the  
> signing algorithm. This is SHA1 for both RSA and DSA keys."
>
> The source tells a different story though:
> https://github.com/openssl/openssl/blob/6f0ac0e2f27d9240516edb9a23b7863e7ad02898/crypto/dsa/dsa_ameth.c#L499
>
> And this is the commit that changed the behavior:
> https://github.com/openssl/openssl/commit/44e0c2bae4bfd87d770480902618dbccde84fd81
>
> If we could find out what the default digest method for the used  
> public keys is, we can use that. I would prefer a solution without  
> using the openssl binary, because we are actually trying to get rid  
> of it: https://github.com/horde/horde/pull/218


Agreed. I'll take another look at this during my next time block.


> -- 
> Jan Schneider
> The Horde Project
> https://www.horde.org/
>
> -- 
> dev mailing list
> Frequently Asked Questions: http://wiki.horde.org/FAQ
> To unsubscribe, mail: dev-unsubscribe at lists.horde.org



-- 
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-keys
Size: 9272 bytes
Desc: PGP Public Key
URL: <https://lists.horde.org/archives/dev/attachments/20170428/c7c48bbf/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 821 bytes
Desc: PGP Digital Signature
URL: <https://lists.horde.org/archives/dev/attachments/20170428/c7c48bbf/attachment-0001.bin>

More information about the dev mailing list