openssl/openssl
Vedi su GitHubopenssl smime verify fails on checking files bigger than 1.8G in size
Open
#26.208 aperta il 18 dic 2024
branch: masterhelp wantedtriaged: feature
Metriche repository
- Star
- (30.157 star)
- Metriche merge PR
- (Nessuna PR mergiata in 30 g)
Descrizione
We have a flow when encrypting some binary bundles, signing them and pushing to another system where verification and decryption are happening.
We faced issues once our bundles crossed some file size, the openssl smime -verify reports Verification failure.
Please see the details below.
OK case (with smaller file)
- get file size:
$ stat -c%s ./file_1.b64
1745229635
- sign the file and get signed file size:
$ openssl smime -sign -md sha256 -inkey ./caroot.key -signer ./ca.crt -passin pass:$KEY_PASS -in ./file_1.b64 -out ./file_1.signed
$ stat -c%s ./file_1.signed
1772083225
- verify (we're not interested in actual data here, so redirecting output to
/dev/null):
$ openssl smime -verify -md sha256 -in ./file_1.signed -CAfile ./ca.crt >/dev/null
Verification successful
FAIL case (with bigger file)
- get file size:
$ stat -c%s ./file_2.b64
1893771060
- sign the file and get signed file size:
$ openssl smime -sign -md sha256 -inkey ./caroot.key -signer ./ca.crt -passin pass:$KEY_PASS -in ./file_2.b64 -out ./file_2.signed
$ stat -c%s ./file_2.signed
1922909903
- verify:
$ openssl smime -verify -md sha256 -in ./file_2.signed -CAfile ./ca.crt >/dev/null
Verification failure
400764AE187F0000:error:10800065:PKCS7 routines:PKCS7_signatureVerify:digest failure:../crypto/pkcs7/pk7_doit.c:1096:
400764AE187F0000:error:10800069:PKCS7 routines:PKCS7_verify:signature failure:../crypto/pkcs7/pk7_smime.c:361:
OS and OpenSSL version
Ubuntu 22.04 with "official" openssl package:
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.5 LTS"
$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
The issue was also noticed for own built version of OpenSSL 3.0 branch with the same error codes but slightly different C-line numbers:
$ openssl version
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
Verification failure
C0F1635A5D7F0000:error:10800065:PKCS7 routines:PKCS7_signatureVerify:digest failure:crypto/pkcs7/pk7_doit.c:1089:
C0F1635A5D7F0000:error:10800069:PKCS7 routines:PKCS7_verify:signature failure:crypto/pkcs7/pk7_smime.c:363: