CMS re-sign is broken for at least CMS_NO_ATTR and/or CMS_KEY_PARAM

Description

When trying to re-sign a CMS using CMS_NO_ATTR and/or CMS_KEY_PARAM via command-line or directly the output CMS does not contain the new signature and is corrupted.

A full reproduction code is available https://github.com/alonbl/openssl-cms-pss.

I believe the root cause is that when resign is executed the CMS_final() is not called and instead the i2d_CMS_bio() is called, while its logic is incomplete.

References

Discussion

openssl-users

Tested Branches

Branch	Head
OpenSSL_1_1_1-stable	8df5cc3339
master	f16e52b67c

Reproduction

Repo

https://github.com/alonbl/openssl-cms-pss

Script

#!/bin/sh

die() {
        echo "FATAL: $1" >&2
        exit 1
}

doit() {
        local args="$1"
        rm -f 1.cms 2.cms
        echo "cms -sign ${args} 1.cms"
        openssl \
                cms \
                -sign \
                -signer test1.crt \
                -inkey test1.key \
                -binary \
                -nosmimecap \
                -keyid \
                -in data.txt \
                -out 1.cms \
                -outform DER \
                ${args} \
                || die "sign to 1.cms failed"
        echo "cms -verify 1.cms"
        openssl \
                cms \
                -verify \
                -binary \
                -in 1.cms \
                -inform DER \
                -content data.txt \
                -noverify \
                || die "verify 1.cms failed"
        echo "cms -resign ${args} 1.cms to 2.cms"
        openssl \
                cms \
                -resign \
                -signer test2.crt \
                -inkey test2.key \
                -binary \
                -nosmimecap \
                -keyid \
                -in 1.cms \
                -inform DER \
                -out 2.cms \
                -outform DER \
                ${args} \
                || die "resign to 2.cms failed"
        echo "cms -verify 2.cms"
        openssl \
                cms \
                -verify \
                -binary \
                -in 2.cms \
                -inform DER \
                -content data.txt \
                -noverify \
                || die "verify 2.cms failed"
}

openssl version

echo "==============="
echo "CMS without padding mode and with attributes"
echo "==============="
( doit )
echo "==============="
echo "CMS without padding mode and without attributes"
echo "==============="
( doit "-noattr" )
echo "==============="
echo "CMS with PKCS1 padding mode"
echo "==============="
( doit "-keyopt rsa_padding_mode:pkcs1" )
echo "==============="
echo "CMS with PSS"
echo "==============="
( doit "-keyopt rsa_padding_mode:pss" )

Output

./demo.sh
OpenSSL 3.0.0-alpha12-dev  (Library: OpenSSL 3.0.0-alpha12-dev )
===============
CMS without padding mode and with attributes
===============
cms -sign  1.cms
cms -verify 1.cms
CMS Verification successful
hello world
cms -resign  1.cms to 2.cms
cms -verify 2.cms
CMS Verification successful
hello world
===============
CMS without padding mode and without attributes
===============
cms -sign -noattr 1.cms
cms -verify 1.cms
CMS Verification successful
hello world
cms -resign -noattr 1.cms to 2.cms
cms -verify 2.cms
Verification failure
80529D2D497F0000:error:02000077:rsa routines:int_rsa_verify:wrong signature length:crypto/rsa/rsa_sign.c:340:
80529D2D497F0000:error:1C880004:Provider routines:rsa_verify:RSA lib:providers/implementations/signature/rsa.c:736:
80529D2D497F0000:error:1700009E:CMS routines:CMS_SignerInfo_verify_content:verification failure:crypto/cms/cms_sd.c:975:
80529D2D497F0000:error:1700006D:CMS routines:CMS_verify:content verify error:crypto/cms/cms_smime.c:452:
hello world
FATAL: verify 2.cms failed
===============
CMS with PKCS1 padding mode
===============
cms -sign -keyopt rsa_padding_mode:pkcs1 1.cms
cms -verify 1.cms
CMS Verification successful
hello world
cms -resign -keyopt rsa_padding_mode:pkcs1 1.cms to 2.cms
cms -verify 2.cms
Error reading SMIME Content Info
80325670717F0000:error:06800079:asn1 encoding routines:asn1_item_embed_d2i:field missing:crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
80325670717F0000:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:641:Field=signatureAlgorithm, Type=CMS_SignerInfo
80325670717F0000:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:610:Field=signerInfos, Type=CMS_SignedData
80325670717F0000:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:641:
80325670717F0000:error:0688010A:asn1 encoding routines:asn1_template_ex_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:495:Field=d.signedData, Type=CMS_ContentInfo
FATAL: verify 2.cms failed
===============
CMS with PSS
===============
cms -sign -keyopt rsa_padding_mode:pss 1.cms
cms -verify 1.cms
CMS Verification successful
hello world
cms -resign -keyopt rsa_padding_mode:pss 1.cms to 2.cms
cms -verify 2.cms
Error reading SMIME Content Info
80C26475937F0000:error:06800079:asn1 encoding routines:asn1_item_embed_d2i:field missing:crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
80C26475937F0000:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:641:Field=signatureAlgorithm, Type=CMS_SignerInfo
80C26475937F0000:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:610:Field=signerInfos, Type=CMS_SignedData
80C26475937F0000:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:641:
80C26475937F0000:error:0688010A:asn1 encoding routines:asn1_template_ex_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:495:Field=d.signedData, Type=CMS_ContentInfo
FATAL: verify 2.cms failed
make: *** [Makefile:7: check] Error 1

openssl / openssl

CMS re-sign is broken for at least CMS_NO_ATTR and/or CMS_KEY_PARAM #14257