On 20/07/2011 19:09, Michael Ströder wrote:
Mailing List SVR wrote:
On 20/07/2011 17:06, Dr. Stephen Henson wrote:
On Wed, Jul 20, 2011, Mailing List SVR wrote:

On 20/07/2011 08:44, Mailing List SVR wrote:
Hi,

openssl seems unable to verify the attached sod.pem. Other pem
files work fine; there is something strange with the one attached.
Attached is also the binary cert from which I extracted the pem. I
have the following:

openssl smime -verify -in sod.pem -inform pem -noverify> sod.data
Verification failure
2538:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer
certificate not found:pk7_smime.c:378:

my problem seems similar to the one described here:

http://old.nabble.com/Problem-with-verifying-of-PKCS7-structure-signed-with-ECDSA-certificate-td27717780.html


yes the problem is the dsn order:

openssl cms -cmsout -in EF_SOD.PEM -inform PEM -noout -print|grep issuer:
issuer: C=IT, O=MINISTERO DELL'INTERNO, OU=PE,
CN=CERTIFICATION AUTHORITY
issuer: CN=CERTIFICATION AUTHORITY, OU=PE, O=MINISTERO
DELL'INTERNO, C=IT


so the order of the id of the signer is reverted in the id of the
certificate, can you please point me to the specs that said that the
dsn order must be the same?

Many places, including the DN comparison algorithm description of RFC3280.

Sorry, can you point me to the exact paragraph? I read 4.1.2.4

Yes, there is:

   Name chaining is performed by matching the issuer
   distinguished name in one certificate with the subject name in a CA
   certificate.

and 5.1.2.3

This section refers to X.501:

   The issuer field is defined as the X.501
   type Name

So it inherits the matching rules defined for distinguished names in X.501. And Name is a SEQUENCE!

but the comparison seems to happen on the contents of the issuer field and
not the order,

Where in RFC 5280 (or its predecessor RFC 3280) is wording which makes you think that?

Especially in section 7. of RFC 5280:

   Two distinguished names DN1 and DN2 match if they
   have the same number of RDNs, for each RDN in DN1 there is a matching
   RDN in DN2, and the matching RDNs appear in the same order in both
   DNs.

Ciao, Michael.

Thanks Michael,

Nicola
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
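
The matching rule quoted from section 7 of RFC 5280, applied to the two issuer strings printed earlier in the thread, as an added example that is not part of the original messages and is not OpenSSL's code. The names `parse_dn`, `dn_match` and `diagnose` are hypothetical, and the string normalisation is a simplified stand-in for full string preparation; values are assumed to contain no escaped `,` or `+`.

```python
import re
from collections import Counter

# The two issuer values printed by `openssl cms ... -print` in the thread.
ISSUER_A = "C=IT, O=MINISTERO DELL'INTERNO, OU=PE, CN=CERTIFICATION AUTHORITY"
ISSUER_B = "CN=CERTIFICATION AUTHORITY, OU=PE, O=MINISTERO DELL'INTERNO, C=IT"

def _norm(value):
    # Simplified normalisation (assumption): trim, collapse whitespace, fold case.
    return re.sub(r"\s+", " ", value.strip()).casefold()

def parse_dn(text):
    """Parse 'K=V, K=V' into an ordered list of RDNs.

    Each RDN is a frozenset of (type, value) pairs: an RDN is a SET,
    while the Name that holds the RDNs is a SEQUENCE, so list order matters.
    A multi-valued RDN is written 'K=V + K=V'.
    """
    rdns = []
    for part in text.split(","):
        atvs = set()
        for atv in part.split("+"):
            key, sep, value = atv.partition("=")
            if not sep:
                raise ValueError(f"malformed attribute: {atv!r}")
            atvs.add((key.strip().upper(), _norm(value)))
        rdns.append(frozenset(atvs))
    return rdns

def dn_match(dn1, dn2):
    """Same number of RDNs, each RDN matches, and in the same order."""
    a, b = parse_dn(dn1), parse_dn(dn2)
    return len(a) == len(b) and all(x == y for x, y in zip(a, b))

def diagnose(signer_issuer, cert_issuer):
    """Classify why a signer identifier does or does not select a certificate."""
    if dn_match(signer_issuer, cert_issuer):
        return "match"
    # Diagnostic only: the same RDNs in a different order is still a mismatch.
    if Counter(parse_dn(signer_issuer)) == Counter(parse_dn(cert_issuer)):
        return "rdn-order-mismatch"
    return "different-name"

if __name__ == "__main__":
    print(diagnose(ISSUER_A, ISSUER_B))
```

The `rdn-order-mismatch` result corresponds to the "signer certificate not found" error above: the signer identifier and the certificate carry the same RDNs, but not the same Name.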

