G'day OpenSSL users,

I am involved in a project to use OpenSSL to sign mail with a personal
certificate and verify it with the CA's one. I did it according to the
steps in the OpenSSL smime document. But I just can't figure out what's
wrong with what I've done, as the signature verification keeps failing.
Following are the detailed steps of what I did:

1. get CA certificate:
----------------------

[terrence@igloo /tmp]$ cat CAcert.pem
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl x509 -noout -text -in CAcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 423 (0x1a7)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, O=The University of Melbourne, OU=Certificate Authority
        Validity
            Not Before: Apr 26 04:00:00 2000 GMT
            Not After : Apr 26 04:00:00 2003 GMT
        Subject: C=AU, O=The University of Melbourne, OU=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ee:3f:2d:72:07:75:59:a1:35:9b:8d:87:73:96:
                    00:63:3d:a8:9c:5d:89:17:7e:30:22:01:e7:9c:ee:
                    22:98:f5:27:a9:f4:75:5d:22:42:87:c3:c3:2c:17:
                    91:7b:f3:9d:fa:4d:db:fa:17:0e:96:87:17:bf:9e:
                    a2:82:e9:4f:c8:b4:2e:fe:66:ef:24:8d:c8:9c:3f:
                    01:9c:a5:70:71:9a:a7:19:1e:ef:b1:79:0e:3d:39:
                    91:fe:a6:f6:39:28:5d:60:9c:66:1b:1b:37:41:37:
                    c3:37:aa:80:a7:9d:09:6f:4c:35:95:2d:01:f0:c0:
                    1c:6c:ba:15:d6:b4:b3:92:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:B8:B7:F2:93:BD:17:09:A1:5F:96:A1:F8:98:3B:B9:7C:BA:F6:71:68

            X509v3 Subject Key Identifier:
                B8:B7:F2:93:BD:17:09:A1:5F:96:A1:F8:98:3B:B9:7C:BA:F6:71:68
    Signature Algorithm: md5WithRSAEncryption
        32:f1:f0:7b:62:08:72:cf:4b:b3:b9:f0:75:7f:16:c8:2e:4c:
        0b:4f:71:39:82:28:a5:c1:3f:ff:2f:d3:fa:cd:c2:7c:02:a4:
        5d:7a:a0:c5:07:60:8f:29:ea:2a:78:1b:29:c8:79:a7:8b:3e:
        bf:6d:62:c9:da:8c:e6:87:cd:ea:d6:fc:1e:80:37:a3:bf:fb:
        6f:3b:dc:eb:c4:d9:11:61:71:d1:42:d3:da:bd:1c:ce:ea:36:
        69:39:8a:ae:89:2d:8a:18:2f:fa:a3:4f:31:a6:0c:4f:32:ef:
        ae:d6:c3:0b:a1:4d:6b:78:6a:af:21:52:9c:c0:e9:f5:22:7a:
        02:7f

2. export the personal certificate issued by Melbourne University CA to
   terrence.p12. Then convert terrence.p12 to terrence.pem format:
----------------------------------------------------------------------------------

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl pkcs12 -in terrence.p12 -out terrence.pem -clcerts
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

[terrence@igloo /tmp]$ cat terrence.pem
Bag Attributes
    friendlyName: Tianxi (Terrence) Miao's The University of Melbourne ID
    localKeyID: <for security reasons I can't publish here, blah, blah...>
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1EBD651FAD388C26

for security reasons I can't publish here, blah, blah...
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: Tianxi (Terrence) Miao's The University of Melbourne ID
    localKeyID: <for security reasons I can't publish here, blah, blah...>
subject=/C=AU/O=The University of Melbourne/0.9.2342.19200300.100.1.1=terrence/CN=Tianxi (Terrence) Miao
issuer= /C=AU/O=The University of Melbourne/OU=Certificate Authority
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl x509 -noout -text -in terrence.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 863 (0x35f)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, O=The University of Melbourne, OU=Certificate Authority
        Validity
            Not Before: Oct 23 03:10:56 2000 GMT
            Not After : Oct 23 03:10:56 2001 GMT
        Subject: C=AU, O=The University of Melbourne/0.9.2342.19200300.100.1.1=terrence, CN=Tianxi (Terrence) Miao
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ac:1f:f7:2d:42:11:d0:64:9c:2e:13:99:d0:4e:
                    73:23:00:73:89:e8:06:46:69:c6:c3:b4:33:11:17:
                    15:9e:16:08:ab:c1:a6:2d:82:d4:c9:98:a3:0b:0c:
                    6d:3c:b2:40:e2:87:90:bb:bf:56:be:0a:15:73:34:
                    50:9a:dc:36:be:01:80:c2:8e:e7:be:12:66:7a:07:
                    ff:65:a4:aa:ae:55:15:a9:d8:1a:55:44:5c:1d:db:
                    8c:c9:72:b0:b6:72:c1:db:5d:b1:2e:0d:aa:bc:61:
                    76:8a:62:6c:0f:63:17:78:86:fe:c2:9e:44:b3:f6:
                    c4:5f:a7:b6:12:8f:f5:14:e3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL Client, S/MIME
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Authority Key Identifier:
                keyid:B8:B7:F2:93:BD:17:09:A1:5F:96:A1:F8:98:3B:B9:7C:BA:F6:71:68

    Signature Algorithm: md5WithRSAEncryption
        5c:12:d4:55:de:89:2c:96:91:10:74:87:32:8a:21:3c:a5:58:
        22:a4:95:a6:de:72:a1:4e:2a:5e:39:dd:ee:e6:f0:db:03:07:
        86:a9:4b:bb:5a:e1:e4:0b:92:d9:a3:b4:37:7e:7e:8d:67:1a:
        de:20:f8:0f:f7:b4:6b:39:95:d7:f1:8f:89:28:11:1d:54:ab:
        b7:26:b1:2b:72:53:5d:35:3e:36:0d:a9:05:ed:a5:da:32:8a:
        ca:a8:78:66:cc:25:c3:07:4f:be:0a:d1:6d:95:38:35:30:6e:
        1a:3c:21:29:0a:b7:af:c3:90:01:a7:37:50:42:b5:16:c9:36:
        a9:57


3. create in.txt file:
----------------------

[terrence@igloo /tmp]$ cat in.txt
Terrence Miao <[EMAIL PROTECTED]>

4. sign in.txt file:
--------------------

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl smime -sign -in in.txt -text -signer terrence.pem | /usr/local/ssl/bin/openssl smime -pk7out -out out.pkcs7
Enter PEM pass phrase:

[terrence@igloo /tmp]$ cat out.pkcs7
-----BEGIN PKCS7-----
[PKCS7 data omitted]
-----END PKCS7-----

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl pkcs7 -in out.pkcs7 -print_certs
subject=/C=AU/O=The University of Melbourne/0.9.2342.19200300.100.1.1=terrence/CN=Tianxi (Terrence) Miao
issuer= /C=AU/O=The University of Melbourne/OU=Certificate Authority
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----

5. verify the signature file:
-----------------------------

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl smime -verify -inform PEM -CAfile CAcert.pem -in out.pkcs7 -content in.txt
Terrence Miao <[EMAIL PROTECTED]>
Verification Failure
8835:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:765:
8835:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:256:


OpenSSL 0.9.6a is running on a RedHat 7.0 Linux box with gcc version 2.96
20000731.


Cheers,

--
Terrence Miao
The University of Melbourne                      ...   __o
+61 3 8344 0361 [EMAIL PROTECTED]        ...    -\<,
http://igloo.its.unimelb.edu.au                ... (_)/(_) ..



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
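
An added example, not part of the original post and not OpenSSL project code: a small parser for the error-queue lines shown in step 5, which rejoins mail-wrapped records and splits the 8-digit hex code into its numeric library, function and reason fields. It assumes the packed layout used by OpenSSL releases before 3.0 (8 bits library, 12 bits function, 12 bits reason); the function names are illustrative.

```python
import re

# The two records copied from step 5 of the post, with mail-style line wrapping.
SAMPLE = """\
8835:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest
failure:pk7_doit.c:765:
8835:error:21075069:PKCS7 routines:PKCS7_verify:signature
failure:pk7_smime.c:256:
"""

RECORD = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")

def rejoin_wrapped(text):
    """Undo mail wrapping: a new record always starts with '<pid>:error:'."""
    records = []
    for raw in text.splitlines():
        if re.match(r"\d+:error:", raw):
            records.append(raw.strip())
        elif records and raw.strip():
            records[-1] += " " + raw.strip()
    return records

def parse_errors(text):
    """Return one dict per error-queue record, oldest (innermost) first."""
    parsed = []
    for rec in rejoin_wrapped(text):
        m = RECORD.match(rec)
        if m is None:
            continue  # not an error-queue line
        code = int(m["code"], 16)
        parsed.append({
            "pid": int(m["pid"]),
            # Assumed pre-3.0 packing: 8-bit library, 12-bit function, 12-bit reason.
            "lib_num": code >> 24,
            "func_num": (code >> 12) & 0xFFF,
            "reason_num": code & 0xFFF,
            "lib": m["lib"], "func": m["func"], "reason": m["reason"],
            "where": f'{m["file"]}:{m["line"]}',
        })
    return parsed

def innermost(errors):
    """The queue is printed oldest first, so record 0 is where the failure began."""
    return errors[0] if errors else None

if __name__ == "__main__":
    for e in parse_errors(SAMPLE):
        print(e["func"], e["reason"], e["lib_num"], e["func_num"], e["reason_num"])
```

For the two lines above, the innermost record is the digest failure raised in PKCS7_signatureVerify, and the PKCS7_verify signature failure is its caller reporting the same event. A digest failure at that point means the digest computed over the supplied content did not match the message digest carried in the signature.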
