G'day OpenSSL users,

I am involved in a project to use OpenSSL to sign mail with a personal certificate and verify it with the CA's one. I did it according to the steps in the OpenSSL smime document. But I just can't figure out what's wrong with what I've done, as the signature verification keeps failing.

The following are the detailed steps of what I did:

1. get CA certificate:
----------------------

[terrence@igloo /tmp]$ cat CAcert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl x509 -noout -text -in CAcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 423 (0x1a7)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, O=The University of Melbourne, OU=Certificate Authority
        Validity
            Not Before: Apr 26 04:00:00 2000 GMT
            Not After : Apr 26 04:00:00 2003 GMT
        Subject: C=AU, O=The University of Melbourne, OU=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:B8:B7:F2:93:BD:17:09:A1:5F:96:A1:F8:98:3B:B9:7C:BA:F6:71:68
            X509v3 Subject Key Identifier:
                B8:B7:F2:93:BD:17:09:A1:5F:96:A1:F8:98:3B:B9:7C:BA:F6:71:68
    Signature Algorithm: md5WithRSAEncryption

2. export personal certificate issued by Melbourne University CA to terrence.p12. Then convert terrence.p12 to terrence.pem format:
----------------------------------------------------------------------------------

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl pkcs12 -in terrence.p12 -out terrence.pem -clcerts
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

[terrence@igloo /tmp]$ cat terrence.pem
Bag Attributes
    friendlyName: Tianxi (Terrence) Miao's The University of Melbourne ID
    localKeyID: <for security reasons I can't publish here, blah, blah...>
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1EBD651FAD388C26

for security reasons I can't publish here, blah, blah...
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: Tianxi (Terrence) Miao's The University of Melbourne ID
    localKeyID: <for security reasons I can't publish here, blah, blah...>
subject=/C=AU/O=The University of Melbourne/0.9.2342.19200300.100.1.1=terrence/CN=Tianxi (Terrence) Miao
issuer= /C=AU/O=The University of Melbourne/OU=Certificate Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl x509 -noout -text -in terrence.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 863 (0x35f)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, O=The University of Melbourne, OU=Certificate Authority
        Validity
            Not Before: Oct 23 03:10:56 2000 GMT
            Not After : Oct 23 03:10:56 2001 GMT
        Subject: C=AU, O=The University of Melbourne/0.9.2342.19200300.100.1.1=terrence, CN=Tianxi (Terrence) Miao
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL Client, S/MIME
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Authority Key Identifier:
                keyid:B8:B7:F2:93:BD:17:09:A1:5F:96:A1:F8:98:3B:B9:7C:BA:F6:71:68
    Signature Algorithm: md5WithRSAEncryption

3. create in.txt file:
----------------------

[terrence@igloo /tmp]$ cat in.txt
Terrence Miao <[EMAIL PROTECTED]>

4. sign in.txt file:
--------------------

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl smime -sign -in in.txt -text -signer terrence.pem | /usr/local/ssl/bin/openssl smime -pk7out -out out.pkcs7
Enter PEM pass phrase:

[terrence@igloo /tmp]$ cat out.pkcs7
-----BEGIN PKCS7-----
-----END PKCS7-----

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl pkcs7 -in out.pkcs7 -print_certs
subject=/C=AU/O=The University of Melbourne/0.9.2342.19200300.100.1.1=terrence/CN=Tianxi (Terrence) Miao
issuer= /C=AU/O=The University of Melbourne/OU=Certificate Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

5. verify the signature file:
-----------------------------

[terrence@igloo /tmp]$ /usr/local/ssl/bin/openssl smime -verify -inform PEM -CAfile CAcert.pem -in out.pkcs7 -content in.txt
Terrence Miao <[EMAIL PROTECTED]>
Verification Failure
8835:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:765:
8835:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:256:

OpenSSL 0.9.6a is running on a RedHat 7.0 Linux box with gcc version 2.96 20000731.

Cheers,

--
Terrence Miao                 The University of Melbourne
...     __o                   +61 3 8344 0361 [EMAIL PROTECTED]
...   -\<,                    http://igloo.its.unimelb.edu.au
... (_)/(_)
..
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
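
The sign/verify sequence from steps 4 and 5, rebuilt with throwaway keys as an added example (not part of the original post or of OpenSSL's documentation); it reports which bytes the signature digest covers in three cases. The file names, subjects, `min.cnf` and the separate `-inkey` key file are assumptions, and a current `openssl` is expected on the PATH.

```shell
#!/bin/sh
# Added example: every key, name and address below is a throwaway, constructed value.
smime_roundtrip() (
    d=$(mktemp -d) && cd "$d" || exit 1
    # Minimal config so `openssl req` does not depend on a system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3ca' \
        '[dn]' 'CN=unused' '[v3ca]' 'basicConstraints=critical,CA:TRUE' > min.cnf
    {
        openssl req -x509 -config min.cnf -newkey rsa:2048 -nodes -days 2 \
            -subj '/O=Example Org/OU=Test CA' -keyout ca.key -out ca.pem &&
        openssl req -new -config min.cnf -newkey rsa:2048 -nodes \
            -subj '/O=Example Org/CN=Test Signer' \
            -keyout signer.key -out signer.csr &&
        openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 2 -out signer.pem
    } >/dev/null 2>&1 || exit 1
    printf 'Test User <user@example.org>\n' > in.txt
    verify() {
        openssl smime -verify -CAfile ca.pem "$@" >/dev/null 2>&1 \
            && echo OK || echo FAIL
    }

    # Case 1, the flow in the post: sign with -text, extract the PKCS#7, then
    # verify it against the raw file. The digest was taken over the text/plain
    # MIME header plus the CRLF-canonicalised body, not over in.txt's bytes.
    openssl smime -sign -text -in in.txt -signer signer.pem -inkey signer.key \
        -out msg.eml 2>/dev/null
    openssl smime -pk7out -in msg.eml -out out.pkcs7 2>/dev/null
    raw=$(verify -inform PEM -in out.pkcs7 -content in.txt)

    # Case 2: verify the S/MIME message itself, which carries the signed bytes.
    msg=$(verify -in msg.eml -text)

    # Case 3: detached signature over the exact file bytes (-binary, no -text).
    openssl smime -sign -binary -in in.txt -signer signer.pem -inkey signer.key \
        -outform PEM -out sig.pem 2>/dev/null
    bin=$(verify -binary -inform PEM -in sig.pem -content in.txt)

    cd / && rm -rf "$d"
    echo "text_sig_vs_raw_file=$raw smime_message=$msg binary_detached=$bin"
)

smime_roundtrip
```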