Thanks for that advice. Your suggestion led me to try the -nodetach option on both the verify and the sign operation, and I can vouch for success.
I think my confusion stems from two places:
- I didn't see enough of the definitions of terms to quite understand what "opaque signing" was.
- Some of the documents aren't quite as clear as they could be about possible data formats. For example, I initially confused the data formats taken by the "rsautl" function (they need raw keys) and "dgst" and "smime", which need certificates or other formats.

I'm sure it's just that I'm sort of new to this. Thanks for your efforts.

At 05:03 PM 11/11/2001 +0000, you wrote:
>david wrote:
> >
> > Folks
> >
> > As part of an exploration, I have used the openssl command line tool in
> > Redhat 7.1 and successfully:
> > - created a self-signed ca cert
> > - created an end-entity cert
> > - Using openssl smime, I've signed a text message.
> > - Using openssl smime, I've verified the text message
> > And that took some doing (the docs are far from clear).
> >
>
>In what way aren't the docs clear? There are extensive examples in the
>smime manual page.
>
> > I am unable to do this, however, with a binary file. I tried to append the
> > word "-binary" to my
> > openssl smime -sign ....
> > command, but the verification step always fails with a message digest
> > error. The exact message that shows up is:
> >
> > 5644:error:21071065:PKCS7
> > routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:762
> > followed by another message about verify failure.
> >
> > Is there a way to use the command line tool for signing binary data?
> >
>
>Since you haven't included the complete command line I'm assuming you
>are using the default cleartext MIME format. This may have problems with
>binary data. You may have more luck using opaque signing (the -nodetach
>option) or using DER or PEM format and either distributing the signed
>content separately or including it with the signature (again the
>-nodetach option).
>
>Steve.
>--
>Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
>Personal Email: [EMAIL PROTECTED]
>Senior crypto engineer, Gemplus: http://www.gemplus.com/
>Core developer of the OpenSSL project: http://www.openssl.org/
>Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    [EMAIL PROTECTED]
>Automated List Manager                           [EMAIL PROTECTED]
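
The opaque-signing round trip discussed in this thread, as an added example that is not part of the original messages: it signs a constructed binary payload with -binary and -nodetach in DER format, verifies it, and checks that the recovered bytes match. The file names, the throwaway self-signed certificate and its subject name are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: opaque (-nodetach) signing of binary data with "openssl smime".
# All file names and the certificate subject are constructed for this demo.

roundtrip_opaque() {
    work=$(mktemp -d) || return 1
    rc=0
    (
        cd "$work" || exit 1

        # Throwaway self-signed signer certificate (demo only, valid one day).
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=smime-demo-signer" \
            -keyout signer.key -out signer.pem 2>/dev/null || exit 1

        # Constructed binary input: NUL, CRLF, bare LF, bare CR and a high
        # byte, i.e. bytes that text canonicalisation would alter.
        printf 'BIN\000\r\n\n\r\377\001tail' > payload.bin

        # -binary   : do not convert line endings before signing
        # -nodetach : embed the content in the PKCS#7 structure (opaque signing)
        # -outform DER : plain DER output, no MIME wrapper
        openssl smime -sign -binary -nodetach -outform DER \
            -in payload.bin -signer signer.pem -inkey signer.key \
            -out payload.p7s || exit 1

        # Verify the signature and extract the embedded content.
        # -CAfile makes the self-signed demo certificate the trust anchor.
        openssl smime -verify -inform DER -in payload.p7s \
            -CAfile signer.pem -out recovered.bin 2>/dev/null || exit 1

        # The recovered bytes must be identical to the original payload.
        cmp -s payload.bin recovered.bin
    ) || rc=$?
    rm -rf "$work"
    return "$rc"
}
```
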