Hello there, thanks for taking the time to help!

> Have you tried the -binary option too?

Yes, I have tried using binary... to no avail!

I have now gone back to basics and written a short web page that just
asks for a signature and then writes the signature (with -----BEGIN
PKCS7----- header and footer) to a file. The content of the signature
is very simple with no CR/LF.

I use Firefox on a Linux box to sign the form.

I then try to verify the signature using:

openssl smime -verify -binary -inform PEM -in /tmp/sig95552 -CAfile development_cm.pem -content test_content.txt
 
and get the result:

[EMAIL PROTECTED] sbs]$ openssl smime -verify -binary -inform PEM -in /tmp/sig95552 -CAfile development_cm.pem -content test_content.txt
sign test
Verification failure
20036:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:804:
20036:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:265:

> I had no problems verifying signatures from the old signText function.

Did you use the same openssl command as above?
 
> If you look at the PKCS#7 structure using:
> 
> openssl asn1parse -in p7.pem

OK...

> and look for a line with 'messageDigest' and an OCTET STRING following it that
> will give you the message digest value the content should be.

[EMAIL PROTECTED] sbs]$ openssl asn1parse -in /tmp/sig95552

---snip---

 2916:d=7  hl=2 l=   9 prim: OBJECT            :signingTime
 2927:d=7  hl=2 l=  15 cons: SET
 2929:d=8  hl=2 l=  13 prim: UTCTIME           :050526085914Z
 2944:d=6  hl=2 l=  35 cons: SEQUENCE
 2946:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest
 2957:d=7  hl=2 l=  22 cons: SET
 2959:d=8  hl=2 l=  20 prim: OCTET STRING
 2981:d=5  hl=2 l=  13 cons: SEQUENCE
 2983:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
 2994:d=6  hl=2 l=   0 prim: NULL
 2996:d=5  hl=3 l= 128 prim: OCTET STRING

These are the last few lines. I can see the messageDigest line; how
would I interpret the OCTET STRING?

I am sure I am missing something here; I am sure this should be simple!

Thanks again for your help.

Chris...
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
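
One way to act on the messageDigest hint discussed above, as an added example that is not part of the original post or of OpenSSL: read the signed digest out of `openssl asn1parse` output and compare it with the hash of a few candidate byte encodings of the content. It assumes the OCTET STRING line carries a `[HEX DUMP]:` value, infers the hash algorithm from the digest length (20 bytes is taken as SHA-1), and the candidate encodings and sample text are constructed guesses.

```python
import hashlib
import re

# messageDigest OID line, its SET wrapper, then the OCTET STRING value.
# Assumes asn1parse printed the value as "[HEX DUMP]:<hex>".
DIGEST_RE = re.compile(
    r":messageDigest\s*\n.*?cons: SET\s*\n"
    r".*?prim: OCTET STRING\s+\[HEX DUMP\]:([0-9A-Fa-f]+)"
)
ALGO_BY_LENGTH = {16: "md5", 20: "sha1", 32: "sha256"}  # digest size in bytes

def signed_digest(asn1parse_text):
    """Return the messageDigest attribute value from asn1parse output as bytes."""
    m = DIGEST_RE.search(asn1parse_text)
    if m is None:
        raise ValueError("no messageDigest attribute with a hex dump found")
    return bytes.fromhex(m.group(1))

def candidate_encodings(text):
    """Hypothetical byte strings the signer may have hashed (guesses, not a spec)."""
    stripped = text.rstrip("\r\n")
    crlf = text.replace("\r\n", "\n").replace("\n", "\r\n")
    return {
        "as-is": text.encode("utf-8"),
        "no trailing newline": stripped.encode("utf-8"),
        "CRLF line endings": crlf.encode("utf-8"),
    }

def diagnose(asn1parse_text, content_text):
    """List the candidate encodings whose digest equals the signed messageDigest."""
    digest = signed_digest(asn1parse_text)
    algo = ALGO_BY_LENGTH.get(len(digest))
    if algo is None:
        raise ValueError(f"unexpected digest length {len(digest)}")
    return [name for name, data in candidate_encodings(content_text).items()
            if hashlib.new(algo, data).digest() == digest]

# Constructed sample: a signer that hashed "sign test" without a trailing newline.
SAMPLE = (
    " 2946:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest\n"
    " 2957:d=7  hl=2 l=  22 cons: SET\n"
    " 2959:d=8  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:"
    + hashlib.sha1(b"sign test").hexdigest().upper() + "\n"
)

if __name__ == "__main__":
    # test_content.txt as an editor would save it, with a final newline
    print(diagnose(SAMPLE, "sign test\n"))
```

An empty result means none of the candidates matches what was signed, so the content file differs from the signed text in some other way.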
