On Wed, Feb 07, 2007, Jean-Claude Repetto wrote:

> Hi,
>
> I am trying to use openssl to sign documents and store detached
> signatures in PKCS7 format.
> First, I sign the document :
> openssl smime -sign -in document.txt -out document.txt.sign -signer
> certs/jcr.crt -certfile certs/ca.crt -inkey private/jcr.key
>
> When I check the signature, it is OK :
> openssl smime -verify -CAfile certs/ca.crt -in document.txt.sign
> >/dev/null
> Verification successful
>
> Then I create a PKCS7 structure :
> openssl smime -pk7out -in document.txt.sign -out document.txt.pkcs7
>
> But the verification fails :
> openssl smime -verify -CAfile certs/ca.crt -inform PEM -content
> document.txt -in document.txt.pkcs7 >/dev/null
> Verification failure
> 30871:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest
> failure:pk7_doit.c:928:
> 30871:error:21075069:PKCS7 routines:PKCS7_verify:signature
> failure:pk7_smime.c:299:
>
> Somebody has an idea of what is wrong ?
>

The text being signed gets translated into canonical format before the
signature is calculated or verified when the format is SMIME.

If you output the content in the working smime -verify command and check
the signature against that it should be OK.

Alternatively use smime -sign with the -outform PEM and -binary options to
generate the signature and no translation will occur.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
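
The failure and both suggestions from the reply, reproduced end to end as an added example (not part of the original thread). It assumes an `openssl` binary on the PATH; the throwaway self-signed signer, the two-line document and the file names `signer.key`, `signer.crt`, `canonical.txt` and `document.txt.p7s` are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo: throwaway self-signed signer and a two-line LF-terminated
# document. File names other than document.txt* are assumptions for the demo.

setup() {
    WORK=$(mktemp -d) && cd "$WORK" || return 1
    printf 'first line\nsecond line\n' > document.txt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo signer' \
        -keyout signer.key -out signer.crt 2>/dev/null
}

# Verify a detached PEM PKCS#7 signature ($1) over the content file ($2).
verify_detached() {
    openssl smime -verify -CAfile signer.crt -inform PEM \
        -in "$1" -content "$2" >/dev/null 2>&1
}

# The thread's workflow: the S/MIME signer digests the canonical form of the
# text, so the extracted PKCS#7 does not match document.txt as stored on disk.
smime_sign_then_pk7out() {
    openssl smime -sign -in document.txt -out document.txt.sign \
        -signer signer.crt -inkey signer.key 2>/dev/null &&
    openssl smime -pk7out -in document.txt.sign -out document.txt.pkcs7 &&
    verify_detached document.txt.pkcs7 document.txt
}

# First suggestion: write out the content from the working S/MIME verify and
# check the PKCS#7 structure against that file instead.
verify_against_smime_output() {
    openssl smime -verify -CAfile signer.crt -in document.txt.sign \
        -out canonical.txt 2>/dev/null &&
    verify_detached document.txt.pkcs7 canonical.txt
}

# Second suggestion: sign with -binary -outform PEM so no translation occurs
# and the signature covers the bytes on disk.
binary_pem_sign() {
    openssl smime -sign -binary -outform PEM -in document.txt \
        -out document.txt.p7s -signer signer.crt -inkey signer.key 2>/dev/null &&
    verify_detached document.txt.p7s document.txt
}

report() { if "$2"; then echo "$1: verified"; else echo "$1: failed"; fi; }
setup || exit 1
report "smime sign + pk7out, original file" smime_sign_then_pk7out
report "pk7out, content from smime -verify" verify_against_smime_output
report "-binary -outform PEM, original file" binary_pem_sign
```

Comparing `document.txt` with `canonical.txt` (for example with `cmp`) shows the difference that changes the digest: the canonical copy uses CRLF line endings.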