On 4 Jul 2011, at 7:47 AM, Roland Flury wrote:

> At the moment I use the PHP function openssl_pkcs7_verify() to verify
> the signature (I also could use the openssl command line tool with a
> system command). But verify is not enough, because I need to send back
> the digest.
>
> Is there any way to extract the digest from the signature? I couldn't
> find a solution for that after hours of searching the internet and all
> my encryption books.

Not using the command-line tools, I think. You could write a simple C program to parse the signature (d2i_PKCS7_fp()) and look through the authenticated attributes of the PKCS7_SIGNER_INFO structures for a pkcs-9-at-messageDigest attribute. It's optional, but I think most signing tools include it. See RFC2318 (PKCS#7, which S/MIME uses) and RFC2985 (PKCS#9).

Alternately you could just compute the message digest a second time.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
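
The attribute lookup suggested in the reply above, as an added example that is not part of the original thread: instead of d2i_PKCS7_fp() it uses a small hand-written walker for definite-length DER, so it builds without OpenSSL, and it runs on a constructed attribute fragment. The names find_message_digest, tlv_header, MD_OID and SAMPLE_ATTRS and the sample bytes are made up for this example.

```c
#include <stddef.h>
#include <string.h>
/* DER encoding of the pkcs-9-at-messageDigest OID, 1.2.840.113549.1.9.4 */
static const unsigned char MD_OID[] = {0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x04};
/* Constructed sample: authenticatedAttributes [0] = { contentType: data, messageDigest: 20 bytes } */
static const unsigned char SAMPLE_ATTRS[] = { 0xA0,0x3F,
    0x30,0x18, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x03,
    0x31,0x0B, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,
    0x30,0x23, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x04,
    0x31,0x16, 0x04,0x14,
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,
    0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,0x10,0x11,0x12,0x13 };

/* Parse one definite-length TLV header; returns header size, or 0 if malformed/unsupported. */
static size_t tlv_header(const unsigned char *p, size_t len, size_t *clen) {
    size_t n, v = 0, i;
    if (len < 2 || (p[0] & 0x1F) == 0x1F) return 0;   /* truncated, or multi-byte tag */
    if (p[1] < 0x80) { *clen = p[1]; return *clen <= len - 2 ? 2 : 0; }
    n = p[1] & 0x7F;                                  /* long form: n length octets */
    if (n == 0 || n > sizeof(size_t) || n > len - 2) return 0;  /* BER indefinite or oversized */
    for (i = 0; i < n; i++) v = (v << 8) | p[2 + i];
    *clen = v;
    return v <= len - 2 - n ? 2 + n : 0;
}

/* Depth-first walk: at the first Attribute SEQUENCE whose type is messageDigest, point *md at
   the OCTET STRING inside its SET. Returns 1 found, 0 not present, -1 malformed. */
int find_message_digest(const unsigned char *p, size_t len, const unsigned char **md, size_t *mdlen) {
    while (len > 0) {
        size_t clen, h = tlv_header(p, len, &clen);
        const unsigned char *c = p + h;
        if (h == 0) return -1;
        if (p[0] == 0x30 && clen > sizeof MD_OID && memcmp(c, MD_OID, sizeof MD_OID) == 0) {
            const unsigned char *s = c + sizeof MD_OID;          /* SET OF AttributeValue */
            size_t setlen, h2 = tlv_header(s, clen - sizeof MD_OID, &setlen), h3;
            if (h2 == 0 || s[0] != 0x31) return -1;
            h3 = tlv_header(s + h2, setlen, mdlen);
            if (h3 == 0 || s[h2] != 0x04) return -1;
            *md = s + h2 + h3;
            return 1;
        }
        if (p[0] & 0x20) {                                       /* constructed: descend */
            int r = find_message_digest(c, clen, md, mdlen);
            if (r != 0) return r;
        }
        p = c + clen;
        len -= h + clen;
    }
    return 0;
}
```

The walker checks structure only, so call it on a message that has already passed verification (for example with openssl_pkcs7_verify()). It returns the first matching attribute, which for a message with several signers is the first signer's digest.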