I'm having a problem generating a signed SMIME message. I have to interface with a CAC card reader that implements a subset of the pkcs11 standard. I pass the message to the card API and it returns a signed digest and now I need to pass this signed digest to openSSL to create the SMIME message.
The approach I've taken is copying and pasting internal openSSL functions that create the signed PKCS7 object (PKCS7_dataFinal, PKCS7_add_signature, etc) and took out the code that uses the private key and replaced it with code that inserts the signed digest into the PKCS7_SIGNER_INFO taken from the PKCS7 object (p7->d.sign->signer_info). I'm using openSSL-fips-1.2.3.

When I do this I get what appears to be a valid signed SMIME message, but when I run it through openSSL on the command line I get a "header too long" in the decoding of the asn1:

$ openssl smime -verify -in test19.smime -noverify
"Doug Sauder" <d...@example.com>
To: "Jrgen Schmxen" <schmuer...@example.com>
Subject: Die Hasen und die Frsche (Microsoft Outlook 00)
Date: Wed, 17 May 2000 19:08:29 -0400
Message-ID: <ndbbiakopkhfgplcodigiekbchaa.d...@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300

bghrbjfd
Verification failure
72708:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/crypto/asn1/asn1_lib.c:150:
72708:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/crypto/asn1/tasn_dec.c:1302:
72708:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/crypto/asn1/tasn_dec.c:379:Type=X509_SIG
72708:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/crypto/pkcs7/pk7_doit.c:978:
72708:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/crypto/pkcs7/pk7_smime.c:312:

I'm trying to understand what is causing this error, and how to fix it.
But I also wanted to check with the newsgroup whether this approach is the best way to bridge the CAC card reader with openSSL. Has anyone on here dealt with smart card integration? We've gotten encryption/decryption working with this approach.

This is the card reader we're using: http://www.biometricassociates.com/reader.html
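The trace fails while decoding Type=X509_SIG, which is the DigestInfo structure that OpenSSL's RSA verification decodes from a PKCS #1 v1.5 signature block. The C code below is an added illustration, not part of the original post and not OpenSSL code: it builds that structure for a SHA-1 digest and checks whether a recovered signature block carries it or only a bare digest. The function names are hypothetical, and SHA-1 and the bare-digest case are assumptions, since the post does not say what the card's signing call hashes, pads or wraps.

```c
#include <stddef.h>
#include <string.h>

#define SHA1_LEN 20
/* DER header of DigestInfo for SHA-1:
 * SEQUENCE { AlgorithmIdentifier sha1, OCTET STRING (20 bytes) } */
static const unsigned char SHA1_DI_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
#define SHA1_DI_LEN (sizeof SHA1_DI_PREFIX + SHA1_LEN)

enum payload_kind { PAYLOAD_INVALID, PAYLOAD_DIGESTINFO_SHA1, PAYLOAD_BARE_DIGEST };

/* Build the bytes a raw PKCS #1 v1.5 signing primitive should be given
 * (hypothetical helper). Returns bytes written, or 0 if out is too small. */
size_t wrap_sha1_digest(const unsigned char *digest, unsigned char *out, size_t outlen)
{
    if (outlen < SHA1_DI_LEN)
        return 0;
    memcpy(out, SHA1_DI_PREFIX, sizeof SHA1_DI_PREFIX);
    memcpy(out + sizeof SHA1_DI_PREFIX, digest, SHA1_LEN);
    return SHA1_DI_LEN;
}

/* em: block recovered by applying the public key to the signature, with the
 * leading 0x00 kept so emlen equals the modulus length.
 * Layout: 00 01 FF..FF 00 payload, with at least eight FF bytes. */
enum payload_kind classify_recovered_block(const unsigned char *em, size_t emlen)
{
    size_t i = 2;

    if (emlen < 11 || em[0] != 0x00 || em[1] != 0x01)
        return PAYLOAD_INVALID;
    while (i < emlen && em[i] == 0xff)
        i++;
    if (i < 10 || i == emlen || em[i] != 0x00)
        return PAYLOAD_INVALID;
    i++;                                   /* skip the 0x00 separator */
    if (emlen - i == SHA1_DI_LEN &&
        memcmp(em + i, SHA1_DI_PREFIX, sizeof SHA1_DI_PREFIX) == 0)
        return PAYLOAD_DIGESTINFO_SHA1;    /* decodes as DigestInfo */
    if (emlen - i == SHA1_LEN)
        return PAYLOAD_BARE_DIGEST;        /* hash signed without DigestInfo */
    return PAYLOAD_INVALID;
}
```

A block classified as PAYLOAD_BARE_DIGEST has no ASN.1 header at all, so a verifier that expects DigestInfo reads the first hash bytes as a tag and length and rejects them.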