On Thu, Oct 11, 2012, redpath wrote: > > I have a PKCS7 file with signature in the envelope. > What API function can I use to open the PKCS7 to extract the signature data > and length > and then verify the message digest? The verify is shown below assuming I got > the signature > data and length. > > int rc = ECDSA_verify(0, md, 20, signaturedata, signaturelength, pubeckey); > > Kinda hard to find the right functions which seems to be a pretty common > thing. > I did search the forum for this. >
It is not a good idea to try and verify the PKCS#7 signature manually as the signature is (usually) not the digest of the contents. Instead the content digest is contained in a set of attributes and the signature is performed on the digest of the attributes. PKCS7_verify or CMS_verify will both perform the necessary operations along with the cms and smime command line options. See the manual pages for more details there are also demo programs in demos/smime and demos/cms. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org