On Mon, Jan 07, 2013, Massimiliano Masi wrote:

> Hello All,
>
> I am facing some issues with 1.0.1c and 0.9.8r (default of Mac OS X).
>
> max@spirit6 ~/ $ openssl
> OpenSSL> version
> OpenSSL 0.9.8r 8 Feb 2011
> OpenSSL> max@spirit6 ~/ $ ./openssl
> OpenSSL> version
> OpenSSL 1.0.1c 10 May 2012
> OpenSSL>
>
> As you can see, if I try to sign the following:
>
> max@spirit6 ~/ $ cat message.txt
> Hi, This is an encrypted message
>
> max@spirit6~/Documents/workspace_2.5/SpiritDirectClient/test/testData/openssl-interop
> $ ./openssl smime -sign -in message.txt -out message.txt.signed -signer cert.pem -inkey key.pem
> max@spirit6~/Documents/workspace_2.5/SpiritDirectClient/test/testData/openssl-interop
> $ cat message.txt.signed | grep Content-Type
> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----15AF590F4F2CE14F1BD8D5A914A69A20"
> Content-Type: application/x-pkcs7-signature; name="smime.p7s"
>
> The file obtained with 1.0.1c contains the wrong Content-Type (it SHOULD be without x-, AFAIK).
>
> If I do the same with 0.9.8r, I have a correct Content-Type:
>
> max@spirit6~/Documents/workspace_2.5/SpiritDirectClient/test/testData/openssl-interop
> $ openssl smime -sign -in message.txt -out message.txt.signed -signer cert.pem -inkey key.pem
> max@spirit6~/Documents/workspace_2.5/SpiritDirectClient/test/testData/openssl-interop
> $ cat message.txt.signed | grep Content-Type
> Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="----D9D7BC3E20B4CA6A5984C900395DC5A6"
> Content-Type: application/pkcs7-signature; name="smime.p7s"
> max@spirit6~/Documents/workspace_2.5/SpiritDirectClient/test/testData/openssl-interop
> $ ./openssl smime -sign -in message.txt -out message.txt.signed -signer cert.pem -inkey key.pem
>

It's actually a bug in OpenSSL 0.9.8. The x- version was retained for compatibility with some older software and the option -nooldmime to the smime utility uses the standard version with the x-. However due to a bug in 0.9.8 the opposite happens. So if you specify -nooldmime in 1.0 and later you'll get the version without the x-.

> When verifying I have different behaviors:
>
> max@spirit6~/Documents/workspace_2.5/SpiritDirectClient/test/testData/openssl-interop
> $ ./openssl smime -verify -CApath cacert.pem -in message.txt.signed
> Verification failure
> 2897402476:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:342:Verify error:unable to get local issuer certificate
> max@spirit6~/Documents/workspace_2.5/SpiritDirectClient/test/testData/openssl-interop
> $ openssl smime -verify -CApath cacert.pem -in message.txt.signed
> Hi, This is an encrypted message
> Verification successful
>

That's expected with the -CApath option. OpenSSL 1.0.0 uses a different hash format so you need to call c_rehash or equivalent with 1.0.0 on that directory for it to work.

>
> None of them can be verified with Java (due to an invalid hash value).
>
> Do you have suggestions?
>

The output you're creating isn't in valid MIME format because there are no MIME headers in the signed portion. Either supply data to be signed including MIME headers or use the -text option for plain text input.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [email protected]
Automated List Manager                             [email protected]
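As an added illustration (not code from the thread or from OpenSSL), the following Python lint checks a `multipart/signed` message for the two interop problems discussed above: the legacy `x-` protocol label and a signed part that carries no MIME headers. The sample message is constructed from the boundary and labels quoted in the thread; the base64 signature blob is a placeholder.

```python
import email
import re
from email import policy

# Constructed sample modelled on the thread's 1.0.1c `smime -sign` output for
# plain-text input: legacy "x-" labels and a signed part with no MIME headers.
# The base64 blob is a placeholder, not a real PKCS#7 signature.
LEGACY_NO_HEADERS = """\
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----15AF590F4F2CE14F1BD8D5A914A69A20"

------15AF590F4F2CE14F1BD8D5A914A69A20
Hi, This is an encrypted message

------15AF590F4F2CE14F1BD8D5A914A69A20
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
------15AF590F4F2CE14F1BD8D5A914A69A20--
"""

# The same message as -nooldmime plus -text would emit it: standard labels
# and a text/plain header on the signed part.
FIXED = LEGACY_NO_HEADERS.replace("x-pkcs7", "pkcs7").replace(
    "\nHi, This", "\nContent-Type: text/plain\n\nHi, This")

HEADER_LINE = re.compile(r"^[!-9;-~]+:")  # RFC 5322 field name followed by ':'


def lint_smime(raw: str) -> list:
    """Return the interop problems found in a multipart/signed message."""
    problems = []
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return ["top-level Content-Type is not multipart/signed"]
    protocol = msg.get_param("protocol") or ""
    if protocol.startswith("application/x-"):
        problems.append("legacy protocol label %r (RFC 2311 name has no x-)" % protocol)
    # Split on the delimiter ourselves so a header-less part is seen exactly as
    # a strict verifier would see it; drop the preamble and closing epilogue.
    parts = raw.split("--" + msg.get_boundary())[1:-1]
    if len(parts) != 2:
        return problems + ["expected 2 body parts, found %d" % len(parts)]
    if not HEADER_LINE.match(parts[0].lstrip("\r\n")):
        problems.append("signed part has no MIME headers (use -text or MIME input)")
    sig = email.message_from_string(parts[1].lstrip("\r\n"), policy=policy.default)
    if sig.get_content_type() != protocol:  # RFC 1847: second part must match
        problems.append("signature part is %r, protocol says %r"
                        % (sig.get_content_type(), protocol))
    return problems
```

Running `lint_smime` over a real `message.txt.signed` shows before verification whether the file has the shape a strict S/MIME parser expects.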
