[openssl.org #2566] bug report: smime -verify and dsn order

2011-07-20 Thread Mailing List SVR via RT
I have a certificate (sod.pem) that openssl is unable to verify:

openssl smime -verify -in sod.pem -inform pem -noverify  sod.data
Verification failure
2538:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:378:

the problem is the dsn order:

openssl cms -cmsout -in sod.pem -inform PEM -noout -print|grep issuer:
   issuer: C=IT, O=MINISTERO DELL'INTERNO, OU=PE, CN=CERTIFICATION AUTHORITY
   issuer: CN=CERTIFICATION AUTHORITY, OU=PE, O=MINISTERO DELL'INTERNO, C=IT

the problem seems quite frequent:

http://old.nabble.com/Problem-with-verifying-of-PKCS7-structure-signed-with-ECDSA-certificate-td27717780.html

and I cannot find specifications that speak about dsn order, so I think
this is an openssl bug; some closed software is able to verify the
attached pem.

This bug is present in openssl 1.0.0d and openssl 0.9.8o; no other
versions tested.

regards
Nicola



sod.pem
Description: application/x509-ca-cert


sod.bin
Description: Binary data


Bug in smime -verify

2002-12-27 Thread Tim Tassonis
Hi all

I think I've encountered a bug in openssl smime.

I try to verify a mail signed with outlook using the option not to include
the certificate in the signature.

From what I can figure out, this should be possible with openssl using the
options:

openssl smime -verify  -signer tim.crt -in message.txt  -nointern -CAfile cas.crt

or

openssl smime -verify -noverify -signer tim.crt -in message.txt  -nointern

However, I always get the error:

2278:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:317:

It seems openssl always tries to retrieve the signer's certificate,
although I explicitly override this with -nointern.

Is this a known bug and/or even already fixed in the openssl 0.9.7 betas?


Attached is my test case.

Bye
Tim

From: Tim Tassonis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Eine sehr kurze Meldung
Date: Fri, 27 Dec 2002 21:05:21 +0100
MIME-Version: 1.0
Content-Type: multipart/signed;
protocol=application/x-pkcs7-signature;
micalg=SHA1;
boundary==_NextPart_000_000D_01C2ADEB.AAE04720
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 27 Dec 2002 20:04:18.0390 (UTC) FILETIME=[2375CF60:01C2ADE3]

This is a multi-part message in MIME format.

--=_NextPart_000_000D_01C2ADEB.AAE04720
Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Hallo Tim

Nur zum Test.
Tim

--=_NextPart_000_000D_01C2ADEB.AAE04720
Content-Type: application/x-pkcs7-signature;
name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=smime.p7s
--=_NextPart_000_000D_01C2ADEB.AAE04720--




cas.crt
Description: Binary data


tim.crt
Description: Binary data


Re: Bug in smime -verify

2002-12-27 Thread Dr. Stephen Henson
On Fri, Dec 27, 2002, Tim Tassonis wrote:

> Hi all
>
> I think I've encountered a bug in openssl smime.
>
> I try to verify a mail signed with outlook using the option not to include
> the certificate in the signature.
>
> From what I can figure out, this should be possible with openssl using the
> options:
>
> openssl smime -verify  -signer tim.crt -in message.txt  -nointern -CAfile cas.crt
>
> or
>
> openssl smime -verify -noverify -signer tim.crt -in message.txt  -nointern
>
> However, I always get the error:
>
> 2278:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:317:
>
> It seems openssl always tries to retrieve the signer's certificate,
> although I explicitly override this with -nointern.
>
> Is this a known bug and/or even already fixed in the openssl 0.9.7 betas?

As mentioned in the manual page, the -signer option when used with -verify is
the file to write the signer's certificate to. One or more possible candidate
signer certificates should be presented to the -certfile option. So if you do:

openssl smime -verify  -certfile tim.crt -in message.txt  -CAfile cas.crt

it should be OK. You don't need -nointern; that just means that it always
ignores certificates in the message. Without -nointern it will still look in
those mentioned in -certfile if the signer's certificate can't be found in the
message itself.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
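
Added example (not from the thread or the OpenSSL project): a shell script that reproduces "signer certificate not found" with a message signed using -nocerts, then verifies it with -certfile as the reply describes. The CA, signer certificate, file names and message body are constructed for the demo; it assumes an `openssl` binary with its default configuration file is on PATH.

```shell
#!/bin/sh
# Added demo; every file name, subject and the message body are constructed.

setup_demo() {
    # Throwaway CA (cas.crt) and a signer certificate issued by it.
    DEMO=$(mktemp -d) && cd "$DEMO" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout ca.key -out cas.crt 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
        -keyout signer.key -out signer.csr 2>/dev/null || return 1
    openssl x509 -req -in signer.csr -CA cas.crt -CAkey ca.key \
        -CAcreateserial -days 2 -out signer.crt 2>/dev/null || return 1
    printf 'Just a test.\n' > body.txt
    # -nocerts leaves the signer certificate out of the signature, which is
    # the situation the Outlook option in the thread produces.
    openssl smime -sign -in body.txt -text -signer signer.crt \
        -inkey signer.key -nocerts -out message.txt 2>/dev/null
}

# Form from the question: -signer (an output file under -verify) plus
# -nointern, so no candidate signer certificate is supplied at all.
verify_signer_only() {
    openssl smime -verify -in message.txt -signer out.crt -nointern \
        -CAfile cas.crt -out verified.txt 2>err.txt
}

# Form from the reply: the candidate certificate goes to -certfile;
# -signer now receives a copy of the certificate that verified.
verify_with_certfile() {
    openssl smime -verify -in message.txt -certfile signer.crt \
        -signer out.crt -CAfile cas.crt -out verified.txt 2>err.txt
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint; }

setup_demo || { echo "setup failed" >&2; exit 1; }
if verify_signer_only; then
    echo "-signer only: verified (unexpected)"
else
    echo "-signer only: failed: $(grep -o 'signer certificate not found' err.txt)"
fi
if verify_with_certfile; then
    echo "-certfile: verified; out.crt is the signer: $(fingerprint out.crt)"
else
    echo "-certfile: failed (unexpected)"
fi
```

The script leaves its temporary directory in place so the generated message and certificates can be inspected afterwards.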