PKCS7 signature verification fails

2007-02-07 Thread Jean-Claude Repetto
Hi,

I am trying to use openssl to sign documents and store detached
signatures in PKCS7 format.
First, I sign the document:
 openssl smime -sign -in document.txt -out document.txt.sign -signer certs/jcr.crt -certfile certs/ca.crt -inkey private/jcr.key

When I check the signature, it is OK:
 openssl smime -verify -CAfile certs/ca.crt -in document.txt.sign > /dev/null
 Verification successful

Then I create a PKCS7 structure:
 openssl smime -pk7out -in document.txt.sign -out document.txt.pkcs7

But the verification fails:
 openssl smime -verify -CAfile certs/ca.crt -inform PEM -content document.txt -in document.txt.pkcs7 > /dev/null
 Verification failure
 30871:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:928:
 30871:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:299:

Does somebody have an idea of what is wrong?

Thanks,
Jean-Claude
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: PKCS7 signature verification fails

2007-02-07 Thread Dr. Stephen Henson
On Wed, Feb 07, 2007, Jean-Claude Repetto wrote:

> Hi,
>
> I am trying to use openssl to sign documents and store detached
> signatures in PKCS7 format.
> First, I sign the document:
>  openssl smime -sign -in document.txt -out document.txt.sign -signer certs/jcr.crt -certfile certs/ca.crt -inkey private/jcr.key
>
> When I check the signature, it is OK:
>  openssl smime -verify -CAfile certs/ca.crt -in document.txt.sign > /dev/null
>  Verification successful
>
> Then I create a PKCS7 structure:
>  openssl smime -pk7out -in document.txt.sign -out document.txt.pkcs7
>
> But the verification fails:
>  openssl smime -verify -CAfile certs/ca.crt -inform PEM -content document.txt -in document.txt.pkcs7 > /dev/null
>  Verification failure
>  30871:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:928:
>  30871:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:299:
>
> Does somebody have an idea of what is wrong?
>

The text being signed gets translated into canonical format before the
signature is calculated or verified when the format is SMIME.

If you output the content in the working smime -verify command and check the
signature against that it should be OK.

Alternatively use smime -sign with the -outform PEM and -binary options to
generate the signature and no translation will occur.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
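
Added example (not part of either post): a script that reproduces the digest failure from this thread and checks both remedies given in the reply. The self-signed certificate, the two-line document and the file names key.pem, cert.pem, canonical.txt and document.txt.p7s are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway key, certificate and document are constructed here.

setup_demo() {
    cd "$(mktemp -d)" || return 1
    printf 'first line\nsecond line\n' > document.txt    # LF line endings
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=smime-demo' \
        -keyout key.pem -out cert.pem 2>/dev/null
}

# Verify detached PEM PKCS#7 signature $1 against content file $2.
verify_detached() {
    openssl smime -verify -CAfile cert.pem -inform PEM -in "$1" \
        -content "$2" >/dev/null 2>&1
}

# The thread's sequence: S/MIME signing, then -pk7out. The signed digest
# covers the canonical (CRLF) text, not the LF file on disk.
sign_smime_then_pk7out() {
    openssl smime -sign -in document.txt -signer cert.pem -inkey key.pem \
        -out document.txt.sign &&
    openssl smime -pk7out -in document.txt.sign -out document.txt.pkcs7
}

# Remedy 1: save the content as the working S/MIME verify outputs it.
extract_canonical() {
    openssl smime -verify -CAfile cert.pem -in document.txt.sign \
        -out canonical.txt 2>/dev/null
}

# Remedy 2: sign with -binary -outform PEM so no translation occurs.
sign_binary_pem() {
    openssl smime -sign -binary -outform PEM -in document.txt \
        -signer cert.pem -inkey key.pem -out document.txt.p7s
}

report() {  # $1 = label, $2 = signature file, $3 = content file
    if verify_detached "$2" "$3"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}

run_demo() {
    setup_demo && sign_smime_then_pk7out && extract_canonical &&
        sign_binary_pem || return 1
    report "S/MIME-derived signature vs original file " document.txt.pkcs7 document.txt
    report "S/MIME-derived signature vs canonical copy" document.txt.pkcs7 canonical.txt
    report "-binary PEM signature vs original file    " document.txt.p7s document.txt
}

run_demo
```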