On Thu, Sep 28, 2017, ch wrote:

> Hello!
>
> I am working on a tool for verifying SMIME-messages.
> Because cms and smime are only able to verify base64 pkcs7-signatures
> I try to do it "manually" and I now have a problem with the
> signing-timestamp.
>

I'm not sure what you mean by "only able to verify base64 pkcs7-signatures"; it can handle PEM and DER forms too.

> Let's do an example:
>
> openssl smime -sign -md sha1 -in plain.txt -inkey mykey -signer
> mycert -noattr -outform der | openssl asn1parse -inform der
>
> If I put plain.txt and the 128 byte signature (from asn1parse out of
> the pkcs7) into RSA_verify it works perfectly.
> Every call would produce the same signature-hexdump.
>
> But if I remove the -noattr the signature-value will be different
> every second and then RSA_verify is not working anymore.
>
> How can I handle this?
>

When you don't use attributes the signature is performed over the content. If you use attributes then the signature is over the encoding of a bunch of attributes including a signing time and the digest of the content. Because the signing time changes, the data being signed in the attributes changes too.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
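
The behaviour described in the reply, as an added example that is not part of the original thread or of OpenSSL: it walks a DER `signedAttrs` block, checks the messageDigest attribute against the content, and returns the digest the RSA signature actually covers, which per RFC 5652 section 5.4 is taken over the attributes re-tagged as SET OF (`0x31`) instead of `[0]` (`0xA0`). The helper names, the sample content and the signing times are constructed for illustration; SHA-1 matches the `-md sha1` in the thread, and `content` is assumed to be the exact bytes that were digested.

```python
import hashlib

# OIDs 1.2.840.113549.1.9.{3,4,5} and id-data (1.2.840.113549.1.7.1), DER content bytes
OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")
OID_SIGNING_TIME = bytes.fromhex("2a864886f70d010905")
OID_DATA = bytes.fromhex("2a864886f70d010701")

def tlv(tag, body):
    """DER-encode one element (short length form is enough for the sample)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the element at pos; handles long lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    else:
        n = first
    return tag, buf[pos:pos + n], pos + n

def build_signed_attrs(content, utctime):
    """Constructed sample: [0] IMPLICIT signedAttrs as found inside SignerInfo."""
    def attr(oid, value):
        return tlv(0x30, tlv(0x06, oid) + tlv(0x31, value))
    attrs = [attr(OID_CONTENT_TYPE, tlv(0x06, OID_DATA)),
             attr(OID_SIGNING_TIME, tlv(0x17, utctime.encode())),
             attr(OID_MESSAGE_DIGEST, tlv(0x04, hashlib.sha1(content).digest()))]
    return tlv(0xA0, b"".join(sorted(attrs)))  # DER SET OF elements are sorted

def digest_to_verify(signed_attrs, content):
    """Return (signing_time, digest covered by the signature) or raise ValueError."""
    tag, body, end = read_tlv(signed_attrs, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] IMPLICIT signedAttrs")
    found, pos = {}, 0
    while pos < len(body):
        _, attr, pos = read_tlv(body, pos)        # Attribute ::= SEQUENCE
        _, oid, p = read_tlv(attr, 0)             # attrType OID
        _, values, _ = read_tlv(attr, p)          # attrValues SET
        found[oid] = read_tlv(values, 0)[1]       # first (only) value
    if found.get(OID_MESSAGE_DIGEST) != hashlib.sha1(content).digest():
        raise ValueError("messageDigest attribute does not match content")
    # The signature covers the attributes re-tagged as SET OF, not the content.
    to_be_signed = b"\x31" + signed_attrs[1:end]
    return found.get(OID_SIGNING_TIME, b"").decode(), hashlib.sha1(to_be_signed).digest()
```

Two runs that differ only in signing time yield different digests, which is why the signature value changes every second without `-noattr`.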