Re: PKCS7 and RSA_verify

Hello!

Thanks for the support.

On 2017-09-28 01:06, Dr. Stephen Henson wrote:
> On Thu, Sep 28, 2017, ch wrote:
>
>> Hello!
>>
>> I am working on a tool for verifying SMIME-messages.
>> Because cms and smime are only able to verify base64 pkcs7-signatures
>> I try to do it "manually" and I now have a problem with the
>> signing-timestamp.
>
> I'm not sure what you mean by "only able to verify base64 pkcs7-signatures"
> it can handle PEM and DER forms too.

If the pkcs-signature is binary encoded it is not working for verifying a SMIME-message in my experience with smime or cms-smime on the console. I tried to convert the binary ones to base64 but that does not do the trick every time.

>> Let's do an example:
>>
>> openssl smime -sign -md sha1  -in plain.txt  -inkey mykey -signer
>> mycert  -noattr  -outform der | openssl asn1parse -inform der
>>
>> If I put plain.txt and the 128 byte signature (from asn1parse out of
>> the pkcs7) into RSA_verify it works perfectly.
>> Every call would produce the same signature-hexdump.
>>
>> But if I remove the -noattr the signature-value will be different
>> every second and then RSA_verify is not working anymore.
>>
>> How can I handle this?
>
> When you don't use attributes the signature is performed over the
> content. If you use attributes then the signature is over the encoding of a
> bunch of attributes including a signing time and the digest of the content.
> Because the signing time changes the data being signed in the attributes
> changes too.

Would PKCS7_verify (or something else) handle that for me or do I need to consider that different content with RSA_verify?

> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Again, thanks for the support!
chris
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
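
The behaviour described in the quoted reply, as an added example that is not part of the thread and is not OpenSSL code: a standard-library Python sketch that builds the DER encoding of three signed attributes (content type, signing time, message digest) and shows the digest that gets signed changing with the signing time while the content stays the same. The helper names and sample content are constructed, and real signatures may carry further attributes. It goes slightly beyond the thread in showing the RFC 5652 detail that the attributes are hashed with the SET OF tag (0x31), not the [0] tag (0xA0) they carry inside the SignerInfo.

```python
import hashlib  # SHA-1 only because the thread's command uses -md sha1

# DER bodies of the PKCS#9 / CMS object identifiers used below.
OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")    # 1.2.840.113549.1.9.3
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_SIGNING_TIME = bytes.fromhex("2a864886f70d010905")    # 1.2.840.113549.1.9.5
OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1

def tlv(tag, value):
    """Minimal DER tag-length-value encoder."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def attribute(oid, value_tlv):
    # Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF }
    return tlv(0x30, tlv(0x06, oid) + tlv(0x31, value_tlv))

def signed_attrs(content, utctime):
    """DER SET OF three signed attributes (assumed minimal set)."""
    attrs = [
        attribute(OID_CONTENT_TYPE, tlv(0x06, OID_DATA)),
        attribute(OID_SIGNING_TIME, tlv(0x17, utctime.encode("ascii"))),
        attribute(OID_MESSAGE_DIGEST, tlv(0x04, hashlib.sha1(content).digest())),
    ]
    return tlv(0x31, b"".join(sorted(attrs)))  # DER orders SET OF elements

def digest_without_attrs(content):
    # -noattr: the RSA signature covers the digest of the content itself.
    return hashlib.sha1(content).hexdigest()

def digest_with_attrs(content, utctime):
    # With attributes: the signature covers the digest of their encoding.
    return hashlib.sha1(signed_attrs(content, utctime)).hexdigest()

def to_signed_form(signerinfo_field):
    # In SignerInfo the attributes carry the IMPLICIT [0] tag (0xA0); RFC 5652
    # section 5.4 has them hashed with the SET OF tag (0x31) instead.
    if signerinfo_field[:1] != b"\xa0":
        raise ValueError("expected [0] IMPLICIT signedAttrs")
    return b"\x31" + signerinfo_field[1:]

if __name__ == "__main__":
    content = b"constructed sample content\r\n"
    for t in ("170928010600Z", "170928010601Z"):  # one second apart
        print(t, digest_with_attrs(content, t))
    print("noattr       ", digest_without_attrs(content))
```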



