[openssl-users] PKCS7 and RSA_verify

ch ch at coderhacks.com
Wed Sep 27 23:19:30 UTC 2017


Thanks for the support.

On 2017-09-28 01:06, Dr. Stephen Henson wrote:
> On Thu, Sep 28, 2017, ch wrote:
>> Hello!
>> I am working on a tool for verifying SMIME-messages.
>> Because cms and smime is only able to verify base64 pkcs7-signatures
>> I try to do it "manually" and I now have a problem with the
>> signing-timestamp.
> I'm not sure what you mean by "only able to verify base64 pkcs7-signatures"
> it can handle PEM and DER forms too.
If the pkcs-signature is binary encoded it is not working for verifiying 
a SMIME-message in my experience with
smime or cms-smime on the console. I tried to convert the binary ones to 
base64 but that does not everytime the trick.

>> Lets do an example:
>> openssl smime -sign -md sha1  -in plain.txt  -inkey mykey -signer
>> mycert  -noattr  -outform der | openssl asn1parse -inform der
>> If I put plain.txt and the 128 byte signature (from asn1parse out of
>> the pkcs7) into RSA_verify it works perfectly.
>> Every call would produce the same signature-hexdump.
>> But if I remove the -noattr the signature-value will be different
>> every second and then RSA_verify it not working anymore.
>> How can I handle this?
> When you don't use attributes the signature is over performed over the
> content. If you use attributes then the signature is over the encoding of a
> bunch of attributes including a signing time and the digest of the content.
> Because the signing time changes the data being signed in the attributes
> changes too.
Would PKCS7_verify (or something else) handle that for me or do I need 
to consider that different
content with RSA_verify?
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Again, thanks for the support!

More information about the openssl-users mailing list