[openssl-users] PKCS7 and RSA_verify

ch ch at coderhacks.com
Wed Sep 27 23:19:30 UTC 2017


Hello!

Thanks for the support.

On 2017-09-28 01:06, Dr. Stephen Henson wrote:
> On Thu, Sep 28, 2017, ch wrote:
>
>> Hello!
>>
>> I am working on a tool for verifying SMIME-messages.
>> Because cms and smime are only able to verify base64 pkcs7-signatures
>> I try to do it "manually" and I now have a problem with the
>> signing-timestamp.
>>
> I'm not sure what you mean by "only able to verify base64 pkcs7-signatures"
> it can handle PEM and DER forms too.
If the pkcs-signature is binary encoded it is not working for verifying
a SMIME-message in my experience with smime or cms-smime on the console.
I tried to convert the binary ones to base64 but that does not always do
the trick.

>
>> Let's do an example:
>>
>> openssl smime -sign -md sha1  -in plain.txt  -inkey mykey -signer
>> mycert  -noattr  -outform der | openssl asn1parse -inform der
>>
>> If I put plain.txt and the 128 byte signature (from asn1parse out of
>> the pkcs7) into RSA_verify it works perfectly.
>> Every call would produce the same signature-hexdump.
>>
>> But if I remove the -noattr the signature-value will be different
>> every second and then RSA_verify is not working anymore.
>>
>> How can I handle this?
>>
> When you don't use attributes the signature is performed over the
> content. If you use attributes then the signature is over the encoding of a
> bunch of attributes including a signing time and the digest of the content.
> Because the signing time changes the data being signed in the attributes
> changes too.
Would PKCS7_verify (or something else) handle that for me or do I need
to consider that different content with RSA_verify?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Again, thanks for the support!
chris
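
Added example, not part of the original thread: a stdlib-only Python sketch of what is signed when attributes are present. Assumptions: all function names are hypothetical, the sample attributes are constructed here, SHA-1 mirrors the `-md sha1` in the command above, and the re-tagging of the stored `[0]` field (0xA0) as SET OF (0x31) before hashing comes from RFC 5652 section 5.4, not from the thread.

```python
import hashlib

# DER contents of the PKCS#9 attribute OIDs 1.2.840.113549.1.9.{3,4,5} and of id-data.
PKCS9 = bytes.fromhex("2a864886f70d0109")
CONTENT_TYPE, MESSAGE_DIGEST, SIGNING_TIME = PKCS9 + b"\x03", PKCS9 + b"\x04", PKCS9 + b"\x05"
ID_DATA = bytes.fromhex("2a864886f70d010701")

def tlv(tag, body):
    """Encode one DER element (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def stored_signed_attrs(content, utctime):
    """Constructed sample: the [0] IMPLICIT (0xA0) field as it sits in SignerInfo."""
    attr = lambda oid, value: tlv(0x30, tlv(0x06, oid) + tlv(0x31, value))
    attrs = [attr(CONTENT_TYPE, tlv(0x06, ID_DATA)),
             attr(SIGNING_TIME, tlv(0x17, utctime.encode())),
             attr(MESSAGE_DIGEST, tlv(0x04, hashlib.sha1(content).digest()))]
    return tlv(0xA0, b"".join(sorted(attrs)))  # DER SET OF elements are sorted

def message_digest(stored):
    """Return the messageDigest attribute value; it must equal SHA-1(content)."""
    body, pos = read_tlv(stored)[1], 0
    while pos < len(body):
        _, attr, pos = read_tlv(body, pos)
        _, oid, nxt = read_tlv(attr)
        if oid == MESSAGE_DIGEST:
            return read_tlv(read_tlv(attr, nxt)[1])[1]
    raise ValueError("no messageDigest attribute")

def rsa_verify_input(stored):
    """Digest to hand to RSA_verify: SHA-1 over the attributes re-tagged as SET OF."""
    if stored[0] != 0xA0:
        raise ValueError("expected [0] IMPLICIT signed attributes")
    return hashlib.sha1(b"\x31" + stored[1:]).digest()

if __name__ == "__main__":
    for t in ("170927231930Z", "170927231931Z"):  # constructed times, one second apart
        print(t, rsa_verify_input(stored_signed_attrs(b"abc", t)).hex())
```

A manual check with attributes therefore has two parts: compare `message_digest()` with the digest of the content, then verify the signature against `rsa_verify_input()`. PKCS7_verify performs both steps itself.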

