SMIME signed message verification

Harald Koch root at c-works.net
Fri Oct 30 07:14:42 UTC 2020


Dear Michael,

> On 29.10.2020 at 22:55, Michael Richardson <mcr at sandelman.ca> wrote:
> 
>> Yes, the signed message is contained in an HTTP(S) multipart request
>> with more payload and header information, sure. The only different part
>> is the signed content, all other content has been manually checked,
>> they are exactly the same. May it be possible that the CMS data which
>> OpenSSL generates is much bigger due to unneeded certificate
>> information, which makes the Java process stumble over the input?
> so, do you have detached content then?
Yes.

> And MIME and HTTP is involved?  My bet is that you have CRLF/LF issues, which
> you might not see unless you look at the raw packets --- after the TLS is
> removed, which is a hassle, but there is a way in openssl to get that data
> put somewhere, but I can't recall what it is.

The CRLF issue is known to me, and the "vi" editor I used shows them correctly in blue as "^M" at every line ending, so there is no error here (since I use the flag PKCS7_CRLFEOL / CMS_CRLFEOL for correct encoding of line endings for HTTP(S) transmission).
I’ve obtained the raw message via netcat and examined it in detail; the only difference seems to be the signed content. One big difference in the contained ASN.1 data is that OpenSSL includes much more information from the certificate used, i.e. the X509v3 extensions, which Java doesn’t do. Perhaps it’s a matter of what certificate information is included in the signed data?
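
A byte-level way to test the CRLF/LF question raised in this thread against a raw capture, as an added example that is not part of the original message or of OpenSSL: it cuts the signed body part out of the multipart body, counts the line-ending kinds, and hashes the part both as received and after CRLF canonicalization, so either digest can be compared with the messageDigest attribute in the signature. The multipart/signed layout, the boundary string, SHA-256 as the digest algorithm and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re

def signed_part(raw: bytes, boundary: bytes) -> bytes:
    """Return the exact bytes of the first body part (what the signer hashed)."""
    delim = b"--" + boundary
    start = raw.index(b"\n", raw.index(delim)) + 1   # content starts after the boundary line
    part = raw[start:raw.index(delim, start)]
    # The line break directly before the next boundary belongs to the boundary (RFC 2046).
    if part.endswith(b"\r\n"):
        return part[:-2]
    if part.endswith(b"\n"):
        return part[:-1]
    return part

def line_endings(data: bytes) -> dict:
    """Count CRLF pairs and any bare LF or bare CR left over."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf,
            "bare_lf": data.count(b"\n") - crlf,
            "bare_cr": data.count(b"\r") - crlf}

def canonicalize(data: bytes) -> bytes:
    """Convert every line ending to CRLF (S/MIME canonical text form)."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", data)

def digests(data: bytes) -> dict:
    """SHA-256 of the part as received and after canonicalization (algorithm assumed)."""
    return {"as_received": hashlib.sha256(data).hexdigest(),
            "canonical": hashlib.sha256(canonicalize(data)).hexdigest()}

# Constructed sample capture; the boundary name is hypothetical.
BOUNDARY = b"sig-boundary"
GOOD = (b"--sig-boundary\r\n"
        b"Content-Type: text/plain\r\n\r\n"
        b"hello\r\nworld\r\n"
        b"\r\n--sig-boundary\r\n"
        b"Content-Type: application/pkcs7-signature\r\n\r\n"
        b"(signature omitted)\r\n--sig-boundary--\r\n")
# Same message with one CRLF reduced to a bare LF somewhere in transit.
MANGLED = GOOD.replace(b"hello\r\n", b"hello\n")

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("mangled", MANGLED)):
        part = signed_part(raw, BOUNDARY)
        print(name, line_endings(part), digests(part))
```

If the two digests of a captured part differ, at least one line ending in the signed content is not CRLF, and a verifier that hashes the bytes as received will compute a different value from one that canonicalizes first.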


More information about the openssl-users mailing list