Michael Konietzka wrote:
> 
> 
> I compiled it with example.c, but I get some trouble with self-signed
> certificates.
> I added some code to verify.c to add a cert from file with code like
> this:
> 
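>          /* Load a DER-encoded certificate from file and add it to the store */
>          webpo=fopen("webde.cert","r");
>          if (webpo==NULL) printf("Opening webde.cert failed\n");
>          else {
>              printf("Webde open\n");
>              /* d2i_X509_fp allocates the X509 itself when passed NULL */
>              webde=d2i_X509_fp(webpo,NULL);
>              fclose(webpo);
>              if (webde==NULL) printf("Creating of X509 failed\n");
>              else if (X509_STORE_add_cert(cert_store,webde)) printf("Webde added\n");
>          }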
> 
> But verify does not work I thought.
>  "./myverify  -d ~/data.text ~/websmime.pkcs7" outputs:
> 
>         depth=1 /C=DE/ST=Germany/L=Karlsruhe/O=Cinetic Medientechnik GmbH/OU=http:[EMAIL PROTECTED]
>         verify return:1
>         depth=0 /C=DE/ST=Deutschland/L=76131/O=Karlsruhe/CN=Michael [EMAIL PROTECTED]
>         verify return:1
> 18964:error:2106B065:PKCS7 routines:PKCS7_dataVerify:digest failure:pk7_doit.c:724:
> 
> When I verify the cert with "openssl verify" it works. Any hints?
>  Bye Michael

This means the digest of the data doesn't match that of the PKCS#7
signature. If this came from an S/MIME message you have to format the
first part of the multipart/signed message *exactly* right.

There are two things to watch out for:

1. You must handle the MIME parsing properly:

----Boundary
Hello World
----Boundary

Should be parsed as "Hello World" NOT "Hello World\n".

2. The data needs to be converted into "canonical format"; this basically
means DOS EOL (CR+LF) format.

3. You must *not* change anything in the signed data (other than EOL to
CR+LF conversion). It must be exactly as it appears in the message: if
you change one character or one character is changed in transit then
you'll break the signature.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
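
The extraction rules from the reply above, as an added example that is not part of the original message or of OpenSSL: it pulls the first part out of a multipart message, drops the line break that belongs to the delimiter, and converts line endings to CR+LF before the data would be digested. The function names `find_delim` and `signed_part` and the sample message are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Find delim at the start of a line, searching from s (base = buffer start). */
static const char *find_delim(const char *base, const char *s, const char *delim)
{
    while ((s = strstr(s, delim)) != NULL) {
        if (s == base || s[-1] == '\n') return s;
        s++;
    }
    return NULL;
}

/* Hypothetical helper: copy the first part of a multipart message (everything
 * between the first two delimiter lines) into out, ready for digesting.
 * Returns its length, or -1 on a malformed message or a too-small buffer. */
long signed_part(const char *msg, const char *boundary, char *out, size_t outsz)
{
    char delim[80];
    int dlen = snprintf(delim, sizeof delim, "--%s", boundary);
    if (dlen < 0 || (size_t)dlen >= sizeof delim || outsz == 0) return -1;

    const char *p = find_delim(msg, msg, delim);
    if (!p || !(p = strchr(p, '\n'))) return -1;
    p++;                                    /* part starts on the next line */
    const char *end = find_delim(msg, p, delim);
    if (!end || end == p) return -1;

    /* Point 1: the line break before the delimiter is not part of the data. */
    end--;
    if (end > p && end[-1] == '\r') end--;

    /* Point 2: canonical EOL. Bare LF and CRLF both come out as CRLF;
     * every other byte is copied unchanged (point 3). */
    size_t n = 0;
    for (; p < end; p++) {
        if (*p == '\r' && p + 1 < end && p[1] == '\n') continue;
        if (n + 2 >= outsz) return -1;      /* keep room for CRLF and NUL */
        if (*p == '\n') out[n++] = '\r';
        out[n++] = *p;
    }
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    char buf[256];   /* constructed sample, mirroring the example in the reply */
    long n = signed_part("----Boundary\nHello World\n----Boundary\n", "--Boundary", buf, sizeof buf);
    printf("%ld bytes: \"%s\"\n", n, buf);
    return 0;
}
```

The returned bytes are what would be passed as the detached data when verifying; the example does not call OpenSSL itself.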
