"三崎 友明" wrote:
> 
> Hello all,
> 
> I am using openssl-0.9.6b.
> It does not operate well by smime of openssl.
> Is usage wrong?
> 
> $ openssl smime -sign -inkey key.pem -signer cert.pem -certfile cacert.pem -in mail.txt -out mail.p7m
> $ openssl smime -verify -CAfile cacert.pem -in mail.p7m
> THIS IS TEST.
> Verification Successful
> 
> $ openssl smime -sign -inkey key.pem -signer cert.pem -in mail.txt -outform pem -out mail.p7c
> $ openssl smime -verify -CAfile cacert.pem -inform pem -in mail.p7c -content mail.txt
> THIS IS TEST.
> Verification Failure
> 23894:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:762:
> 23894:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:256:
> 

This is a text translation issue. By default all data signed and
verified gets translated to "canonical" format which is basically CR+LF
for EOL.

In the first case the actual translated form is included in the message.
As a result when it verifies it uses the same data it signed with.

In the second case the signed data is translated but it isn't included
with the message. When you verify you are then verifying against the
original instead of the translated form so you get the error.

There are a couple of ways to fix this. You can turn off the translation
using the -binary option or you can include the signed content using the
-nodetach option.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
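
Added example, not part of the original message and not OpenSSL's code: a simplified Python model of the digest mismatch described in the reply above, covering the failing detached case and both suggested fixes. The function names, the SHA-1 digest and the line-ending rule are assumptions made for illustration.

```python
import hashlib

def canonicalize(data: bytes) -> bytes:
    """Simplified model of the text translation: every LF-terminated
    line is rewritten to end in CR+LF (assumption, not OpenSSL's code)."""
    lines = data.split(b"\n")
    tail = lines.pop()  # bytes after the final LF, empty if data ends in LF
    return b"".join(l.rstrip(b"\r") + b"\r\n" for l in lines) + tail

def sign(content: bytes, binary: bool = False, detached: bool = True) -> dict:
    """Model of the signer: hash the translated text unless binary is set
    (-binary), and carry the hashed bytes along unless detached."""
    signed = content if binary else canonicalize(content)
    return {"digest": hashlib.sha1(signed).hexdigest(),
            "embedded": None if detached else signed}

def verify(sig: dict, external: bytes = None) -> bool:
    """Model of the verifier as described in the reply: embedded content is
    used when present, otherwise the external file is hashed as read."""
    data = sig["embedded"] if sig["embedded"] is not None else external
    return hashlib.sha1(data).hexdigest() == sig["digest"]

if __name__ == "__main__":
    mail = b"THIS IS TEST.\n"  # constructed sample with a Unix LF ending
    # Second case from the question: detached signature, original file given.
    print("detached, translated:", verify(sign(mail), mail))
    # Fix 1 (-binary): no translation, so the file on disk is what was hashed.
    print("detached, binary:    ", verify(sign(mail, binary=True), mail))
    # Fix 2 (-nodetach): the translated content travels with the signature.
    print("content included:    ", verify(sign(mail, detached=False)))
```

In this model a file that already uses CR+LF line endings verifies in every case, because the translation leaves it unchanged.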
