On Thu, Jan 30, 2003, Gerd Schering wrote: > Hi, > > I use the smime utility to sign a message and output it in PEM format: > > openssl smime -sign -in req.csr -outform PEM -out mail.pem -signer \ > mycert.pem -inkey mykey.pem > > When trying to verify it, I get a failure: > > openssl smime -verify -inform PEM -in mail.pem -CAfile CAstore > Verification failure > 17732:error:2107507A:PKCS7 routines:PKCS7_verify:no \ > content:pk7_smime.c:172: > > The CAstore file contains the necessary CA certs. > When I drop the inform/outform PEM in both commands, everything works > smoothly - so what did I get wrong? >
The data being signed in PKCS#7 in 'detached' mode which is the default needs to be obtained from somewhere in order to verify the signature on it. In SMIME mode the content is included in a multipart/signed type, so smime -verify can obtain it from there. In PEM mode the content needs to be supplied separately with the -content argument. This only applies to detached data. If you include the -nodetach command line option the content is included in the PKCS#7 structure so it will not need to be supplied separately. Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
