On Wed, Apr 07, 2004, Spencer Yost wrote:

> First, as to my previous question: Thanks to Dr Hanson for figuring out my
> sender sent a file with an extra data (really a second message) stuck on the
> end.
>
> I'll cut to the chase: I need to come up with a set of openssl commands
> that will decrypt and verify an incoming SMIME message and just end up with
> the data payload. The message is a two part, signed, encrypted message. I
> can decrypt but can't seem to verify. I apologize for being so ignorant but
> this is only my second project with Openssl SMIME and the first was canceled
> (-;
>
> In short, I think I am approaching this wrong - I don't think there is
> anything wrong with the signature itself. But I digress: First, I could
> have sworn you could decrypt and verify in one step but it didn't work.
> Here is the command I used to decrypt and verify
>
> openssl -decrypt -verify -in (unknown) -recip {mycert} -signer {theircert}
> -inkey {mykey.pem}
>
> This doesn't work and throws a "content-type" error. I suspect verify is
> looking at the message "Content-type" and not the signature part
> content-type. So I decide to decrypt first and then verify. When I
> decrypt I get the following output:
>
> Content-Type: multipart/signed; protocol="application/pkcs7-signature";
> micalg=sha1;
> boundary="=_IPNet_20040405135357409_44"
> Content-Disposition: attachment
>
> --=_IPNet_20040405135357409_44
> Content-Type: APPLICATION/EDI-X12
> Content-Transfer-Encoding: binary
> Content-Disposition: attachment; filename="01006203210P-000000002.edi"
>
> ...snip one data part ...
>
> --=_IPNet_20040405135357409_44^M
> Content-Type: application/pkcs7-signature; name=smime.p7s^M
> Content-Transfer-Encoding: binary^M
> Content-Disposition: attachment; filename=smime.p7s^M
> ^M
>
> ...snip signature
>
> and then push this through "openssl smime -verify -signer {theircert.pem}",
> I get the following
>
> Error reading S/MIME message
> 9970:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
> 9970:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142:
> 9970:error:2107A08C:PKCS7 routines:SMIME_read_PKCS7:pkcs7 sig parse error:pk7_mime.c:289:
>
> I suspected because it wasn't a fully compliant email message (ie no
> headers). But if I pipe to formail first to get some headers, I get the
> same message.
>
> Any idea as to why I am not able to verify and just end up with the data
> part? Can anyone help this newbie?
>
> Thanks in advance to everyone for your help and time,
>
There isn't a command to decrypt and verify all in one go. For one thing
there are various ways to do that.

You seem to be OK with the decryption part; it's the actual signed message
that's causing problems.

It looks like the signature is not base64 encoded and the initial part isn't
text either. OpenSSL's MIME parser is a rather primitive thing and not
designed for more complex forms: it's basically just enough to tolerate the
typical stuff S/MIME mail clients will throw out.

So what I suspect you have to do is to take the S/MIME data and extract the
content and signature parts and then feed the result into the OpenSSL smime
command with the "-inform DER -content whatever" switches.

If you can send me a zipped version of the data you are trying to verify
I'll see if the MIME parser can be updated to work on that form.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
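The "extract the content and signature parts, then verify with -inform DER -content" route Steve describes, written out as an added example (my code, not from the thread or from OpenSSL): it splits the decrypted multipart/signed entity by its MIME boundary, keeps the first part whole (headers included, as the signer hashed it), pulls the binary or base64 PKCS#7 blob out of the second part, and builds the openssl command. The file names, the -certfile/-CAfile arguments and the sample message are all assumptions.

```python
# Added example (not from the thread): split a decrypted multipart/signed entity into the
# content and DER signature that "openssl smime -verify -inform DER -content" expects.
import base64, email, re, subprocess, tempfile
from pathlib import Path

def _split_headers(part: bytes) -> tuple[bytes, bytes]:
    """(header block, body) of one MIME entity; CRLF or bare LF accepted."""
    m = re.search(rb"\r\n\r\n|\n\n", part)
    if m is None:
        raise ValueError("MIME entity has no blank line after its headers")
    return part[:m.start()], part[m.end():]

def split_multipart_signed(raw: bytes) -> tuple[bytes, bytes]:
    """Return (signed content, DER signature).  Content is the whole first body part,
    headers included (that is what was hashed); the newline before a boundary is not part of it."""
    outer = email.message_from_bytes(_split_headers(raw)[0] + b"\n\n")
    if outer.get_content_type() != "multipart/signed":
        raise ValueError(f"expected multipart/signed, got {outer.get_content_type()}")
    delim = rb"(?:^|\r?\n)--" + re.escape(outer.get_boundary().encode())
    parts = re.split(delim + rb"[ \t]*\r?\n", raw)[1:]          # [0] is the preamble
    if len(parts) != 2:
        raise ValueError(f"expected 2 body parts, found {len(parts)}")
    content, sig_part = parts
    sig_part = re.split(delim + rb"--", sig_part, maxsplit=1)[0]  # drop closing delimiter
    sig_headers, sig_body = _split_headers(sig_part)
    sig = email.message_from_bytes(sig_headers + b"\n\n")
    if sig.get_content_type() != "application/pkcs7-signature":
        raise ValueError("second part is not application/pkcs7-signature")
    cte = (sig.get("Content-Transfer-Encoding") or "binary").strip().lower()
    return content, base64.b64decode(sig_body) if cte == "base64" else sig_body

def verify_command(content: str, sig: str, signer_cert: str, ca_file: str, out: str) -> list[str]:
    # Detached DER signature: -content supplies the signed bytes, -CAfile the trust anchor.
    return ["openssl", "smime", "-verify", "-inform", "DER", "-in", sig, "-content", content,
            "-certfile", signer_cert, "-CAfile", ca_file, "-out", out]

def verify_and_extract(raw: bytes, signer_cert: str, ca_file: str) -> bytes:
    """Run openssl (must be installed); the verified output is the content part, so strip its headers."""
    content, sig = split_multipart_signed(raw)
    with tempfile.TemporaryDirectory() as d:
        c, s, o = (Path(d) / n for n in ("content.bin", "smime.p7s", "verified.bin"))
        c.write_bytes(content); s.write_bytes(sig)
        subprocess.run(verify_command(str(c), str(s), signer_cert, ca_file, str(o)), check=True)
        return _split_headers(o.read_bytes())[1]
# Constructed sample: boundary, EDI text and "signature" bytes are all made up.
FAKE_SIG = b"\x30\x82\x01\x00\x00\xff\r\nDER-PLACEHOLDER"
SAMPLE = (b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
          b'\tmicalg=sha1; boundary="=_example_20040405"\r\n\r\n--=_example_20040405\r\n'
          b"Content-Type: APPLICATION/EDI-X12\r\nContent-Transfer-Encoding: binary\r\n\r\n"
          b"ISA*00*~\r\nIEA*1*000000002~\r\n--=_example_20040405\r\nContent-Type: application/"
          b"pkcs7-signature; name=smime.p7s\r\n\r\n" + FAKE_SIG + b"\r\n--=_example_20040405--\r\n")
```

Because the verified output is the inner MIME part, the EDI payload Spencer is after only appears once that part's own headers are removed, which is what the last line of verify_and_extract does.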