On Tue, Oct 02, 2007, Benjamin Fleckenstein wrote:

> Hi all,
>
> I'm trying to verify a PDF that was signed with S-Trust Sign-IT. That's a
> software sold by a German bank and used for qualified digital signatures.
> From a technical point of view it's just an SMIME Signature.
>
> I'm running this command:
>
> [EMAIL PROTECTED]:~/test/openssl/strust$ openssl smime -binary -verify -in rechnung.pdf.p7s -inform der -out /dev/null -content rechnung.pdf -CAfile strustx.pem
>
> Where rechnung.pdf.p7s contains the signature, and strustx.pem the root
> and subcertificates. I'm getting this error, also the Sign-IT Software
> confirms the signature as valid:
>
> Verification failure
> 19424:error:04077064:rsa routines:RSA_verify:algorithm mismatch:rsa_sign.c:228:
> 19424:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:pk7_doit.c:961:
> 19424:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:299:
>
> I searched the web for quite a long time, but I can't find anything
> explaining the error message to me. Did I miss an argument that has to be
> passed to openssl or is it more likely that Sign-IT isn't compatible to
> OpenSSL?
>

Looks like the signature format is non-standard and the algorithm in the
PKCS#7 structure doesn't match that in the RSA signature.

Try compiling OpenSSL with RSA_DEBUG set and it should print out the two
different types it is seeing.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
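
The mismatch described in the reply, as an added example that is not part of the original thread and is not OpenSSL code: a PKCS#1 v1.5 RSA signature carries its own digest algorithm inside the DigestInfo, and a verifier compares it with the algorithm declared alongside the signature. The toy key, the helper names and the sample document are constructed for illustration, and the declared algorithm is passed as a string instead of being parsed from a PKCS#7 structure.

```python
import hashlib

# DER DigestInfo prefixes for PKCS#1 v1.5 signatures (RFC 8017, section 9.2).
PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

# Constructed toy RSA key built from two Mersenne primes: insecure, demo only.
P, Q, E = 2**521 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def sign(data, alg):
    """Hypothetical signer: EMSA-PKCS1-v1_5 encode, then raw RSA."""
    t = PREFIX[alg] + hashlib.new(alg, data).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def embedded_digest(sig):
    """Open the signature with the public key; return (alg, digest) from DigestInfo."""
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    # Require 00 01, at least eight FF padding bytes, then the 00 separator.
    if em[:2] != b"\x00\x01" or sep < 10 or set(em[2:sep]) != {0xFF}:
        raise ValueError("bad PKCS#1 v1.5 padding")
    t = em[sep + 1:]
    for alg, prefix in PREFIX.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(alg).digest_size:
            return alg, t[len(prefix):]
    raise ValueError("unrecognised DigestInfo")


def check(data, sig, declared_alg):
    """Compare the declared digest algorithm with the one inside the signature."""
    alg, digest = embedded_digest(sig)
    if alg != declared_alg:
        return f"algorithm mismatch: declared {declared_alg}, signature has {alg}"
    if digest != hashlib.new(alg, data).digest():
        return "digest mismatch"
    return "ok"
```

Signing with `sign(doc, "sha1")` and then calling `check(doc, sig, "sha256")` reports both algorithm names, the same pair of types the reply expects the RSA_DEBUG build to print.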