Hi,
I am trying to write a script to verify a PKCS#7 signature (it is
actually an Authenticode signature) using commonly available UNIX
tools such as perl and the openssl command line interface.
For testing, I use the openssl 0.9.8o (plus security patches) from
Debian Squeeze. This means that "openssl cms" is not an available
command.
Extracting the relevant PKCS7 DER blob and the indirectly signed
data was not a problem (I know the formats involved), and I have
confirmed that sha1 of my content blob file is the same hex string
as found in the output of openssl asn1parse -inform DER -in
sigblob.der.
However for some strange reason, openssl smime -verify keeps
reporting "digest_failure". I have tried all of the following
commands:
openssl smime -verify -inform DER -in sig.tmp -binary -content data.tmp -noverify -out /dev/null
openssl smime -verify -inform DER -in sig.tmp -content data.tmp -noverify -out /dev/null
openssl smime -verify -inform DER -in sig.tmp -binary -noverify -out /dev/null
openssl smime -verify -inform DER -in sig.tmp -noverify -out /dev/null
All 4 return
<PID>:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:948:
<PID>:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:312:
The signature is valid according to other tools, and I am using the
-noverify option to avoid the CA and chain verification at this stage
of testing.
So what might I be doing wrong?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
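
The digest comparison described in the message (SHA-1 of the content blob against the value shown by openssl asn1parse) can be scripted. The following is an added example, not part of the original post: it assumes SHA-1, finds the messageDigest attribute by a byte search for its DER-encoded OID, and runs on a constructed sample attribute rather than a real Authenticode blob.

```python
import hashlib

# DER encoding (tag, length, value) of OID 1.2.840.113549.1.9.4, PKCS#9 messageDigest
MESSAGE_DIGEST_OID = bytes.fromhex("06092a864886f70d010904")

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def find_message_digest(der):
    """Return the messageDigest attribute value from a DER blob, or None."""
    idx = der.find(MESSAGE_DIGEST_OID)  # simple byte search, adequate for a test script
    if idx < 0:
        return None
    # Attribute ::= SEQUENCE { OID, SET { OCTET STRING } }
    tag, start, _ = read_tlv(der, idx + len(MESSAGE_DIGEST_OID))
    if tag != 0x31:                    # SET
        raise ValueError("expected SET after messageDigest OID")
    tag, start, end = read_tlv(der, start)
    if tag != 0x04:                    # OCTET STRING
        raise ValueError("expected OCTET STRING inside messageDigest")
    return der[start:end]

def digest_matches(der, content):
    """Compare SHA-1 of the exact content bytes with the signed messageDigest."""
    signed = find_message_digest(der)
    return signed is not None and signed == hashlib.sha1(content).digest()

def build_attribute(digest):
    """Constructed sample: a single messageDigest Attribute, not a full PKCS#7."""
    octet = bytes([0x04, len(digest)]) + digest
    body = MESSAGE_DIGEST_OID + bytes([0x31, len(octet)]) + octet
    return bytes([0x30, len(body)]) + body

SAMPLE_CONTENT = b"constructed content blob\r\n"   # constructed, not real signed data
SAMPLE_ATTR = build_attribute(hashlib.sha1(SAMPLE_CONTENT).digest())
```

The comparison is over exact bytes, so the same content with different line endings does not match.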