On Wednesday June 25th javierm wrote: > ... > > So I did another test that I would like you guys to do, to illustrate us > mortals on what's going on. > Take any text: "This is a test for checksums or messagedigests" included the > quotes and no endofline or carriagereturn. > It has the SHA1 = [b33490ef86874904c7fc38bb92122665540fd7ce] or > [szSQ74aHSQTH/Di7khImZVQP184=] same SHA1 in base64 > > Now put that quoted text in a textfile and sign it with your cert and > private key > Then you get a multipart smime output to a file say signedmsg.txt
The way you should calculate the message digest (using SHA1) is complicated because RFC 4130 specifies that the message digest (the checksum) has to be calculated not just over your textfile but it should also include the MIME headers of the attachment. Have a look at appendix A: Message Examples in RFC 4130 to see examples. In your testcase we would get as inner MIME attachment something like this: --boundary-of-whole-multipart-message Content-Type: plain/text "This is a test for checksums or messagedigests" --boundary-of-whole-multipart-message Content-Type: application/pkcs7-signature [omitted binary pkcs7 signature data] --boundary-of-whole-multipart-message The message digest in the signature is calculated starting from and including the 'C' of "Content-Type: plain/text" and includes all bytes until the boundary of the next attachment (the "\r\n" before "--boundary-of-whole-multipart-message" is part of that boundary so is not included in the checksum. In this case the last quote character of your testmessage is the last byte. If you add these MIME headers to your text file you should get the same MIC. Note also that the exact form of the line endings is significant. With "\n" line endings you get a different MIC than with "\r\n" line endings. Officially (according to RFC 4130) you should always "normalize" the line endings of the MIME headers to "\r\n" but in practice everyone always uses the exact form in which it was sent; this corresponds to the "--binary" option of the smime(3) utility. So summarizing: the way you calculated the MDN is correct, you just calculated if over too few bytes. -- Marco Roeland ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
