Dear folks, I created X.509 signed mail by an application then I tried to verify signature by 'openssl smime -verify ...' command.
It did not work first time. S/MIME standard RFC 3851 and predecessors show a sample multipart/signed message in section 3.4.3.3.: Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary42 --boundary42 --> Content-Type: text/plain This is a clear-signed message. --boundary42 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7s ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 7GhIGfHfYT64VQbnj756 --boundary42-- See the marked MIME sub-header in part2. My application that uses MIME::Tools PERL library produces similar format: Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="----------=_1215093708-16004-0" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.420 (Entity 5.420) From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Hello, nurse! This is an S/MIME signed message ------------=_1215093708-16004-0 --> Content-Type: text/plain --> Content-Disposition: inline --> Content-Transfer-Encoding: binary --> This is a message ------------=_1215093708-16004-0 Content-Type: application/pkcs7-signature; name="signature-cr.p7s" Content-Disposition: attachment; filename="signature-cr.p7s" Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEH AQAAoIIFbjCCBWowggRSoAMCAQICAgNWMA0GCSqGSIb3DQEBBQUAMFUxCzAJ ... I found that 'openssl smime' refuses to verify signature until I delete the marked lines. Probably it computes hash not only the cleartext but on header and separator too. Is this normal? Why openssl could not figure out where the cleartext begins? Gabor ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]