I'm unable to verify detached PEM signatures with the -content option to 'openssl smime'. I've weaseled what I'm trying to do to a simple script (see attached).
The script first uses an smime inline signature ...
openssl smime -sign -in ${FILE} -signer ${CERT} -inkey ${KEY} -out ${FILE}.signed
openssl smime -verify -noverify -in ${FILE}.signed >/dev/null
All this works OK, but when I try using a detached signature:
FORM=PEM
openssl smime -sign -in ${FILE} -signer ${CERT} -inkey ${KEY} \
-outform ${FORM} -out ${FILE}.pemsigned
openssl smime -verify -noverify -inform ${FORM} -content ${FILE} \
-in ${FILE}.pemsigned >/dev/null
I get these errors:
Verification failure
20873:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:948:
20873:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:312:
Examining the signature of the inline and detached methods shows they are the same.
Can someone point out my error (or suggest another mailing list where this question is more appropriate)?
TIA
--
Keith Hellman #include <disclaimer.h>
[email protected] from disclaimer import standard
[email protected]
-*-
public key @ pgp.mit.edu 9FCF40FD
Y!M: mcprogramming AIM/ICQ: 485403897
gtalk (xmpp jabber): [email protected], [email protected]
-*-
I would point out that linked lists, mark-and-copy garbage collection, and the
Tab key are all patented too. Somebody who always carefully checked first for
software patents would never write anything at all.
-- Martin Pool (rsync developer)
http://rsync.samba.org/rsync-and-debian/rsync-and-debian.html
#!/bin/sh
# Defaults; override by exporting CERT, KEY, FILE or FORM before running.
: ${CERT:=./sign-script.crt}
: ${KEY:=./sign-script.key}
: ${FILE:=./sign-script}

if ! test -r "${CERT}" -a -r "${KEY}" ; then
    echo >&2 "Generating key and self-signed cert in ${KEY} ${CERT}..."
    printf >&2 'Continue? [Yes/*]: '
    read line
    # "${line}" must be quoted: an empty answer would otherwise make test fail with a syntax error
    if ! test "${line}" = Yes ; then
        exit 1
    fi
    echo >&2 "Generating '${KEY}'..."
    openssl genrsa -out "${KEY}" 1024
    echo >&2 "Generating self-sign request '${KEY}.csr'..."
    openssl req -new -key "${KEY}" -out "${KEY}.csr"
    echo >&2 "Signing self-sign request '${KEY}.csr'..."
    openssl x509 -req -days 1 -in "${KEY}.csr" -signkey "${KEY}" -out "${CERT}"
    echo >&2 "Removing self-sign request '${KEY}.csr'..."
    rm -f "${KEY}.csr"
fi

set -x
# 1. Inline (S/MIME) signature: the signed content travels inside the output,
#    so verify needs no -content.
openssl smime -sign -in "${FILE}" \
    -signer "${CERT}" -inkey "${KEY}" \
    -out "${FILE}.signed"
openssl smime -verify \
    -noverify \
    -in "${FILE}.signed" >/dev/null

# 2. Detached PEM signature: only the PKCS#7 structure is written, so the
#    original content is handed to verify with -content.
: ${FORM:=PEM}
openssl smime -sign -in "${FILE}" \
    -signer "${CERT}" -inkey "${KEY}" \
    -outform "${FORM}" -out "${FILE}.pemsigned"
openssl smime -verify \
    -noverify \
    -inform "${FORM}" \
    -content "${FILE}" \
    -in "${FILE}.pemsigned" >/dev/null
set +x
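Editor's added example, not part of the original post or its attached script. The "digest failure" above is the symptom one gets whenever the bytes handed to `-content` are not the bytes the signer hashed. Unless `openssl smime -sign` is given `-binary`, it converts the input to S/MIME canonical form (CRLF line endings) before hashing, as documented under `-binary` in smime(1); with an S/MIME (inline) output that canonical copy is carried inside the message, so `-verify` reads it back, but with a detached PEM output the verifier is handed the original LF file instead. The block below models that canonicalisation step in Python (mirroring the line handling of OpenSSL's SMIME_crlf_copy(); it does not call OpenSSL) and compares digests the way the verifier's digest check does. SHA-256 is used as a stand-in for whatever digest the signer's OpenSSL build selects, and the sample file is constructed. The mitigation it illustrates is signing with `-binary` (the hash then covers the raw file, so `-content ${FILE}` verifies), or alternatively passing the canonicalised bytes as the content.

```python
import hashlib

# Constructed sample: a small LF-terminated script, last line without a newline.
SAMPLE = b"#!/bin/sh\necho hello\nexit 0"


def smime_canonicalize(data: bytes) -> bytes:
    """Model of the canonical-form conversion `openssl smime -sign` applies when
    -binary is NOT given: every LF-terminated line (with any trailing CRs
    stripped) is re-terminated with CRLF; an unterminated final line is copied
    without adding a terminator.  This mirrors SMIME_crlf_copy()/strip_eol()
    in OpenSSL's asn_mime.c (assumption: a model, not a call into OpenSSL)."""
    pieces = data.split(b"\n")
    out = bytearray()
    for i, piece in enumerate(pieces):
        terminated = i < len(pieces) - 1  # every piece but the last was followed by LF
        out += piece.rstrip(b"\r")
        if terminated:
            out += b"\r\n"
    return bytes(out)


def digest(data: bytes) -> bytes:
    # Stand-in for the signer's message digest; the real algorithm depends on
    # the OpenSSL version and options used.
    return hashlib.sha256(data).digest()


def verify_would_match(signed_over: bytes, presented: bytes) -> bool:
    """Stand-in for the comparison PKCS7_signatureVerify performs between the
    digest the signature covers and the digest of the content supplied with
    -content.  False corresponds to 'digest failure'."""
    return digest(signed_over) == digest(presented)


def scenarios(raw: bytes = SAMPLE) -> dict:
    """The three combinations that matter for a detached signature."""
    canonical = smime_canonicalize(raw)
    return {
        # sign without -binary, verify with -content <raw file>: the post's case
        "default_sign_raw_content": verify_would_match(canonical, raw),
        # sign with -binary, verify with -content <raw file>: the fix
        "binary_sign_raw_content": verify_would_match(raw, raw),
        # sign without -binary, verify with -content <canonicalised copy>
        "default_sign_canonical_content": verify_would_match(canonical, canonical),
    }


if __name__ == "__main__":
    print("raw       :", SAMPLE)
    print("canonical :", smime_canonicalize(SAMPLE))
    for name, ok in scenarios().items():
        print(f"{name:32s} {'Verification successful' if ok else 'digest failure'}")
```

Note that the canonical form only differs from the raw file when the file contains LF line endings, which is why a signature over, say, a single-line file without a newline verifies either way; text files on Unix almost always trigger the mismatch.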