Man page of CMS_verify says the following CMS_get0_signers() retrieves the signing certificate(s) from *cms*, it must be called after a successful CMS_verify() operation.
So, CMS_get0_signers should be called after CMS_verify but you seem to do it the other way round. Secondly, why do you need to build the X509 cert from the DSA parameters? When your C# application creates the CMS signed message, does it not use a Certificate and its Private Key? Your stack of certs should include this certificate. I also presume that the signing certificate isn't included in the contentInfo message as you have set the CMS_NOINTERN flag for CMS_verify. Thanks, Sandeep On Wed, Jan 27, 2010 at 5:36 AM, Ujwal Chinthala <ujwal_chinth...@net.com>wrote: > Hi, > > > > Thanks for all the help. I modified the code based on your comments. > > > > Basically, I am trying to verify a CMS data signed by a C# program. So I > have the base 64 decoded CSM data stored as nBytes a BYTE array. > > > > I have to verify the data(nBytes) using the DSA params and public key which > is hard coded in the code as const char arrays(uLicenseCheckG, > > uLicenseCheckP, uLicenseCheckQ and uLicenseCheckY). > > > > I tried to verify even using the *CMS_NO_CONTENT_VERIFY* flag. > CMS_verify() fails with error “*signer certificate not found*”. > > > > I digged in to the code and found that CMS_Verify() tries to copy the > st(stack of x509 certs) to cms and fails? I am copying the skid value from > the > > cms and creating the x509Cert using that so they match. I have notices that > the x509Cert->skid is becoming NULL after the call to CMS_verify(). > > Is there anything wrong with the above x509 cert created above with the > public key and DSA params and skid. Am I missing something? > > What else do I need to verify correctly? > > > > Please find the modified code below. > > > > -Ujwal > > > > > > > > //COPY the DSA params and public keys from const char arrays into DSA > structure > > DSA *dsaParams= DSA_new(); > > dsaParams->g = BN_new(); > > dsaParams->p = BN_new(); > > dsaParams->q = BN_new(); > > dsaParams->pub_key = BN_new(); > > BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof( > uLicenseCheckG), dsaParams->g); > > BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof( > uLicenseCheckP), dsaParams->p); > > BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof( > uLicenseCheckQ), dsaParams->q); > > BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof( > uLicenseCheckY), dsaParams->pub_key); > > > > //Create a EVP_PKEY to use in creating a certificate > > EVP_PKEY *evpTemp = EVP_PKEY_new(); > > EVP_PKEY_assign_DSA(evpTemp, dsaParams); > > > > //Create a CMS content info structure out of the license key > > CMS_ContentInfo *cms = NULL; > > BIO *bioBuff = BIO_new_mem_buf((char *)nBytes, nCountOfBytes); > > BIO_set_mem_eof_return(bioBuff,0); > > cms = d2i_CMS_bio(bioBuff, NULL);// i believe this finds the end of > ASN1 data > > > > > > STACK_OF(CMS_SignerInfo) *sinfos; > > CMS_SignerInfo *si; > > sinfos = CMS_get0_SignerInfos(cms); > > si = sk_CMS_SignerInfo_value(sinfos, 0); > > ASN1_OCTET_STRING* keyid; > > X509_NAME* issuer; > > ASN1_INTEGER* sno; > > int rc = CMS_SignerInfo_get0_signer_id(si, &keyid, &issuer, &sno); > > //USE THIS KEYID TO SET THE x509Cert->skid VALUE > > printf ("si: %d %p %p %p\n", rc, keyid, issuer, sno); > > > > //create a x509 cert with above DSA params and public key and skid > > X509 *x509Cert = X509_new(); > > X509_set_version(x509Cert, 2); > > ASN1_INTEGER_set(X509_get_serialNumber(x509Cert), 0); > > x509Cert->skid = ASN1_OCTET_STRING_dup(keyid); > > X509_gmtime_adj(X509_get_notBefore(x509Cert),0); > > X509_gmtime_adj(X509_get_notAfter(x509Cert), (long) 60*60*24*365); > > > > int error = X509_set_pubkey(x509Cert, evpTemp); > > if (error) { > > printf("set public key error: %s", ERR_error_string( > ERR_get_error(), NULL)); > > } > > X509_print_fp(stdout, x509Cert); > > > > //create a stack of x509 cert to use it in CMS_verify > > STACK_OF(X509) *st=sk_X509_new_null(); > > sk_X509_push(st, x509Cert); > > > > //x509Cert->skid is valid here > > printf ("skid: %p\n", x509Cert->skid); > > > > //It fails here with “signer certificate not found” error > > //Also tried using the CMS_NO_CONTENT_VERIFY > > int cmsVerify = CMS_verify(cms, st, NULL, NULL, NULL, CMS_NOINTERN| > CMS_NO_SIGNER_CERT_VERIFY); > > > > errortemp = ERR_get_error(); > > ERR_error_string(errortemp, errorbuff); > > printf("countofbytes = %d, error num = %d, and error = %s\n", > nCountOfBytes,errortemp, errorbuff); > > //x509Cert->skid is in-valid here > > printf ("skid: %p\n", x509Cert->skid); > > > > > > >