On Fri, Feb 26, 2010, Alexei Soloview wrote:

> Hello!
>
> I try to check signature on PKCS7-structure (see attached file pkcs7.bin).
> The following sequence of commands is performed:
>
> openssl pkcs7 -in pkcs7.bin -inform DER -outform PEM -out pkcs7.PEM
> openssl smime -verify -in pkcs7.PEM -inform pem -noverify 1>pkcs7.data
>
> Verification failure
> 3980:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:.\crypto\pkcs7\pk7_smime.c:378:
>
> OpenSSL says that it cannot find signer certificate. But output of command
>
> openssl asn1parse -inform DER -in pkcs7.bin
>
> shows that certificate is present.
> What's wrong?
>
The PKCS#7 structure is broken. In OpenSSL 1.0 you can see this clearly with
the command:

    openssl cms -cmsout -in pkcs7.bin -inform DER -noout -print

The signerInfo structure points to the signer's certificate:

    signerInfos:
        version: 1
        d.issuerAndSerialNumber:
          issuer: CN=CSCA, O=assa abloy itg, C=de
          serialNumber: 1

While the certificate itself has:

    issuer: C=de, O=assa abloy itg, CN=CSCA

The ordering is reversed: order is significant in DNs so the two do not match.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
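The mismatch described in the reply above, as an added illustration that is not code from the thread or from OpenSSL: it DER-encodes the two issuer names quoted there and shows that a lookup by issuerAndSerialNumber fails when only the RDN order differs. Assumptions: the function names are hypothetical, values are encoded as PrintableString, the certificate serial is taken to be 1, and matching is simplified to exact DER equality.

```python
# Added example: minimal DER encoding of an X.501 Name, stdlib only.
# Standard attribute-type OIDs: CN=2.5.4.3, O=2.5.4.10, C=2.5.4.6.
ATTR_OID = {"CN": bytes([0x55, 0x04, 0x03]),
            "O": bytes([0x55, 0x04, 0x0A]),
            "C": bytes([0x55, 0x04, 0x06])}

def tlv(tag, body):
    """DER tag-length-value, handling short and long length forms."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_name(rdns):
    """rdns: list of (attr, value) pairs in the order they appear in the Name."""
    out = b""
    for attr, value in rdns:
        # AttributeTypeAndValue; PrintableString (0x13) is an assumption here.
        atv = tlv(0x30, tlv(0x06, ATTR_OID[attr]) + tlv(0x13, value.encode("ascii")))
        out += tlv(0x31, atv)   # one single-valued RDN (SET OF)
    return tlv(0x30, out)       # RDNSequence: position is part of the encoding

def find_signer(sid_issuer, sid_serial, certs):
    """Return the cert whose issuer encoding and serial equal the signer id."""
    want = encode_name(sid_issuer)
    for cert in certs:
        if cert["serial"] == sid_serial and encode_name(cert["issuer"]) == want:
            return cert
    return None

def diagnose(sid_issuer, sid_serial, certs):
    """Explain a failed lookup: flag certs that differ only in RDN order."""
    if find_signer(sid_issuer, sid_serial, certs):
        return "match"
    for cert in certs:
        if cert["serial"] == sid_serial and sorted(cert["issuer"]) == sorted(sid_issuer):
            return "same RDNs, different order"
    return "no candidate"

# DNs as printed in the thread; the certificate serial of 1 is assumed.
SID_ISSUER = [("CN", "CSCA"), ("O", "assa abloy itg"), ("C", "de")]
CERT = {"issuer": [("C", "de"), ("O", "assa abloy itg"), ("CN", "CSCA")], "serial": 1}

if __name__ == "__main__":
    print(diagnose(SID_ISSUER, 1, [CERT]))
    print(diagnose(CERT["issuer"], 1, [CERT]))
```

The "same RDNs, different order" result is the situation in this thread: the certificate is present in the structure, but the signer identifier does not select it.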