On Fri, Feb 26, 2010, Alexei Soloview wrote:

> Hello!
> 
> I am trying to check the signature on a PKCS7 structure (see attached file pkcs7.bin).
> 
> The following sequence of commands is performed:
> 
> openssl pkcs7 -in pkcs7.bin -inform DER -outform PEM -out pkcs7.PEM
> 
> openssl smime -verify -in pkcs7.PEM -inform pem -noverify  1>pkcs7.data 
> 
> Verification failure
> 
> 3980:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not
> found:.\crypto\pkcs7\pk7_smime.c:378:
> 
> OpenSSL says that it cannot find the signer certificate. But the output of the command
> 
> openssl asn1parse -inform DER -in pkcs7.bin
> 
> shows that the certificate is present.
> 
> What's wrong?
> 

The PKCS#7 structure is broken. In OpenSSL 1.0 you can see this clearly with
the command:

openssl cms -cmsout -in pkcs7.bin -inform DER -noout -print

The signerInfo structure points to the signer's certificate:

    signerInfos:
         version: 1
     d.issuerAndSerialNumber: 
      issuer: CN=CSCA, O=assa abloy itg, C=de
      serialNumber: 1

While the certificate itself has:

issuer: C=de, O=assa abloy itg, CN=CSCA

The ordering is reversed: order is significant in DNs so the two do not match.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
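
An added example, not part of the original message and not OpenSSL's own code: a simplified model of the issuerAndSerialNumber lookup, showing why a reversed issuer DN leaves the embedded certificate unmatched. The helper names and DER encodings are constructed from the names quoted above, and the certificate serial number of 1 is an assumption.

```python
# Added example. The DER is constructed here from the names quoted in the thread.
OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "C": b"\x55\x04\x06"}
ATTRS = {oid: attr for attr, oid in OIDS.items()}

def tlv(tag, body):
    assert len(body) < 128  # short-form DER length is enough for these names
    return bytes([tag, len(body)]) + body

def encode_name(rdns):
    """DER Name: SEQUENCE of SET of SEQUENCE { OID, PrintableString }."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, OIDS[a]) + tlv(0x13, v.encode())))
        for a, v in rdns))

def read_tlv(buf, pos=0):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_name(der):
    """Return the RDNs as an ordered list of (attribute, value)."""
    tag, body, _ = read_tlv(der)
    assert tag == 0x30
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn_set, pos = read_tlv(body, pos)
        _, atv, _ = read_tlv(rdn_set)
        _, oid, nxt = read_tlv(atv)
        _, value, _ = read_tlv(atv, nxt)
        rdns.append((ATTRS[oid], value.decode()))
    return rdns

def diagnose(sid_issuer, sid_serial, certs):
    """Classify a signer lookup: 'match', 'reversed' or 'absent'."""
    want = decode_name(sid_issuer)
    result = "absent"
    for cert in certs:
        if cert["serial"] != sid_serial:
            continue
        have = decode_name(cert["issuer"])
        if have == want:          # list equality is order-sensitive
            return "match"
        if have == want[::-1]:    # same RDNs, opposite order
            result = "reversed"
    return result

# Constructed inputs: the certificate's issuer and the signerInfo's issuer.
CERT = {"issuer": encode_name([("C", "de"), ("O", "assa abloy itg"), ("CN", "CSCA")]),
        "serial": 1}  # serial is an assumption
SID_ISSUER = encode_name([("CN", "CSCA"), ("O", "assa abloy itg"), ("C", "de")])

if __name__ == "__main__":
    print(diagnose(SID_ISSUER, 1, [CERT]))
```

A "reversed" result means the structure has to be regenerated by its producer; the verifier is behaving correctly in rejecting it.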