Hello, I am struggling with using OpenSSL 1.1.1 to verify a PKCS #7/CMS structure. Verification succeeds when I use OpenSSL 1.0.2, but 1.1.0 and 1.1.1 fails with "bad signature". I initially had this problem when using the OpenSSL library but I see that the problem also applies to the OpenSSL CLI.
I am at loss and need some help with this issue. Please see the commands I used below. Thank you for any assistance you can provide! Notes: - "-noverify" was used because the certificates expired. - Verification succeeds when specifying "-nosigs". - "openssl cms -verify [...]" behaves the same way. - Since the files I am working with (test.der and test-data.bin) are part of a private project, I am not ready to share these in public. - I do not know exactly how the message structure was created but I guess either with some OpenSSL 1.0.2, Java with or without BouncyCastle. Commands used: # Environment: macOS 10.14.3 / Homebrew $ /usr/local/opt/openssl/bin/openssl version OpenSSL 1.0.2r 26 Feb 2019 $ /usr/local/opt/openssl/bin/openssl smime -verify -inform der -in test.der -content test-data.bin -noverify Verification successful $ /usr/local/opt/openssl\@1.1/bin/openssl version OpenSSL 1.1.1b 26 Feb 2019 $ /usr/local/opt/openssl\@1.1/bin/openssl smime -verify -inform der -in test.der -content test-data.bin -noverify Verification failure 4563408320:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:220: 4563408320:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:crypto/pkcs7/pk7_doit.c:1037: 4563408320:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:crypto/pkcs7/pk7_smime.c:353: