Re: [openssl-users] PKCS7 and RSA_verify

2017-10-04 Thread lists

On 10/01/2017 01:27 AM, Sam Roberts wrote:
> On Thu, Sep 28, 2017 at 2:28 AM, ch wrote:
>> Hi!
>>
>> I thought the difference between PEM and DER is NOT ONLY a different
>> encoding of the string?
>> base64 vs. binary
>>
>> So to understand that clearly, please let me ask:
>> If I convert a PEM-signature from base64 to binary then it is DER?
>
> Yes. Well, technically it could be BER as well, but the main point is
> PEM is just a wrapper to transport binary via email safe text, and you
> can unwrap it if you want. PEM also includes a header, so you know if
> the object is a cert, a key, an encrypted message, etc, meta-data
> which is not known if you just have the binary chunk.

Indeed, PEM for S/MIME looks like

-----BEGIN PKCS7-----

-----END PKCS7-----

so you must add the header ("-----BEGIN PKCS7-----") and the trailer

>> Thanks
>> Chris
>>
>> On 2017-09-28 11:23, Wouter Verhelst wrote:
>>> On 28-09-17 01:19, ch wrote:
>>>> If the pkcs-signature is binary encoded it is not working for verifying
>>>> a SMIME-message in my experience with
>>>> smime or cms-smime on the console. I tried to convert the binary ones to
>>>> base64 but that does not do the trick every time.
>>>
>>> What you call "base64" is commonly known as "PEM" :-)
>>>
>>> You can get it to parse binary, but to do so you need to specify
>>> "-inform der".

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users





Re: [openssl-users] PKCS7 and RSA_verify

2017-09-30 Thread Sam Roberts
On Thu, Sep 28, 2017 at 2:28 AM, ch  wrote:
> Hi!
>
> I thought the difference between PEM and DER is NOT ONLY a different
> encoding of the string?
> base64 vs. binary
>
> So to understand that clearly, please let me ask:
> If I convert a PEM-signature from base64 to binary then it is DER?

Yes. Well, technically it could be BER as well, but the main point is
PEM is just a wrapper to transport binary via email safe text, and you
can unwrap it if you want. PEM also includes a header, so you know if
the object is a cert, a key, an encrypted message, etc, meta-data
which is not known if you just have the binary chunk.


>
> Thanks
> Chris
>
> On 2017-09-28 11:23, Wouter Verhelst wrote:
>>
>> On 28-09-17 01:19, ch wrote:
>>> If the pkcs-signature is binary encoded it is not working for verifying
>>> a SMIME-message in my experience with
>>> smime or cms-smime on the console. I tried to convert the binary ones to
>>> base64 but that does not do the trick every time.
>>
>> What you call "base64" is commonly known as "PEM" :-)
>>
>> You can get it to parse binary, but to do so you need to specify
>> "-inform der".
>>
>
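
Added example, not written by any poster in this thread: a Python sketch of the PEM/DER relationship described above. It tells PEM armor from raw BER/DER so the matching `-inform` value can be chosen, and shows that bare base64 without the BEGIN/END lines is neither. Function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# PEM armor: BEGIN line with a label, base64 body, matching END line.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def is_ber_sequence(blob):
    """True if blob is exactly one ASN.1 SEQUENCE (tag 0x30), BER or DER."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first == 0x80:                      # BER indefinite length, ends 00 00
        return blob.endswith(b"\x00\x00")
    if first < 0x80:                       # short form: one length byte
        header, length = 2, first
    else:                                  # long form: next n bytes are length
        n = first & 0x7F
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return header + length == len(blob)


def sniff(data):
    """Return (value for openssl -inform, PEM label or None, binary ASN.1)."""
    m = PEM_RE.search(data)
    if m:
        return "pem", m.group(1).decode(), base64.b64decode(m.group(2))
    if is_ber_sequence(data):
        return "der", None, data
    raise ValueError("neither PEM armor nor a binary ASN.1 SEQUENCE")


def to_pem(binary, label="PKCS7"):
    """Wrap binary in PEM armor using 64-character base64 lines."""
    b64 = base64.b64encode(binary)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    tag = label.encode()
    return (b"-----BEGIN " + tag + b"-----\n" + body
            + b"\n-----END " + tag + b"-----\n")


# Constructed sample: SEQUENCE { INTEGER 1 }, not a real PKCS#7 object.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = to_pem(SAMPLE_DER)
```
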


Re: [openssl-users] PKCS7 and RSA_verify

2017-09-28 Thread ch

Hi!

I thought the difference between PEM and DER is NOT ONLY a different 
encoding of the string?

base64 vs. binary

So to understand that clearly, please let me ask:
If I convert a PEM-signature from base64 to binary then it is DER?

Thanks
Chris

On 2017-09-28 11:23, Wouter Verhelst wrote:
> On 28-09-17 01:19, ch wrote:
>> If the pkcs-signature is binary encoded it is not working for verifying
>> a SMIME-message in my experience with
>> smime or cms-smime on the console. I tried to convert the binary ones to
>> base64 but that does not do the trick every time.
>
> What you call "base64" is commonly known as "PEM" :-)
>
> You can get it to parse binary, but to do so you need to specify
> "-inform der".





Re: [openssl-users] PKCS7 and RSA_verify

2017-09-28 Thread Wouter Verhelst
On 28-09-17 01:19, ch wrote:
> If the pkcs-signature is binary encoded it is not working for verifying
> a SMIME-message in my experience with
> smime or cms-smime on the console. I tried to convert the binary ones to
> base64 but that does not do the trick every time.

What you call "base64" is commonly known as "PEM" :-)

You can get it to parse binary, but to do so you need to specify
"-inform der".

-- 
Wouter Verhelst


Re: [openssl-users] PKCS7 and RSA_verify

2017-09-27 Thread ch

Hello!

Thanks for the support.

On 2017-09-28 01:06, Dr. Stephen Henson wrote:
> On Thu, Sep 28, 2017, ch wrote:
>> Hello!
>>
>> I am working on a tool for verifying SMIME-messages.
>> Because cms and smime are only able to verify base64 pkcs7-signatures
>> I try to do it "manually" and I now have a problem with the
>> signing-timestamp.
>
> I'm not sure what you mean by "only able to verify base64 pkcs7-signatures"
> it can handle PEM and DER forms too.

If the pkcs-signature is binary encoded it is not working for verifying
a SMIME-message in my experience with
smime or cms-smime on the console. I tried to convert the binary ones to
base64 but that does not do the trick every time.

>> Let's do an example:
>>
>> openssl smime -sign -md sha1  -in plain.txt  -inkey mykey -signer
>> mycert  -noattr  -outform der | openssl asn1parse -inform der
>>
>> If I put plain.txt and the 128 byte signature (from asn1parse out of
>> the pkcs7) into RSA_verify it works perfectly.
>> Every call would produce the same signature-hexdump.
>>
>> But if I remove the -noattr the signature-value will be different
>> every second and then RSA_verify is not working anymore.
>>
>> How can I handle this?
>
> When you don't use attributes the signature is performed over the
> content. If you use attributes then the signature is over the encoding of a
> bunch of attributes including a signing time and the digest of the content.
> Because the signing time changes the data being signed in the attributes
> changes too.

Would PKCS7_verify (or something else) handle that for me or do I need
to consider that different
content with RSA_verify?

> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Again, thanks for the support!
chris


Re: [openssl-users] PKCS7 and RSA_verify

2017-09-27 Thread Dr. Stephen Henson
On Thu, Sep 28, 2017, ch wrote:

> Hello!
> 
> I am working on a tool for verifying SMIME-messages.
> Because cms and smime are only able to verify base64 pkcs7-signatures
> I try to do it "manually" and I now have a problem with the
> signing-timestamp.
> 

I'm not sure what you mean by "only able to verify base64 pkcs7-signatures"
it can handle PEM and DER forms too.

> Let's do an example:
> 
> openssl smime -sign -md sha1  -in plain.txt  -inkey mykey -signer
> mycert  -noattr  -outform der | openssl asn1parse -inform der
> 
> If I put plain.txt and the 128 byte signature (from asn1parse out of
> the pkcs7) into RSA_verify it works perfectly.
> Every call would produce the same signature-hexdump.
> 
> But if I remove the -noattr the signature-value will be different
> every second and then RSA_verify is not working anymore.
> 
> How can I handle this?
> 

When you don't use attributes the signature is performed over the
content. If you use attributes then the signature is over the encoding of a
bunch of attributes including a signing time and the digest of the content.
Because the signing time changes the data being signed in the attributes
changes too.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
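
Added example, not part of the reply above and not OpenSSL's code: a Python sketch of which bytes end up under the signature in the two cases described. With attributes, the signed data is the DER encoding of the attribute set, re-tagged from the stored [0] tag (0xA0) to SET OF (0x31), so a changing signing time changes the digest even though the content digest inside stays the same. SHA-1 mirrors the thread's `-md sha1`; the three-attribute set, the timestamps and all helper names are constructed, and real `openssl smime -sign` output may carry more attributes.

```python
import hashlib

PKCS9 = bytes.fromhex("2a864886f70d0109")       # OID arc 1.2.840.113549.1.9
ID_DATA = bytes.fromhex("2a864886f70d010701")   # OID 1.2.840.113549.1.7.1


def tlv(tag, body):
    """DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def attribute(arc, value):
    """Attribute ::= SEQUENCE { OID under PKCS#9, SET OF value }."""
    return tlv(0x30, tlv(0x06, PKCS9 + bytes([arc])) + tlv(0x31, value))


def build_stored_attrs(content, utc_time):
    """Constructed [0]-tagged attribute field as it sits in SignerInfo."""
    attrs = [
        attribute(3, tlv(0x06, ID_DATA)),                         # contentType
        attribute(5, tlv(0x17, utc_time.encode())),               # signingTime
        attribute(4, tlv(0x04, hashlib.sha1(content).digest())),  # messageDigest
    ]
    return tlv(0xA0, b"".join(sorted(attrs)))   # DER orders SET OF elements


def to_be_signed(stored_attrs):
    """Bytes the signature covers: same field, tag 0xA0 replaced by SET (0x31)."""
    if stored_attrs[0] != 0xA0:
        raise ValueError("expected the [0]-tagged attribute field")
    return b"\x31" + stored_attrs[1:]


def content_digest_present(content, stored_attrs):
    """Crude check that messageDigest carries SHA-1 of the content."""
    return tlv(0x04, hashlib.sha1(content).digest()) in stored_attrs


def digest_to_verify(content, stored_attrs=None):
    """SHA-1 value that must match what the RSA signature recovers."""
    if stored_attrs is None:                    # -noattr: content is signed
        return hashlib.sha1(content).hexdigest()
    return hashlib.sha1(to_be_signed(stored_attrs)).hexdigest()
```

A manual check therefore has two steps when attributes are present: the signature against `digest_to_verify(content, stored_attrs)`, and the messageDigest attribute against the content. `PKCS7_verify` and `openssl smime -verify` perform both.
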


[openssl-users] PKCS7 and RSA_verify

2017-09-27 Thread ch

Hello!

I am working on a tool for verifying SMIME-messages.
Because cms and smime are only able to verify base64 pkcs7-signatures I
try to do it "manually" and I now have a problem with the signing-timestamp.


Let's do an example:

openssl smime -sign -md sha1 -in plain.txt -inkey mykey -signer mycert -noattr -outform der | openssl asn1parse -inform der


If I put plain.txt and the 128 byte signature (from asn1parse out of the 
pkcs7) into RSA_verify it works perfectly.

Every call would produce the same signature-hexdump.

But if I remove the -noattr the signature-value will be different every
second and then RSA_verify is not working anymore.


How can I handle this?

Thanks!

Chris