Hello there,

I have a signature signed using FireFox browser and want to verify the signature using OpenSSL. The signature seems to be in PEM format (i.e. base64 encoded). I can see the certificates that were used in the signature using:

openssl pkcs7 -print_certs -noout -in signature.pk7

But if I try and verify the signature using (as described in the OpenSSL command line manual):

openssl smime -verify -inform PEM -in signature.pk7 -signer signer_pub.key -certfile certs.pem -content content

I get the message:

Verification failure
1319:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:222:Verify error:unable to get local issuer certificate

I am sure I am nearly there, can anyone help me please ?

Chris...
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]
On 2005.05.24 at 11:14:08 +0100, Chris Covell wrote:
> But if I try and verify the signature using (as described in the
> OpenSSL command line manual):
>
> openssl smime -verify -inform PEM -in signature.pk7 -signer
> signer_pub.key -certfile certs.pem -content content
>
> I get the message:
>
> Verification failure
> 1319:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
> error:pk7_smime.c:222:Verify error:unable to get local issuer
> certificate
>
> I am sure I am nearly there, can anyone help me please ?

It asks for the local (i.e. trusted) certificate of the security authority who issued (i.e. signed) the signer's certificate.

Either provide the path to the place where your trusted certificates are stored using the -CAfile or -CAdir argument, or specify -noverify to prevent it from verifying the certificate chain.

OpenSSL understands two forms of CA certificate storage:

1. CAfile - a file where PEM-formatted certificates are just concatenated
2. CAdir - a directory where there are individual PEM certificate files whose names are hashes obtained by the openssl x509 -hash command.
Victor, many thanks, I have got a bit further !
> > I am sure I am nearly there, can anyone help me please ?
>
> It asks for local (i.e. trusted) certificate of security authority,
> who've issued (i.e. signed) signer's certificate.
>
> Either provide path to the place where your trusted certificates are
> stored using -CAfile or -CAdir argument, or specify -noverify to prevent
> it from verifying certificate chain.

I am now using this command:

$ openssl smime -verify -inform PEM -in signature.pk7 -CAfile development_cm.pem -content content.txt

And I get this output:

content
Verification failure
2788:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:804:
2788:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:265:

It looks like it is all working, just that it is failing verification. But the content is so simple that I can't believe that is the problem ! Is the problem CR/LF ? I am signing using FireFox on Windows but using OpenSSL on Linux to verify.

Any ideas ?

Chris...
On 2005.05.24 at 14:33:29 +0100, Chris Covell wrote:
> I am now using this command:
>
> $ openssl smime -verify -inform PEM -in signature.pk7 -CAfile
> development_cm.pem -content content.txt
>
> And I get this output:
>
> content
> Verification failure
> 2788:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest
> failure:pk7_doit.c:804:
> 2788:error:21075069:PKCS7 routines:PKCS7_verify:signature
> failure:pk7_smime.c:265:
>
> It looks like it is all working, just that it is failing verification.
> But the content is so simple, that i can't believe that is the problem
> ! Is the problem CR/LF ? I am signing using FireFox on Windows to sign
> but using OpenSSL on Linux to verify.
>

Yes, CR/LF can be a problem. Many MTAs feel free to convert eol from CR/LF to LF and vice versa.

Try to play with the -text and -crlfeol options of openssl smime.

For us there were more problems with generation of S/MIME messages which pass all the mail servers on the way to the recipient.

Another problem may be with Content-Transfer-Encoding. Typically S/MIME computes the digest of the message after applying content-encoding (such as Quoted-Printable or Base64) and including some mail headers. If you receive such a message it is better to verify it as an SMIME format message, passing it to openssl with all mail headers. If you've extracted the content you might forget to extract those headers which were included in the digest computation.
Victor,
> > $ openssl smime -verify -inform PEM -in signature.pk7 -CAfile
> > development_cm.pem -content content.txt

> Yes, CR/LF can be a problem. Many MTA feel free to convert eol from
> CR/LF to LF and vice versa.

Yeah, but I am not using an MTA, I am signing the data in FireFox browser and storing the resultant base64 encoded data in a database.

> Try to play with -text and -crlfeol options of openssl smime.

Does not seem to make any difference.

> For us there was more problems with generation of S/MIME messages which pass
> all the mail servers on the way to recipient.

Yeah, I have seen that too.

I can't believe other people have not seen this problem before, i.e. signing on the client browser and verifying on the server using OpenSSL !

Chris...
On Wed, May 25, 2005, Chris Covell wrote:
> Victor,
>
> > > $ openssl smime -verify -inform PEM -in signature.pk7 -CAfile
> > > development_cm.pem -content content.txt
>
> > Yes, CR/LF can be a problem. Many MTA feel free to convert eol from
> > CR/LF to LF and vice versa.
>
> Yeah, but I am not using an MTA, I am signing the data in FireFox
> browser and storing the resultant base64 encoded data in a database.
>
> > Try to play with -text and -crlfeol options of openssl smime.
>
> Does not seem to make any difference.
>
> > For us there was more problems with generation of S/MIME messages which pass
> > all the mail servers on the way to recipient.
>
> Yeah, I have seen that too.
>
> I can't believe other people have not seen this problem before, i.e.
> signing on the client browser and verifying on the server using
> OpenSSL !
>

Have you tried the -binary option too?

I had no problems verifying signatures from the old signText function.

If you look at the PKCS#7 structure using:

openssl asn1parse -in p7.pem

and look for a line with 'messageDigest' and an OCTET STRING following it, that will give you the message digest value the content should be.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
In reply to this post by Chris Covell
Are you exchanging messages between a windows client and a linux server? If so, have you considered the difference in linebreaks? UNIX and WINDOWS interpret the "enter to the next line" ascii code in a different way. You might want to replace the "/\r\n|\r|\n/" sequence (in regex) with "\r\n".

cheers
Meint

----- Original Message -----
From: "Chris Covell" <[hidden email]>
To: <[hidden email]>
Sent: Wednesday, May 25, 2005 3:14 PM
Subject: Re: Using OpenSSL to verify a FireFox signed form

> Victor,
>
>> > $ openssl smime -verify -inform PEM -in signature.pk7 -CAfile
>> > development_cm.pem -content content.txt
>
>> Yes, CR/LF can be a problem. Many MTA feel free to convert eol from
>> CR/LF to LF and vice versa.
>
> Yeah, but I am not using an MTA, I am signing the data in FireFox
> browser and storing the resultant base64 encoded data in a database.
>
>> Try to play with -text and -crlfeol options of openssl smime.
>
> Does not seem to make any difference.
>
>> For us there was more problems with generation of S/MIME messages which
>> pass
>> all the mail servers on the way to recipient.
>
> Yeah, I have seen that too.
>
> I can't believe other people have not seen this problem before, i.e.
> signing on the client browser and verifying on the server using
> OpenSSL !
>
> Chris...
In reply to this post by Dr. Stephen Henson
Hello there, thanks for taking the time to help !
> Have you tried the -binary option too?

Yes I have tried using binary... to no avail !

I have now gone back to basics and written a short web page that just asks for a signature and then writes the signature (with -----BEGIN PKCS7----- header and footer) to a file. The content of the signature is very simple with no CR/LF. I use FireFox on a Linux box to sign the form.

I then try to verify the signature using:

openssl smime -verify -binary -inform PEM -in /tmp/sig95552 -CAfile development_cm.pem -content test_content.txt

and get the result:

[chris@internal sbs]$ openssl smime -verify -binary -inform PEM -in /tmp/sig95552 -CAfile development_cm.pem -content test_content.txt
sign test
Verification failure
20036:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:804:
20036:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:265:

> I had no problems verifying signatures from the old signText function.

Did you use the same openssl command as above ?

> If you look at the PKCS#7 structure using:
>
> openssl asn1parse -in p7.pem

OK...

> and look for a line with 'messageDigest' and an OCTET STRING following it that
> will give you the message digest value the content should be.

[chris@internal sbs]$ openssl asn1parse -in /tmp/sig95552
---snip---
 2916:d=7  hl=2 l=   9 prim: OBJECT            :signingTime
 2927:d=7  hl=2 l=  15 cons: SET
 2929:d=8  hl=2 l=  13 prim: UTCTIME           :050526085914Z
 2944:d=6  hl=2 l=  35 cons: SEQUENCE
 2946:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest
 2957:d=7  hl=2 l=  22 cons: SET
 2959:d=8  hl=2 l=  20 prim: OCTET STRING
 2981:d=5  hl=2 l=  13 cons: SEQUENCE
 2983:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
 2994:d=6  hl=2 l=   0 prim: NULL
 2996:d=5  hl=3 l= 128 prim: OCTET STRING

These are the last few lines. I can see the messageDigest line, how would I interpret the OCTET STRING ?

I am sure I am missing something here, I am sure this should be simple !

Thanks again for your help.

Chris...
OK, I have sorted this out ! Thanks to those who have taken the time to look at my problem.

The issue in the end was that vi was putting a "\n" at the end of my content file.

[chris@internal sbs]$ cat test_content.txt
sign test
[chris@internal sbs]$ hexdump -c test_content.txt
0000000   s   i   g   n       t   e   s   t  \n
000000a

So if I made sure that the content that was signed also had a "\n" character it verified fine.

[chris@internal sbs]$ openssl smime -verify -inform PEM -in /tmp/sig151839 -CAfile development_cm.pem -content test_content.txt
sign test
Verification successful

Many thanks

Chris...
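An added example, not code from the thread or from OpenSSL, that does in Python what Steve's asn1parse tip and Chris's hexdump did by hand: it pulls the messageDigest OCTET STRING out of the signed attributes and checks it against the SHA-1 of the content with and without a trailing newline, so a digest failure can be traced to the exact bytes that were signed. The DER sample is constructed inline to mirror the asn1parse output above, and the names `der`, `read_tlv`, `find_message_digest`, `content_digest` and `matching_variant` are this example's own.

```python
import hashlib

MESSAGE_DIGEST_OID = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
SIGNING_TIME_OID = bytes.fromhex("2a864886f70d010905")    # 1.2.840.113549.1.9.5

def der(tag, payload):
    """Minimal DER TLV encoder (short and long definite lengths), used to build the sample."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf, pos):
    """Decode one definite-length TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def find_message_digest(buf):
    """Depth-first walk: return the OCTET STRING in the SET after the messageDigest OID."""
    pos = 0
    while pos < len(buf):
        tag, value, nxt = read_tlv(buf, pos)
        if tag == 0x06 and value == MESSAGE_DIGEST_OID:
            _, set_value, _ = read_tlv(buf, nxt)  # SET { OCTET STRING }
            return read_tlv(set_value, 0)[1]
        if tag & 0x20:                             # constructed type: descend into it
            found = find_message_digest(value)
            if found is not None:
                return found
        pos = nxt
    return None

def content_digest(data):
    """SHA-1: the OCTET STRING in the thread is 20 bytes long, so that is the digest in use."""
    return hashlib.sha1(data).digest()

def matching_variant(buf, content):
    """Which line-ending variant of content the signature actually covers, or None."""
    digest = find_message_digest(buf)
    variants = {"bare": content, "lf": content + b"\n", "crlf": content + b"\r\n"}
    return next((n for n, d in variants.items() if content_digest(d) == digest), None)

# Constructed sample, not a real signature: the signed-attribute SET as asn1parse showed it,
# with the messageDigest computed over "sign test\n" (the content vi actually wrote).
SAMPLE_ATTRS = der(0x31,
    der(0x30, der(0x06, SIGNING_TIME_OID) + der(0x31, der(0x17, b"050526085914Z")))
    + der(0x30, der(0x06, MESSAGE_DIGEST_OID) + der(0x31, der(0x04, content_digest(b"sign test\n")))))
```

To run it against a real signature, base64-decode the body between the -----BEGIN PKCS7----- lines and pass those bytes to find_message_digest; the walker handles definite-length DER only.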
I just successfully compiled the library for ARM using the evc4.0 compiler. Here is what I had to do:

1. In C:\Program Files\Microsoft eMbedded C++ 4.0\EVC\wce420\bin I had to change WCEARMV4.BAT so that

   set TARGETCPU=ARM

   instead of ARMV4

2. The compiler reported an internal error in openssl-0.9.7d\crypto\rc2\rc2_skey.c. I had to add this line:

   ;ki = &c;

   before

   ki= &(key->data[63]);

   It doesn't make sense, but the compiler was crashing in ki= &(key->data[63]);

3. rand\rand_win.c

   #if defined(OPENSSL_SYS_WINCE) && (WCEPLATFORM!=MS_HPC_PRO) - error

   was changed to

   #if defined(OPENSSL_SYS_WINCE)
   #if defined(WCEPLATFORM) && defined(MS_HPC_PRO)
   #if (WCEPLATFORM!=MS_HPC_PRO)

   with corresponding endifs

4. apps/apps.c had the following code at 3 places:

   if (stat(dbfile,&sb) < 0)
       {
       if (errno != ENOENT
   #ifdef ENOTDIR
           && errno != ENOTDIR)
   #endif
           goto err;
       }

   so if ENOTDIR was not defined the ) was missing, so it was changed to:

   if (stat(dbfile,&sb) < 0)
       {
       if (errno != ENOENT
   #ifdef ENOTDIR
           && errno != ENOTDIR
   #endif
           ) // PARENTHESIS is outside ifdef
           goto err;
       }

regards
Milan