How to verify a SignedData (CMS, RFC3369) object?

I have a SignedData object (RFC3369 - Cryptographic Message Syntax, CMS) and want to verify that the digital signature is valid.

This is the structure of the SignedData:

SignedData
-version
-digestAlgorithms
--algorithms
--parameters
-encapContentInfo
--eContentType
--eContent <--- message used for the signing
-certificates <--- certificate that has the public key
-crls
-signerInfos
--signerInfo
---version
---sid
---digestAlgorithm
---signedAttrs
---signatureAlgorithm
---signature <--- signature to verify
---unsignedAttrs

The PKI schema it would use is PKCS #1 V1.5 (RSA 1024 with SHA-1).

Is there an application that will do the verification of a SignedData signature?
How would I do this in Crypto++?
Any other libraries that would do this? Samples?

Thank you.
Christian

openssl smime --help

JLC

greatx <x@greatx.net> wrote:
> Hi,
> I have a SignedData object (RFC3369 - Cryptographic Message Syntax,
> CMS) and want to verify that the digital signature is valid.
> This is the structure of the SignedData:
> SignedData
> -version
> -digestAlgorithms
> --algorithms
> --parameters
> -encapContentInfo
> --eContentType
> --eContent <--- message used for the signing
> -certificates <--- certificate that has the public key
> -crls
> -signerInfos
> --signerInfo
> ---version
> ---sid
> ---digestAlgorithm
> ---signedAttrs
> ---signatureAlgorithm
> ---signature <--- signature to verify
> ---unsignedAttrs
> The PKI schema it would use is PKCS #1 V1.5 (RSA 1024 with SHA-1).
> Is there an application that will do the verification of a SignedData
> signature?
> How would I do this in Crypto++?
> Any other libraries that would do this? Samples?
> Thank you.
> Christian

Will the smime option work even if it is not an e-mail?
This is the error I got:

C:\OpenSSL\bin>openssl smime -in sample.bin -verify
Error reading S/MIME message
2092:error:2107A087:PKCS7 routines:SMIME_read_PKCS7:no content type:.\crypto\pkcs7\pk7_mime.c:296:

Hello!
You wrote on 11 Jul 2005 09:20:56 -0700:

g> Any other libraries that would do this? Samples?

You can use PKIBlackbox ( http://www.eldos.com/sbb/desc-pki.php ) and its TElMessageVerifier class.

With best regards,
Eugene Mayevski

Using PKIBlackbox sample, I passed the SignedData file I need to verify and it came back with error 8198 (0x2006): The message passed to Decrypt/Verify routine is not valid PKCS7 message.

What can I do now?

Hello!
You wrote on 11 Jul 2005 12:18:11 -0700:

g> Using PKIBlackbox sample, I passed the SignedData file I need to verify
g> and it came back with error 8198 (0x2006): The message passed to
g> Decrypt/Verify routine is not valid PKCS7 message.

Please consider using newsgroups to post your questions about SecureBlackbox.

NNTP: news://news.eldos.com/eldos.public.secureblackbox
WWW: http://www.eldos.com/myNewsGroups/

With best regards,
Eugene Mayevski

CAPICOM exposes useful CryptoAPI capability to verify SignedData:
http://www.jensign.com/JavaScience/verify

Of course, capi provides functions to do that .. at various levels.

- Mitch Gallant

"greatx" <x@greatx.net> wrote in message news:1121098856.930707.138230@z14g2000cwz.googlegroups.com...
> Hi,
>
> I have a SignedData object (RFC3369 - Cryptographic Message Syntax,
> CMS) and want to verify that the digital signature is valid.
>
> This is the structure of the SignedData:
>
> SignedData
> -version
> -digestAlgorithms
> --algorithms
> --parameters
> -encapContentInfo
> --eContentType
> --eContent <--- message used for the signing
> -certificates <--- certificate that has the public key
> -crls
> -signerInfos
> --signerInfo
> ---version
> ---sid
> ---digestAlgorithm
> ---signedAttrs
> ---signatureAlgorithm
> ---signature <--- signature to verify
> ---unsignedAttrs
>
> The PKI schema it would use is PKCS #1 V1.5 (RSA 1024 with SHA-1).
>
> Is there an application that will do the verification of a SignedData
> signature?
> How would I do this in Crypto++?
> Any other libraries that would do this? Samples?
>
> Thank you.
> Christian
>

I tried all the options recommended so far.
I found that the binary file I was using that has the SignedData had an extra header, so stripped it out.

After running the tools with the good SignedData this is what I get:

For http://www.jensign.com/JavaScience/verify/VerifyAll.vbs:
Error: 800B010A An internal certificate chaining error has occurred.

For PKIBlackbox:
8200 (0x2008): ElMessageDecryptor/ElMessageVerifier: The incoming message contains data encrypted using unsupported algorithm

For OpenSSL:
C:\OpenSSL\bin>openssl smime -verify -in sample.bin -inform DER
Verification failure
464:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:.\crypto\pkcs7\pk7_smime.c:231:Verify error:unable to get local issuer certificate

What can be still wrong??

I changed the vbs sample so that the last parameter from Verify() is 0 - CAPICOM_VERIFY_SIGNATURE_ONLY

SignedData.Verify Message, False, 0

And now it verifies the Signature!!!

I now have a file (authority.cer) that is the certificate authority that signed the certificate that was included inside the SignedData.

How can I use the CAPICOM to take this certificate as an input and verify the certificate inside the SignedData?

Thanks!!!!

You are interested in verifying the certificate issuer itself (i.e. the issuer's signature on the signer's certificate). See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptverifycertificatesignature.asp

- Mitch

"greatx" <x@greatx.net> wrote in message news:1121122811.307210.265300@g43g2000cwa.googlegroups.com...
> I changed the vbs sample so that the last parameter from Verify() is 0 - CAPICOM_VERIFY_SIGNATURE_ONLY
>
> SignedData.Verify Message, False, 0
>
> And now it verifies the Signature!!!
>
> I now have a file (authority.cer) that is the certificate authority that signed the certificate that was included inside the SignedData.
>
> How can I use the CAPICOM to take this certificate as an input and verify the certificate inside the SignedData?
>
> Thanks!!!!
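
Added example, not part of the original thread or any poster's code: the three verification outcomes discussed above (signature only, full verification without the issuer, full verification with the issuing CA), reproduced with the OpenSSL command line on a constructed CA, signer and DER SignedData file. The subjects, the file names other than sample.bin and authority.cer, and the use of RSA 2048 with OpenSSL's default digest instead of the thread's RSA 1024 with SHA-1 are assumptions; authority.cer is assumed to be DER-encoded.

```shell
#!/bin/sh
# Constructed fixture: throwaway CA, signer and message; all names are made up.
WORK=$(mktemp -d)

make_fixture() (
    cd "$WORK" || exit 1
    # Self-signed CA, also exported as DER to stand in for authority.cer.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    openssl x509 -in ca.pem -outform DER -out authority.cer || exit 1
    # Signer key and certificate issued by that CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Signer" \
        -keyout signer.key -out signer.csr 2>/dev/null || exit 1
    openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -out signer.pem 2>/dev/null || exit 1
    # DER SignedData with embedded content (eContent) and the signer certificate.
    printf 'constructed test message\n' > msg.txt
    openssl smime -sign -in msg.txt -signer signer.pem -inkey signer.key \
        -nodetach -outform DER -out sample.bin 2>/dev/null
)

# Signature only: -noverify skips the signer's certificate chain, comparable
# to passing CAPICOM_VERIFY_SIGNATURE_ONLY in the thread.
verify_signature_only() (
    cd "$WORK" && openssl smime -verify -in sample.bin -inform DER \
        -noverify -out /dev/null 2>/dev/null
)

# Full verification with no anchor for the issuer: fails because the issuer
# cannot be found (the thread's "unable to get local issuer certificate").
verify_without_anchor() (
    cd "$WORK" && openssl smime -verify -in sample.bin -inform DER \
        -out /dev/null 2>/dev/null
)

# Full verification against the issuing CA. -CAfile expects PEM, so the DER
# authority.cer is converted first.
verify_with_authority() (
    cd "$WORK" || exit 1
    openssl x509 -inform DER -in authority.cer -out authority.pem || exit 1
    openssl smime -verify -in sample.bin -inform DER \
        -CAfile authority.pem -out /dev/null 2>/dev/null
)

make_fixture || { echo "fixture failed" >&2; exit 1; }
verify_signature_only && echo "signature only: valid"
verify_without_anchor || echo "no trust anchor: chain verification fails"
verify_with_authority && echo "with authority.cer: valid"
```

A signature-only result says the content matches the embedded certificate's key; only the run with the CA supplied ties that certificate to a trusted issuer.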