[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: OpenSSL S/MIME validation against draft-ietf-smime-examples?



Mats,

We used the S/MIME Freeware Library to successfully verify the 5.1 and 5.9
samples.  We have not tried to use OpenSSL's S/MIME implementation to verify
any of the samples.

===========================================
John Pawling, John.Pawling@xxxxxxxxxxxxxxxx
Getronics Government Solutions, LLC
===========================================


-----Original Message-----
From: Mats Nilsson [mailto:mats.nilsson@xxxxxxxx]
Sent: Thursday, March 22, 2001 10:29 AM
To: openssl-dev@xxxxxxxxxxx; ietf-smime-examples@xxxxxxx
Subject: OpenSSL S/MIME validation against draft-ietf-smime-examples?


Hi

[openssl-0.9.6, WinNT4sp6]

I tried to verify OpenSSL's S/MIME implementation using the sample messages
in
http://www.ietf.org/internet-drafts/draft-ietf-smime-examples-06.txt

First I ran into problems with their base64 encoding, which was rejected by 
OpenSSL due to long lines. To make OpenSSL decode these files, I 
reformatted the contents to fit into the 80 character/line restriction.

Then I tried the tests 5.1 and 5.9 (Basic DH-DSS signed contents, CMS and 
S/MIME formatted).

No matter what I tried (different certificates, different options) I 
couldn't make OpenSSL verify the document signature. The certificate chain 
verification works, though. I tried something like the following (after 
having converted the supplied certificates to pem):

$ openssl smime -verify -certfiles AliceDss.pem -CAfile CarlDssSelf.pem -in 
5.9.eml
This is some sample content.Verification Failure
386:error:0A071003::lib(10) :DSA_do_verify:BN
lib:.\crypto\dsa\dsa_ossl.c:288:
386:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature 
failure:.\cryp
to\pkcs7\pk7_doit.c:815:
386:error:21075069:PKCS7 routines:PKCS7_verify:signature 
failure:.\crypto\pkcs7\
pk7_smime.c:248:


A side comment, I tried the first basic validation test of the NIST X.509 
Path Validation suite (http://csrc.nist.gov/pki/testing/x509paths.html), 
which works. That one uses RSA.


Has anyone successfully verified the OpenSSL S/MIME implementation with 
these samples?
Are the samples incorrect? Am I using OpenSSL incorrectly?

Regards,
Mats Nilsson