So I created a PKCS7 signed message and am trying to validate it with OpenSSL with the following command:
openssl cms -in demo.p7m -inform DER -verify
Doing so returns me the following error:
140653850015376:error 2E09D08A:CMS routines:CMS_verify:signer certificate not found:cms_smime.c:353:
I don't understand this error. Here's the output of openssl asn1parse -in demo.p7m -i -inform DER:
Here's the base64 encoded PKCS7:
The X509 cert is as follows:
The cert parses just fine with openssl x509 -in cert.txt -text -noout.
The cert is a self-signed cert. The issuer DN is as follows:
92:d=6 hl=2 l= 57 cons: SEQUENCE
94:d=7 hl=2 l= 28 cons: SET
96:d=8 hl=2 l= 26 cons: SEQUENCE
98:d=9 hl=2 l= 3 prim: OBJECT :organizationName
103:d=9 hl=2 l= 19 prim: UTF8STRING :phpseclib demo cert
124:d=7 hl=2 l= 25 cons: SET
126:d=8 hl=2 l= 23 cons: SEQUENCE
128:d=9 hl=2 l= 3 prim: OBJECT :commonName
133:d=9 hl=2 l= 16 prim: UTF8STRING :www.whatever.com
That matches the issuer DN in the SignerInfo:
782:d=14 hl=2 l= 57 cons: SEQUENCE
784:d=15 hl=2 l= 28 cons: SET
786:d=16 hl=2 l= 26 cons: SEQUENCE
788:d=17 hl=2 l= 3 prim: OBJECT :organizationName
793:d=17 hl=2 l= 19 prim: UTF8STRING :phpseclib demo cert
814:d=15 hl=2 l= 25 cons: SET
816:d=16 hl=2 l= 23 cons: SEQUENCE
818:d=17 hl=2 l= 3 prim: OBJECT :commonName
823:d=17 hl=2 l= 16 prim: UTF8STRING :www.whatever.com
Here's the serial number of the SignerInfo:
841:d=12 hl=2 l= 1 prim: INTEGER :00
This matches the serial number of the X509 cert:
77:d=6 hl=2 l= 0 prim: INTEGER :00
So why isn't it finding the signing cert?
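The comparison in the question looks at printed values only. As an added example (not code from any of the posts), this Python script parses the asn1parse lines quoted above and also compares the encoded content length of each node; the helper names are made up for illustration.

```python
import re

# Fields of one asn1parse line: offset, depth, header length, content
# length, cons/prim, tag name, optional printed value.
LINE = re.compile(r"\s*(\d+):d=\s*(\d+)\s+hl=\s*(\d+)\s+l=\s*(\d+)"
                  r"\s+(cons|prim):\s+(.+?)\s*(?::(.*))?$")

# asn1parse lines copied from the question (certificate, then SignerInfo).
CERT_ISSUER = """
92:d=6 hl=2 l= 57 cons: SEQUENCE
94:d=7 hl=2 l= 28 cons: SET
96:d=8 hl=2 l= 26 cons: SEQUENCE
98:d=9 hl=2 l= 3 prim: OBJECT :organizationName
103:d=9 hl=2 l= 19 prim: UTF8STRING :phpseclib demo cert
124:d=7 hl=2 l= 25 cons: SET
126:d=8 hl=2 l= 23 cons: SEQUENCE
128:d=9 hl=2 l= 3 prim: OBJECT :commonName
133:d=9 hl=2 l= 16 prim: UTF8STRING :www.whatever.com
"""
SIGNER_ISSUER = """
782:d=14 hl=2 l= 57 cons: SEQUENCE
784:d=15 hl=2 l= 28 cons: SET
786:d=16 hl=2 l= 26 cons: SEQUENCE
788:d=17 hl=2 l= 3 prim: OBJECT :organizationName
793:d=17 hl=2 l= 19 prim: UTF8STRING :phpseclib demo cert
814:d=15 hl=2 l= 25 cons: SET
816:d=16 hl=2 l= 23 cons: SEQUENCE
818:d=17 hl=2 l= 3 prim: OBJECT :commonName
823:d=17 hl=2 l= 16 prim: UTF8STRING :www.whatever.com
"""
CERT_SERIAL = "77:d=6 hl=2 l= 0 prim: INTEGER :00"
SIGNER_SERIAL = "841:d=12 hl=2 l= 1 prim: INTEGER :00"

def parse(dump):
    """Return (relative depth, tag, content length, value) for each node."""
    rows = [LINE.match(line).groups() for line in dump.strip().splitlines()]
    base = int(rows[0][1])  # depth of the first node, so nesting is comparable
    return [(int(d) - base, tag, int(n), val) for _, d, _, n, _, tag, val in rows]

def differences(a, b):
    """Pairs of nodes that differ in tag, encoded length or printed value."""
    pa, pb = parse(a), parse(b)
    assert len(pa) == len(pb), "dumps have different node counts"
    return [(x, y) for x, y in zip(pa, pb) if x != y]

if __name__ == "__main__":
    print("issuer differences:", differences(CERT_ISSUER, SIGNER_ISSUER))
    # X.690 requires an INTEGER to have at least one content octet.
    print("serial differences:", differences(CERT_SERIAL, SIGNER_SERIAL))
```

On the question's lines the issuer DNs come back identical, while the two serial numbers differ in content length (0 in the certificate, 1 in the SignerInfo) even though both print as 00.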
I generated my own self-signed cert to test this, but I didn't get the same error. Comparing the ASN.1 structures of my working PKCS#7 object and your non-working one, the differences I saw were:
id-aa-signingCertificateV2 attribute, which mine did not.
signingTime and S/MIME Capabilities attributes, which yours did not.
My best guess is the expired cert was disregarded when looking for signer certificates, leading to the error.
What don't you understand in the "can not find signer certificate" message? Your signed message does not contain a certificate.
Or, perhaps, you don't understand what the "cms -verify" command does. It does not verify the message integrity; it verifies the authenticity, and for that, it needs a certificate.