You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm struggling with creating a valid CMS signature when I try to use signed attributes. I tried to simplify my problem to rebuilding the cms-signed.der from the tests/fixtures directory.
What works:
I'm able to create the ASN.1 structure of ContentInfo, SignedData and SignerInfo. I'm using cryptography.hazmat... for signing my data = b'This is the message to encapsulate in PKCS#7/CMS\r\n' like this: signer_info['signature'] = key.sign(data, padding.PKCS1v15(), hashes.SHA256())
For validation I use "openssl cms -verify -in mytestdata.der -inform DER -CAfile myCA.crt" and get a "CMS Verification successful"
Instead of signing the data directly, I create and sign the signed_attrs like this:
The ASN.1 structure looks just like I expect it to and the md_value equals to the sha256 value of the data parameter. But I can't verify with openssl (Version 3.0.10):
CMS Verification failure
402789FF7C7F0000:error:02000068:rsa routines:ossl_rsa_verify:bad signature:../crypto/rsa/rsa_sign.c:430:
402789FF7C7F0000:error:1C880004:Provider routines:rsa_verify:RSA lib:../providers/implementations/signature/rsa_sig.c:774:
402789FF7C7F0000:error:1700009E:CMS routines:CMS_SignerInfo_verify:verification failure:../crypto/cms/cms_sd.c:899:
Many thanks for your help and asn1crypto
Michael
The text was updated successfully, but these errors were encountered:
Try replacing signer_info['signed_attrs'].dump() with signer_info['signed_attrs'].untag().dump() and see if that works. :)
You can also put the signed attrs in a variable, use that to compute the signature, and then assign it to signer_info.
(This often comes up because the signed attributes field has context-dependent tagging in SignerInfo, whereas the CMS spec requires the signature to be computed using universal tags)
Hi,
I'm struggling with creating a valid CMS signature when I try to use signed attributes. I tried to simplify my problem to rebuilding the cms-signed.der from the tests/fixtures directory.
What works:
I'm able to create the ASN.1 structure of ContentInfo, SignedData and SignerInfo. I'm using cryptography.hazmat... for signing my
data = b'This is the message to encapsulate in PKCS#7/CMS\r\n'
like this:signer_info['signature'] = key.sign(data, padding.PKCS1v15(), hashes.SHA256())
For validation I use "openssl cms -verify -in mytestdata.der -inform DER -CAfile myCA.crt" and get a "CMS Verification successful"
Instead of signing the data directly, I create and sign the signed_attrs like this:
The ASN.1 structure looks just like I expect it to and the md_value equals to the sha256 value of the data parameter. But I can't verify with openssl (Version 3.0.10):
CMS Verification failure
402789FF7C7F0000:error:02000068:rsa routines:ossl_rsa_verify:bad signature:../crypto/rsa/rsa_sign.c:430:
402789FF7C7F0000:error:1C880004:Provider routines:rsa_verify:RSA lib:../providers/implementations/signature/rsa_sig.c:774:
402789FF7C7F0000:error:1700009E:CMS routines:CMS_SignerInfo_verify:verification failure:../crypto/cms/cms_sd.c:899:
Many thanks for your help and asn1crypto
Michael
The text was updated successfully, but these errors were encountered: