Different S/MIME signature between OpenSSL and C#

Question

I'm trying to use an OpenSSL code in my .Net program. Here's the code:

openssl pkcs12 -in "My PassKit Cert.p12" -clcerts -nokeys -out certificate.pem
openssl pkcs12 -in "My PassKit Cert.p12" -nocerts -out key.pem
smime -binary -sign -signer certificate.pem -inkey key.pem -in manifest.json -out signature -outform DER

I tried to use .Net OpenSSL, but I absolutely have no idea how to use it, and I couldn't find a good documentation for it. I decided to use .Net to perform the same sign process, here's the code:

var dataToSign = System.IO.File.ReadAllBytes(filePathToSign);
ContentInfo contentInfo = new ContentInfo(dataToSign);

X509Certificate2 signerCert = new X509Certificate2(System.IO.File.ReadAllBytes(signerPfxCertPath), signerPfxCertPassword);

var signedCms = new SignedCms(contentInfo, true);
var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signerCert);

signer.IncludeOption = X509IncludeOption.EndCertOnly;
signedCms.ComputeSignature(signer);

var myCmsMessage = signedCms.Encode();

var buf = Encoding.Convert(Encoding.UTF7, Encoding.UTF8, myCmsMessage);

return Encoding.UTF8.GetString(buf, 0, buf.Length);

But the results between C# and OpenSSL are not the same. Can someone please help me out?

Thanks in advance!

I'm having the same issue. I can work out the manifest calculations easily but this bit isn't working for me either. I suspect you need to sign with the full certificate, not just the bit you get back, but I'm not sure (yet) — Nic Wise, Jul 26 '12 at 13:25

score 4 · Accepted Answer · answered Jul 26 '12 at 14:47

I got this working in the end!

First, you must go here, and install the apple ROOT cert:

http://www.apple.com/certificateauthority/

(it's the first one). Install it into your trusted root authority. A Mac already has this.

Second, install the developer cert as a trusted root authority, which is in the developer portal, where you go to add devices, make passkit keys, all that

https://developer.apple.com/ios/manage/certificates/team/index.action

(you need a login for that)

then you need to generate your passkit key in the dev portal, download it, install it on your mac, then export it WITH the private key as a .p12 file.

you can then move this file to the windows machine and use it. I used this code, after generating the manifest:

var cert = new X509Certificate2(@"path-to-your.p12", "password");

var buffer = File.ReadAllBytes(Path.Combine(basePath, "manifest.json"));

ContentInfo cont = new ContentInfo(buffer);
var cms = new SignedCms(cont, true);
var signer = new CmsSigner(SubjectIdentifierType.SubjectKeyIdentifier, cert);

signer.IncludeOption = X509IncludeOption.ExcludeRoot;

cms.ComputeSignature(signer);

var myCmsMessage = cms.Encode();


File.WriteAllBytes(Path.Combine(basePath, "signature"), myCmsMessage);

Sorry, this is rather messy code, but it works :)

Don't forget to set

"passTypeIdentifier" : "pass.com.yourcompany.NameOfYourPass", "teamIdentifier" : "YOUR TEAM ID",

in the pass.json!

I also had to install the World Wide developer relations certificate, in order to get the passkit chain properly to the root — Nathan, Aug 02 '12 at 13:16
do you have any idea on how we can include this WWDR Intermediate cert ? — Arian Sharifian, Sep 13 '12 at 04:24
Yes I had to add the WWDR cert as well before it worked but otherwise all good. — Jeff - Software Results, Dec 02 '13 at 01:22

Different S/MIME signature between OpenSSL and C#

1 Answers1

Linked