0

I've signed a file like this, using LibreSSL 2.8.3 on macOS:

openssl smime -binary -sign -certfile WWDR.pem -signer passcertificate.pem \
              -inkey passkey.pem -in manifest.json -out signature \
              -outform DER -passin pass:12345

and now I want to just immediately verify that same file. I am trying the following command

openssl smime -binary -verify -certfile WWDR.pem -signer passcertificate.pem \
              -inkey passkey.pem -in manifest.json -content signature \
              -inform DER -passin pass:12345

but that fails with the below error. What's the proper syntax to verify the signature?

Error reading S/MIME message
4550921836:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:1144:
4550921836:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:317:Type=PKCS7

I'm basically doing this because I want to try and implement the signing in swift. I know the above sign command works properly, and so if I can figure out how to verify a file then I can properly test whether or not my Swift implementation works.

The WWDR.pem file comes from http://www.apple.com/certificateauthority, and is the Worldwide Developer Relations certificate.

To get the passcertificate.pem and passkey.pem files I went to the Apple Developer portal and generated the pass certificate, imported it into the mac Keychain Access, exported it to Certificates.p12, then ran these two commands:

 openssl pkcs12 -in Certificates.p12 -clcerts -nokeys \
                 -out passcertificate.pem -passin pass:
 openssl pkcs12 -in Certificates.p12 -nocerts -out passkey.pem \
                -passin pass: -passout pass:12345
Gargoyle
  • 9,590
  • 16
  • 80
  • 145
  • You've got it backwards. To verify a detached signature, `-in` is the _signature_ file (`-out` from `-sign`) and `-content` is the _data_ (`-in` from `-sign` or usually a copy). Also `-signer -certfile -inkey` are not used on verifying and are ignored; generally the verifier should not ever _have_ the signing privatekey. OTOH depending on the details of your certs you didn't tell us you may need to modify the truststore, either for one command by specifying `-CAfile` and/or `-CApath`, or externally/permanently. – dave_thompson_085 Dec 01 '19 at 10:35
  • Thanks, Dave. Which file do I point at for `-CAfile`? I still can't make it work. There's nothing in the truststore. These are all just files that exist locally in the directory which came from Apple's PassKit instructions. – Gargoyle Dec 01 '19 at 16:35
  • As I said it depends on the details of your certs -- what (who) each cert is for and by whom (and how) it was issued, which you didn't tell us. Where are you looking for the truststore? It varies depending on the build -- at least for OpenSSL and TTBOMK not changed in LibreSSL -- and you didn't tell us that either. – dave_thompson_085 Dec 02 '19 at 22:08
  • I added more details to the question about how I get the files. I'm not sure what you mean by the build...When I run `openssl version` it just says LibreSSL 2.8.3 – Gargoyle Dec 02 '19 at 22:21
  • (1) That Apple page has 3 'WWDR' intermediate certs, all in DER (not PEM) format; ignoring the expired one, the remaining two are for distinct entities (Subject names) and issued by (Issuer name) different roots which are both among the roots on that page. Assuming your WWDR.pem is the intermediate that matches your 'entity' (personal) cert, converted to PEM, then get the root from that page the WWDR.pem Issuer name matches, convert _it_ to PEM, and either use it for `-CAfile` on `-verify` or add it to the truststore; the former is probably easier. ... – dave_thompson_085 Dec 04 '19 at 04:41
  • (2) open-source or otherwise portable software generally is configured, compiled, and linked for each type of platform it runs on, and occasionally for more specific or unusual environments; this is generically called building and is often combined with or subsumed into packaging. OpenSSL in particular, unless Libre changed this after forking, has a build-time configuration for a directory that contains its (runtime) default config and truststore; you should be able to see the directory with `openssl version -d` and the truststore is the file cert.pem and/or subdir certs in that dir, ... – dave_thompson_085 Dec 04 '19 at 04:46
  • ... unless overridden by environment variables or code, and most commandline functions including `smime` have such code that is invoked by the commandline options `-CAfile -CApath` and sometimes others. – dave_thompson_085 Dec 04 '19 at 04:49

0 Answers0