Error Validating Cms Signature

openssl cms -verify doesn't work with external certificate

The issue I'm investigating is part of a larger context, and it turns out the problem I encountered in this specific test case is rather silly: I was using the wrong parameter to indicate the signing cert. One shouldn't use -signer to indicate the signing certificate when verifying, but -certfile:

$ openssl cms -verify -CAfile ca-crt.pem -inform der -certfile server-crt.pem -in sample.cms-der -nointern
Verification successful

And it works with SMIME as well:

$ openssl smime -verify -CAfile ca-crt.pem -inform der -certfile server-crt.pem -in sample.cms-der -nointern
Verification successful

I would typically delete the question altogether, but maybe somebody will find this useful in the future.
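The workflow from this answer end to end, as an added example that is not part of the original post: it builds a throwaway CA and signer certificate (all file names, the subject names and the working directory are constructed here), signs a message as DER CMS with the signer cert deliberately left out, and verifies it with -certfile and -nointern. It also shows that in verify mode -signer is an output file, which is why passing the signing cert through it does not work. It assumes an OpenSSL 1.1.1 or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example: throwaway CA + signer cert, DER CMS signed without the
# signer cert embedded, verified with the cert supplied via -certfile.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config: a DN section plus CA extensions for the self-signed root.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
  -keyout ca-key.pem -out ca-crt.pem 2>/dev/null
openssl req -new -config ca.cnf -subj "/CN=server" -newkey rsa:2048 -nodes \
  -keyout server-key.pem -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca-crt.pem -CAkey ca-key.pem \
  -CAcreateserial -days 1 -out server-crt.pem 2>/dev/null

printf 'hello cms\n' > msg.txt
# -nocerts: do not embed the signer cert, so the verifier must get it out of band.
openssl cms -sign -binary -nodetach -nocerts -in msg.txt -signer server-crt.pem \
  -inkey server-key.pem -outform der -out sample.cms-der

# Correct verification: signer cert via -certfile; prints the signed content.
verify_with_certfile() {
  openssl cms -verify -CAfile ca-crt.pem -inform der -certfile server-crt.pem \
    -in sample.cms-der -nointern 2>/dev/null
}
# Same message without -certfile: no signer cert anywhere, so this must fail.
verify_without_certfile() {
  openssl cms -verify -CAfile ca-crt.pem -inform der -in sample.cms-der 2>/dev/null
}
# In verify mode -signer is an output: it writes the cert that verified the
# signature. Return its fingerprint so it can be compared with server-crt.pem.
fingerprint_of_verified_signer() {
  openssl cms -verify -CAfile ca-crt.pem -inform der -certfile server-crt.pem \
    -in sample.cms-der -nointern -signer seen-signer.pem >/dev/null 2>&1
  openssl x509 -in seen-signer.pem -noout -sha256 -fingerprint
}
fingerprint_of() { openssl x509 -in "$1" -noout -sha256 -fingerprint; }
```

Running `verify_with_certfile` prints the recovered content and exits 0, while `verify_without_certfile` exits non-zero because the signer certificate is neither in the message nor on the command line.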

Unable to get SignerCertificate from CMSSigned data

You're missing adding the certificates to your signature data structure; this is probably why you're getting the signerInformation but not the certificates using Collection certs = certStore.getCertificates(s.getSID());. To solve this, add the certificates to your CMSSignedData using the addCertificates() method:

// Assumes gen is a CMSSignedDataGenerator, sha1Signer a ContentSigner and
// certificate the signer's X509Certificate, as in the question's code.
gen.addSignerInfoGenerator(
    new JcaSignerInfoGeneratorBuilder(
        new JcaDigestCalculatorProviderBuilder().setProvider("BC").build())
    .build(sha1Signer, certificate));

// Wrap the signing certificate(s) in a Store (org.bouncycastle.util.Store,
// built with org.bouncycastle.cert.jcajce.JcaCertStore) and add them to the
// generator, so they are carried inside the CMS structure and
// certStore.getCertificates(signer.getSID()) can find them on the other side.
Store certs = new JcaCertStore(Collections.singletonList(certificate));
gen.addCertificates(certs);

signedData = gen.generate(cmsBytes, true);

Hope this helps,
