<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Question.. <br>
Hopefully, this won't be terribly off topic, and maybe those
playing with the standards have run into the same problem in the
past... I have searched high and low for some open source tool
(running on Linux here) that can generate cms/smime/pkcs7 messages
with multiple signatures, but without much success.<br>
<br>
1) <b>OpenSSL</b>'s smime/cms documentation says it supports it,
but the same page says it's not allowed (just search for "multiple"
in the docs for either of the cms or smime commands). I have
managed to get it to sign a file and the signature contains multiple
certs (either by using -resign or -sign with two -signer args), but
when I dump the signature data it seems to be missing some parts of
either chain. Maybe that's fine, but openssl fails to validate
the signed content with either cert used to sign it (It gives a
'self signed certificate' error (and the two certs I'm experimenting
with are) even though I can sign and verify with either of the two
certs when not trying to sign with both at the same time.. but I've
seen other errors too when using a chain instead of a self-signed).<br>
<br>
2) <b>gpgsm</b> (gpg's smime variant) from what I can tell should
support it, but I've yet to find a system (tried several now) where
it can even generate a key without complaining about some error. Or
when trying to import certs &amp; keys, it keeps saying it's
importing the private keys successfully, but they don't show up with
--list-secret-keys. That's just one of the problems. And when
searching on the interwebs for help, I find others with the same
problem but no one ever seems to answer the questions. Also I'm
finding that some of the docs are missing information on what it can
really do. I get the feeling that it's been neglected as a project.<br>
<br>
3) <b>nss</b>'s cmsutil doesn't seem to support multiple signatures
(from looking at the code), and when I try to use its signver
utility to verify the file that I did manage to get openssl to
generate, it just hangs.<br>
<br>
<br>
Assuming I'm actually using these tools as intended, but that
they're buggy, are there other lesser known options out there that
anyone can speak to? AFAICT using the openssl or nss libs and
writing my own command line tool might be the only option I have. I
was hoping someone had done that already. But then again I'm not
sure how good the support in either of these libraries is.<br>
<br>
I also scanned through github projects without seeing anything
promising.<br>
<br>
I've yet to attempt to explore &lt;gasp&gt; java options.<br>
<br>
Any pointers would be appreciated.<br>
<br>
Thanks<br>
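<br>
Added example, not part of the original post: one way to produce and check a two-signer detached CMS signature with the openssl cms command, including the case where only one signer's certificate is supplied as a trust anchor. The names alice, bob, msg.txt, msg.p7s and the throwaway self-signed certificates are constructed for this demo.<br>
<pre>

```shell
#!/bin/sh
# Added example: two signers on one detached CMS signature, via the openssl CLI.
# alice/bob, msg.txt and msg.p7s are names constructed for this demo.

# Create a throwaway self-signed certificate NAME.pem with key NAME.key.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# sign_two CONTENT SIG: one -signer/-inkey pair per signer, one SignerInfo each.
sign_two() {
    openssl cms -sign -binary -in "$1" -outform PEM -out "$2" \
        -signer alice.pem -inkey alice.key -signer bob.pem -inkey bob.key
}

# verify_with SIG CONTENT ANCHORS: verify the detached signature, trusting the
# certificates in ANCHORS. On success the signer certs go to signers.pem.
verify_with() {
    openssl cms -verify -binary -inform PEM -in "$1" -content "$2" \
        -CAfile "$3" -signer signers.pem -out /dev/null 2>/dev/null
}

# Number of signer certificates written by the last successful verification.
signer_count() {
    grep -c 'BEGIN CERTIFICATE' signers.pem
}

# Work in a scratch directory so the demo leaves the current one untouched.
cd "$(mktemp -d)" || exit 1
make_signer alice
make_signer bob
cat alice.pem bob.pem > both.pem
printf 'constructed sample content\n' > msg.txt
sign_two msg.txt msg.p7s

if verify_with msg.p7s msg.txt both.pem; then
    echo "both anchors: OK, signers=$(signer_count)"
fi
# Every signer must chain to a trust anchor, so one anchor alone is rejected.
verify_with msg.p7s msg.txt alice.pem || echo "alice only: verification failed"
```

</pre>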
</body>
</html>