<div dir="ltr">Dear Davy, <div><br></div><div>On Wed, Jan 27, 2016 at 9:24 AM, Davy Durham <span dir="ltr"><<a href="mailto:ddurham@davyandbeth.com" target="_blank">ddurham@davyandbeth.com</a>></span> wrote:<br></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Question.. <br>
Hopefully, this won't be terribly off topic, and maybe those
playing with the standards have run into the same problem in the
past... I have searched high and low for some open source tool
(running on linux here) that can generate cms/smime/pkcs7 messages
with multiple signatures, but without much success.<br>
<br>
1) <b>OpenSSL</b>'s smime/cms documentation says it supports it,
but the same page says it's not allowed (just search for "multiple"
in the docs for either of the cms or smime commands). I have
managed to get it to sign a file and the signature contains multiple
certs (either by using -resign or -sign with two -signer args), but
when I dump the signature data it seems to be missing some parts of
either chain. Maybe that's fine, but openssl fails to validate
the signed content with either cert used to sign it (It gives a
'self signed certificate' error (and the two certs I'm experimenting
with are) even though I can sign and verify with either of the two
certs when not trying to sign with both at the same time.. but I've
seen other errors too when using a chain instead of a self-signed).<br></div></blockquote><div><br></div><div>man cms:</div><div> -resign</div><div> resign a message: take an existing message and one or more new</div><div> signers.</div><div><br></div><div>smime has the same option.</div></div><div><br></div>-- <br><div class="gmail_signature">SY, Dmitry Belyavsky</div>
</div></div>