<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Update: So I had an assumption which was wrong when I was testing
OpenSSL. I can get openssl to add multiple signatures (however it
strangely includes the whole chain (with 3 elements in the chain) for
one sig but leaves out the root in the second one ???). I was
assuming that when I did the verify it should verify if any of
the signatures were valid, but it apparently checks that they are <i>all</i>
valid. That is, when I verified I was only giving it the root of
one of the signatures and not both. When I gave it both root certs
in the -CAfile argument it passed.<br>
<br>
So that raises the question: Is that correct? I checked RFC 5752
(around section 4.6 and following) but it wasn't clear to me exactly
how it should work. And it sounded like there might be a variety of
possibilities, many of which openssl cms doesn't do. And in
another place it sounded like it ought to be application
specific.<br>
<br>
I was hoping that it was possible to sign in such a way that any of
the signatures being valid was considered successful (not nesting
signatures here, but signing independently, in parallel). If that's
what I need then I'm guessing I need to do multiple detached
signatures and just verify them as I need.<br>
<br>
Thanks for the info.<br>
<br>
As for -resign: Running "openssl cms -sign" once given two -signer
and -inkey args, and running "openssl cms -sign" followed by
"openssl cms -resign", both produce files which verify (only when
given both roots), but they produce slightly different output. The only
difference I can spot in the asn1 (other than some reordering) is
that the former has a single signing time field. I guess that makes
sense.<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 01/27/2016 11:54 AM, Dmitry
Belyavsky wrote:<br>
</div>
<blockquote
cite="mid:CADqLbzJsLbyMmGmt-NPH=7WM=LXp4kJhmnby8ZDzyf4oGj9eMw@mail.gmail.com"
type="cite">
<div dir="ltr">Dear Davy,
<div><br>
</div>
<div>On Wed, Jan 27, 2016 at 9:24 AM, Davy Durham <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:ddurham@davyandbeth.com" target="_blank">ddurham@davyandbeth.com</a>></span>
wrote:<br>
</div>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Question... <br>
Hopefully, this won't be terribly off topic, and maybe
those playing with the standards have run into the same
problem in the past... I have searched high and low for
some open source tool (running on linux here) that can
generate cms/smime/pkcs7 messages with multiple
signatures, but without much success.<br>
<br>
1) <b>OpenSSL</b>'s smime/cms documentation says it
supports it, but the same page says it's not allowed
(just search for "multiple" in the docs for either of
the cms or smime commands). I have managed to get it to
sign a file and the signature contains multiple certs
(either by using -resign or -sign with two -signer
args), but when I dump the signature data it seems to be
missing some parts of either chain. Maybe that's
fine, but openssl fails to validate the signed content
with either cert used to sign it (it gives a 'self
signed certificate' error (and the two certs I'm
experimenting with are) even though I can sign and
verify with either of the two certs when not trying to
sign with both at the same time... but I've seen other
errors too when using a chain instead of a self-signed).<br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>man cms:</div>
<div> -resign</div>
<div> resign a message: take an existing message
and one or more new</div>
<div> signers.</div>
<div><br>
</div>
<div>smime has the same option.</div>
</div>
<div><br>
</div>
-- <br>
<div class="gmail_signature">SY, Dmitry Belyavsky</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
The cryptography mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a>
<a class="moz-txt-link-freetext" href="http://www.metzdowd.com/mailman/listinfo/cryptography">http://www.metzdowd.com/mailman/listinfo/cryptography</a></pre>
</blockquote>
<br>
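The shell script below is an added example; it is not part of the thread above and is not code from OpenSSL or from either poster. With two freshly generated self-signed certificates it reproduces the two behaviours discussed: "openssl cms -verify" only accepts a SignedData carrying two SignerInfos when the anchor of <i>every</i> signer is in -CAfile, whether the second signer was added with a second -signer argument or with -resign; and the "any one valid signature is enough" policy is obtained by producing one detached signature per signer and accepting the first one that verifies against the anchors the verifier actually holds. The file names (a.crt, b.crt, both.p7, resigned.p7, a.sig, ...), the message text and the helper names verify_with and verify_any are constructed for the example; it needs a POSIX shell and the openssl binary.<br>
<br>
```shell
#!/bin/sh
# Added example, not from the mailing-list thread and not OpenSSL's own code.
# Shows: (1) "openssl cms -verify" requires *every* SignerInfo to verify;
# (2) an "any one valid signature suffices" policy via independent detached
# signatures. All file names and the message text are constructed here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'hello from two independent signers\n' > msg.txt   # constructed content

# Two unrelated self-signed signing certificates, i.e. two independent roots.
for n in a b; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=signer-$n" \
    -keyout "$n.key" -out "$n.crt" >/dev/null 2>&1
done
cat a.crt b.crt > both.crt          # a trust store holding both anchors

# One SignedData with two SignerInfos, built in a single -sign call.
# Opaque (-nodetach) so that -verify does not need a -content file.
openssl cms -sign -in msg.txt -nodetach -outform PEM -out both.p7 \
  -signer a.crt -inkey a.key -signer b.crt -inkey b.key

# The same structure built incrementally: sign with A, then -resign adds B.
openssl cms -sign -in msg.txt -nodetach -outform PEM -out a-only.p7 \
  -signer a.crt -inkey a.key
openssl cms -resign -in a-only.p7 -inform PEM -outform PEM -out resigned.p7 \
  -signer b.crt -inkey b.key

# verify_with FILE CAFILE: exit 0 iff openssl accepts the PEM CMS message.
# openssl checks every SignerInfo, so each signer's anchor must be in CAFILE.
verify_with() {
  openssl cms -verify -in "$1" -inform PEM -CAfile "$2" \
    -out /dev/null >/dev/null 2>&1
}

# Independent detached signatures, one per signer, over the same bytes.
# -binary on both sides avoids the S/MIME line-ending canonicalisation.
for n in a b; do
  openssl cms -sign -binary -in msg.txt -outform DER -out "$n.sig" \
    -signer "$n.crt" -inkey "$n.key"
done

# verify_any CONTENT CAFILE SIG...: accept if at least one detached
# signature verifies against the anchors in CAFILE (the "any signer" policy).
verify_any() {
  content=$1; cafile=$2; shift 2
  for sig in "$@"; do
    if openssl cms -verify -binary -inform DER -in "$sig" -content "$content" \
         -CAfile "$cafile" -out /dev/null >/dev/null 2>&1; then
      echo "accepted $sig"
      return 0
    fi
  done
  echo "no acceptable signature"
  return 1
}

# Demo run: the multi-signer messages need both roots, the detached
# signatures let a verifier that trusts only A or only B succeed.
verify_with both.p7 both.crt     && echo "both.p7 with both roots: ok"
verify_with both.p7 a.crt        || echo "both.p7 with root A only: rejected"
verify_with resigned.p7 both.crt && echo "resigned.p7 with both roots: ok"
verify_with resigned.p7 b.crt    || echo "resigned.p7 with root B only: rejected"
verify_any msg.txt a.crt a.sig b.sig   # verifier trusting only A accepts a.sig
verify_any msg.txt b.crt a.sig b.sig   # verifier trusting only B accepts b.sig
```
<br>
The detached-signature scheme is what the thread ends up suggesting for "any of the signatures being valid" semantics: each signature is a complete SignedData over the same content, so a relying party that holds only one of the roots verifies just the signature it can chain, and the policy of which signers are acceptable stays in the application rather than in the CMS structure.<br>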
</body>
</html>