[Cryptography] cms with multiple signatures

Davy Durham ddurham at davyandbeth.com
Wed Jan 27 01:24:30 EST 2016


Question...
Hopefully, this won't be terribly off topic, and maybe those playing
with the standards have run into the same problem in the past... I have
searched high and low for some open source tool (running on Linux here)
that can generate CMS/S/MIME/PKCS#7 messages with multiple signatures, but
without much success.

1) *OpenSSL*'s smime/cms documentation says it supports it, but the same
page says it's not allowed (just search for "multiple" in the docs for
either of the cms or smime commands). I have managed to get it to sign
a file and the signature contains multiple certs (either by using
-resign or -sign with two -signer args), but when I dump the signature
data it seems to be missing some parts of either chain. Maybe that's
fine, but openssl fails to validate the signed content with either cert
used to sign it (it gives a 'self signed certificate' error (and the two
certs I'm experimenting with are) even though I can sign and verify with
either of the two certs when not trying to sign with both at the same
time... but I've seen other errors too when using a chain instead of a
self-signed cert).

2) *gpgsm* (GnuPG's S/MIME variant), from what I can tell, should support it,
but I've yet to find a system (tried several now) where it can even
generate a key without complaining about some error. Or, when trying to
import certs & keys, it keeps saying it's importing the private keys
successfully, but they don't show up with --list-secret-keys. That's
just one of the problems. And when searching on the interwebs for help,
I find others with the same problem, but no one ever seems to answer the
questions. Also, I'm finding that some of the docs are missing
information on what it can really do. I get the feeling that it's been
neglected as a project.

3) *nss*'s cmsutil doesn't seem to support multiple signatures (from 
looking at the code), and when I try to use its signver utility to 
verify the file that I did manage to get openssl to generate, it just hangs.


Assuming I'm actually using these tools as intended, but that they're
buggy, are there other lesser-known options out there that anyone can
speak to? AFAICT, using the OpenSSL or NSS libs and writing my own
command line tool might be the only option I have. I was hoping someone
had done that already. But then again, I'm not sure how good the support
in either of these libraries is.

I also scanned through github projects without seeing anything promising.

I've yet to attempt to explore <gasp> Java options.

Any pointers would be appreciated.

Thanks