unable to verify a CMS signature without signedattrs


Thomas Anderson

Jan 18, 2026, 2:27:32 AM
to openss...@openssl.org
I'm trying to run this command:

openssl cms -verify -in cms.pem -inform PEM -CAfile ca.pem

ca.pem and cms.pem are attached.

The output of openssl cms -cmsout -in cms.pem -inform PEM -print is as follows:

CMS_ContentInfo:
  contentType: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.signedData:
    version: 1
    digestAlgorithms:
        algorithm: sha256 (2.16.840.1.101.3.4.2.1)
        parameter: <ABSENT>
    encapContentInfo:
      eContentType: pkcs7-data (1.2.840.113549.1.7.1)
      eContent:
        0000 - 2e 2e 2e                                       ...
    certificates:
      d.certificate:
        cert_info:
          version: 2
          serialNumber: 0x2A668EBCB57D09D800C8E72902DCC249F876042B
          signature:
            algorithm: ecdsa-with-SHA256 (1.2.840.10045.4.3.2)
            parameter: <ABSENT>
          issuer: O=phpseclib CA
          validity:
            notBefore: Jan 18 01:17:18 2026 GMT
            notAfter: Jan 18 01:17:18 2027 GMT
          subject: O=phpseclib cert
          key:           X509_PUBKEY:
            algor:
              algorithm: id-ecPublicKey (1.2.840.10045.2.1)
              parameter: OBJECT:prime256v1 (1.2.840.10045.3.1.7)
            public_key:  (0 unused bits)
              0000 - 04 95 43 6b 3d d0 0c 4e-da fe c3 44 d0 b9   ..Ck=..N...D..
              000e - f8 9e be 45 f1 be 8c e5-bf cd 58 9b 65 09   ...E......X.e.
              001c - 01 e5 62 95 2f 98 e4 c2-bc f3 16 36 90 f4   ..b./......6..
              002a - 77 ac 1d 57 e5 27 3b d9-45 70 43 3a 6b 9f   w..W.';.EpC:k.
              0038 - 02 e1 d5 4b d4 b4 f3 45-77                  ...K...Ew
          issuerUID: <ABSENT>
          subjectUID: <ABSENT>
          extensions:
              object: X509v3 Key Usage (2.5.29.15)
              critical: TRUE
              value:
                0000 - 03 02 07 80                              ....

              object: X509v3 Authority Key Identifier (2.5.29.35)
              critical: BOOL ABSENT
              value:
                0000 - 30 16 80 14 b7 25 4c bf-31 20 0e df 2f   0....%L.1 ../
                000d - 59 68 4b 17 bf 88 53 83-68 3c cd         YhK...S.h<.
        sig_alg:
          algorithm: ecdsa-with-SHA256 (1.2.840.10045.4.3.2)
          parameter: <ABSENT>
        signature:  (0 unused bits)
          0000 - 30 45 02 21 00 de ca 85-4c 2f 16 4b 1c 88 2b   0E.!....L/.K..+
          000f - e3 1f 07 41 df 2d 32 9e-68 52 16 47 49 ae df   ...A.-2.hR.GI..
          001e - 5f c2 bf d9 28 b3 ec 02-20 69 81 9c 56 31 04   _...(... i..V1.
          002d - 9d 92 9f dd 97 d9 68 b9-bd 4e 96 7c d5 87 9e   ......h..N.|...
          003c - 84 3c 95 05 ad eb 1c 8a-0a 0a 83               .<.........
    crls:
      <EMPTY>
    signerInfos:
        version: 1
        d.issuerAndSerialNumber:
          issuer: O=phpseclib CA
          serialNumber: 0x2A668EBCB57D09D800C8E72902DCC249F876042B
        digestAlgorithm:
          algorithm: sha256 (2.16.840.1.101.3.4.2.1)
          parameter: <ABSENT>
        signedAttrs:
          <ABSENT>
        signatureAlgorithm:
          algorithm: ecdsa-with-SHA256 (1.2.840.10045.4.3.2)
          parameter: <ABSENT>
        signature:
          0000 - 30 46 02 21 00 9f 3f ae-f4 eb d2 ad 12 33 11   0F.!..?......3.
          000f - 6e 35 c4 47 6b 97 4c 62-24 dc a5 f2 d9 91 e3   n5.Gk.Lb$......
          001e - 5f b4 be 98 40 0b 9f 02-21 00 fc ef 1f 07 e2   _...@...!......
          002d - ea f9 51 70 85 81 b3 19-04 9c 76 f1 9c b4 9f   ..Qp......v....
          003c - 70 21 13 5e ee 29 83 d6-41 1a a7 1a            p!.^.)..A...
        unsignedAttrs:
          <ABSENT>

Note how signedAttrs is <ABSENT>. When this happens https://www.rfc-editor.org/rfc/rfc5652#section-5.4 says the following:

When [signedAttrs] is absent, the result is just the message digest of [the encapContentInfo eContent OCTET STRING].

Here's eContent:

      eContent:
        0000 - 2e 2e 2e    

Here's the message digest algorithm from the signerInfos:

        digestAlgorithm:
          algorithm: sha256 (2.16.840.1.101.3.4.2.1)
          parameter: <ABSENT>

So taken together I'd think that the signature subject should be sha256(0x2e2e2e), but it isn't.

Based on my understanding, it should basically be doing the equivalent of this:

openssl dgst -sha256 -binary subject.txt > subject.bin
openssl dgst -sha256 -verify public.pem -signature signature.bin subject.bin

(public.pem, signature.bin and subject.txt have all been extracted from the CMS and are attached)

The thing is... when I do all that, openssl dgst -verify says the signature is valid whereas openssl cms -verify does not.

So what am I misunderstanding?
subject.txt
ca.pem
cms.pem
public.pem
signature.bin
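An added example (not part of the post above, and not the files the poster attached) that reproduces the RFC 5652 section 5.4 "no signedAttrs" case end to end with a freshly generated P-256 key and the same three-byte content 0x2e2e2e. It assumes the `openssl` command line tool (1.1.1 or 3.x) and `cmp` are available; every file name (`content.bin`, `key.pem`, `cert.pem`, `cms.pem`, `sig.bin`, `digest.bin`) is a constructed placeholder in a temporary directory. Its point is the check a practitioner wants before comparing `openssl cms -verify` with `openssl dgst -verify`: the `dgst -verify` subcommand always hashes the file it is given, so handing it a file that already contains the SHA-256 digest verifies a signature over SHA-256(SHA-256(content)), not over the content that ecdsa-with-SHA256 signs when signedAttrs are absent. `pkeyutl -verify` is the subcommand that takes a precomputed digest without hashing again.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a constructed
# P-256 signer and a CMS SignedData with no signedAttrs (openssl cms -sign
# -noattr), then compares four ways of checking an ecdsa-with-SHA256
# signature over the same three-byte content 0x2e2e2e.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed inputs: content "..." (0x2e2e2e, as in the post), a fresh key
# pair and a self-signed certificate that also serves as the trust anchor.
printf '...' > content.bin
openssl ecparam -name prime256v1 -genkey -noout -out key.pem 2>/dev/null
openssl req -new -x509 -key key.pem -subj '/O=example signer' -days 1 \
    -out cert.pem 2>/dev/null
openssl pkey -in key.pem -pubout -out pub.pem 2>/dev/null

# A SignedData without signedAttrs. RFC 5652 section 5.4 then says the
# signature is computed over the eContent itself: the SHA-256 step is
# internal to ecdsa-with-SHA256, and no attribute set is involved.
# -nodetach keeps eContent inside the structure; -binary disables MIME
# canonicalisation so eContent is exactly the file bytes.
openssl cms -sign -in content.bin -signer cert.pem -inkey key.pem \
    -noattr -nodetach -binary -outform PEM -out cms.pem 2>/dev/null

# The stand-alone equivalent of that signing operation, plus the digest
# of the content on its own, for the comparisons below.
openssl dgst -sha256 -sign key.pem -out sig.bin content.bin 2>/dev/null
openssl dgst -sha256 -binary -out digest.bin content.bin 2>/dev/null

# Path A: what `openssl cms -verify` does. Returns 0 when the SignedData
# verifies against the trust anchor and the recovered content equals the
# original bytes.
verify_cms() {
    openssl cms -verify -in cms.pem -inform PEM -CAfile cert.pem \
        -out verified.bin >/dev/null 2>&1 && cmp -s content.bin verified.bin
}

# Path B: `openssl dgst -verify` hashes its input file and then verifies
# the ECDSA signature over that hash. Fed the content, it checks the same
# thing as path A.
verify_dgst_over_content() {
    openssl dgst -sha256 -verify pub.pem -signature sig.bin content.bin \
        >/dev/null 2>&1
}

# Path C: feeding `openssl dgst -verify` the precomputed digest instead of
# the content makes it hash a second time, so it checks a signature over
# SHA-256(SHA-256(content)). A signature over the content fails here.
verify_dgst_over_digest() {
    openssl dgst -sha256 -verify pub.pem -signature sig.bin digest.bin \
        >/dev/null 2>&1
}

# Path D: to verify against an already computed digest without hashing
# again, use pkeyutl, which hands its input straight to ECDSA verification.
verify_pkeyutl_over_digest() {
    openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin \
        -sigfile sig.bin >/dev/null 2>&1
}

# Print one line per path; "FAIL" is the expected result for path C only.
report() {
    if "$1"; then printf '%-28s ok\n' "$1"; else printf '%-28s FAIL\n' "$1"; fi
}

report verify_cms
report verify_dgst_over_content
report verify_dgst_over_digest
report verify_pkeyutl_over_digest
```

Run as `sh cms_noattr_check.sh`; paths A, B and D report ok and path C reports FAIL. When signedAttrs are present the picture changes: the message-digest attribute carries SHA-256(eContent) and the signature covers the DER encoding of the attribute set, so neither `dgst -verify` on the content nor on its digest reproduces what `cms -verify` checks in that case.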