
Openssl verification does not work when the source message has unix line endings


I am building a system that receives AS2 messages from an external Partner. I am able to successfully decrypt and verify the signature of the message. However, I am unable to verify the signature when our partner sends us files with unix line endings:

Verification failure
140390438954304:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:../crypto/cms/cms_sd.c:847:
140390438954304:error:2E09D06D:CMS routines:CMS_verify:content verify error:../crypto/cms/cms_smime.c:393:

Any other source files that had dos line endings before signing and encryption can be verified on my side.

Verify command:

openssl cms -verify -noverify -nointern -in message_dos_signed.txt -out verified.txt -certfile mb24arcesb.cer 

I have uploaded the sample files with unix and dos line endings; there we can see that the sample file message_unix_signed.txt has unix line endings in the message part but dos line endings in the signature part, because the source message had unix endings.

https://www.mediafire.com/folder/8svkcvq86elgg/Testfiles

There is no obvious reason why this could be happening. Our partner is using arcesb for AS2 communication. If he sends both files to another arcesb instance, both can be decrypted and verified. He used the same test cert and test key. With our real cert files, it's the same behaviour. So maybe I am missing something on my verification step?

UPDATE

I am able to reproduce the issue locally. With these commands, it works with any line ending.

openssl cms -sign -in msg/RAW.edi -out msg/1_SIGNED.edi -inkey ../certs/mb24arcesb.pem -signer ../certs/mb24arcesb.cer 
openssl cms -encrypt -in msg/1_SIGNED.edi -out msg/2_ENCRYPTED.edi ../certs/mb24arcesb.cer 
openssl cms -decrypt -in msg/2_ENCRYPTED.edi -recip ../certs/mb24arcesb.cer -inkey ../certs/mb24arcesb.pem -out msg/3_DECRYPTED.edi 
openssl cms -verify -nointern -noverify -in msg/3_DECRYPTED.edi -out msg/4_EDIFACT.edi -certfile ../certs/mb24arcesb.cer

But when I sign the file with the -binary option, the verification will only work if the source file has dos line endings. So I guess our partner's software is signing it with the -binary option. How can I verify it this way? "verify -binary" does not work.
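The behaviour described above (dos-ending files verify under either mode, unix-ending files only in text mode) follows from what each mode hashes: text-mode S/MIME canonicalizes every line break to CRLF before the digest is taken, while -binary signs the bytes exactly as sent. The following Python illustration is added here and is not OpenSSL's or arcesb's code; the EDIFACT sample and the digest comparison are constructed for the demonstration, and the canonicalization models the CRLF rule rather than reproducing OpenSSL byte for byte.

```python
import hashlib

# Constructed sample: a minimal EDIFACT interchange with unix (LF) endings,
# and the same content with dos (CRLF) endings.
UNIX_EDI = (
    b"UNB+UNOA:3+SENDER+RECEIVER+230101:1200+1'\n"
    b"UNH+1+ORDERS:D:96A:UN'\n"
    b"UNT+2+1'\n"
    b"UNZ+1+1'\n"
)
DOS_EDI = UNIX_EDI.replace(b"\n", b"\r\n")


def canonicalize_crlf(data: bytes) -> bytes:
    """Text-mode canonicalization: every line break becomes CRLF.

    An existing CR before LF is absorbed so CRLF is not doubled; a lone CR
    that is not followed by LF is left untouched. The result is idempotent.
    """
    parts = data.split(b"\n")
    tail = parts.pop()  # bytes after the last LF; empty if data ends with a line break
    canon = []
    for line in parts:
        if line.endswith(b"\r"):
            line = line[:-1]
        canon.append(line + b"\r\n")
    canon.append(tail)
    return b"".join(canon)


def content_digest(data: bytes, binary: bool) -> str:
    """SHA-256 over what a signer commits to: raw bytes in binary mode,
    CRLF-canonical bytes in text mode (assumed digest algorithm)."""
    body = data if binary else canonicalize_crlf(data)
    return hashlib.sha256(body).hexdigest()


def signature_modes_agree(data: bytes) -> bool:
    """True when a -binary signature over `data` would also verify in text mode,
    i.e. when canonicalization changes nothing (the file already has CRLF endings)."""
    return content_digest(data, binary=True) == content_digest(data, binary=False)


def line_ending_report(data: bytes) -> dict:
    """Count CRLF versus bare LF so a receiver can see which mode a file needs."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf, "bare_lf": data.count(b"\n") - crlf}


if __name__ == "__main__":
    for name, sample in (("unix", UNIX_EDI), ("dos", DOS_EDI)):
        print(name, line_ending_report(sample), "modes agree:", signature_modes_agree(sample))
```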


Solution

  • This is a bug in openssl version <= 1.1.1. https://github.com/openssl/openssl/issues/17797