How to check if the .sig file is correct?


I issued the following commands to create a signature for a file (Linux kernel):

    openssl req -newkey rsa -keyout codesign.key -out codesign.req
    openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt

    openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig

The ca.cnf file is for my own private CA infrastructure, and it has the digitalSignature key usage extension and the codeSigning extended key usage extension enabled.

ca.cnf format:

    [ ca ]
    default_ca = ca_default

    [ ca_default ]
    certificate = ca.crt
    private_key = ca.key
    serial = ca.srl
    database = ca.idx
    new_certs_dir = /home/apoorv/projects/signed
    default_md = default
    policy = policy_anything
    preserve = yes
    default_days = 90
    unique_subject = no

    [ policy_anything ]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = optional
    emailAddress = optional

    [ cross ]
    basicConstraints = critical,CA:true
    keyUsage = critical,cRLSign,keyCertSign

    [ codesigning ]
    keyUsage = digitalSignature
    extendedKeyUsage = codeSigning

Command:

    openssl cms -verify -binary -content vmlinuz -inform DER -in vmlinuz.sig -CAfile ca.crt

Output:

    Verification failure
    140187569694352:error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error:cms_smime.c:287:Verify error:unsupported certificate purpose

Could you please provide any input? Thanks a lot.

entropy

Posted 2016-04-08T14:38:24.503


Answers


As should be clear from the manpage on your system or online, assuming the CA cert specified in your ca.cnf is ca.crt and is the root cert, the basic function you want is

    openssl cms -verify -binary -content vmlinuz -inform der -in vmlinuz.sig -CAfile ca.crt

except that by default it requires the ExtendedKeyUsage, if present, to include "emailProtection" (id-pkix 3 4), not (solely) codeSigning; to override that, add -purpose any.

If the cert hierarchy is more complicated, i.e. if it uses a chain, then there are a variety of cases depending on what cert(s) you included in the signature file with -certfile, what cert(s) are in your default or specified truststore file and/or directory and in -certfile if used, and whether you specify -partial_chain in 1.0.2 and up; without a more specific question I don't have time to write that much.

dave_thompson_085

Posted 2016-04-08T14:38:24.503

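The full round trip from the question and the answer, as an added example (not code from the original post or from OpenSSL's documentation): it builds a throwaway private CA, issues a signer certificate with the same keyUsage/extendedKeyUsage as the question's [codesigning] section, produces the detached DER CMS signature with the question's exact cms -sign options, and then shows that the default verify fails on the certificate purpose while -purpose any succeeds but still rejects a modified payload. The CA name, file names and the stand-in "vmlinuz" payload are constructed for the example; it assumes only that the openssl command-line tool (1.0.2 or later) is on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the question's
# sign/verify flow against a throwaway private CA and shows why the default
# purpose check rejects a codeSigning-only certificate. Assumes only that the
# openssl CLI (1.0.2 or later) is on PATH; every name and path is hypothetical.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension section for the signing certificate: the same keyUsage and
# extendedKeyUsage as the [codesigning] section of the question's ca.cnf.
cat > "$WORK/ext.cnf" <<'EOF'
[ codesigning ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF

setup_ca() {
    # Self-signed root; req -x509 marks it basicConstraints CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

issue_signer() {
    # Key + CSR for the signer, then a leaf certificate carrying the
    # [codesigning] extensions (x509 -req is used instead of the question's
    # openssl ca so that no index/serial database is needed).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Kernel Signer" \
        -keyout "$WORK/codesign.key" -out "$WORK/codesign.req" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$WORK/codesign.req" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -extensions codesigning \
        -out "$WORK/codesign.crt" >/dev/null 2>&1
}

# sign_file FILE: detached, binary-safe DER CMS signature written to FILE.sig,
# using the same options as the question.
sign_file() {
    openssl cms -sign -binary -noattr -in "$1" \
        -signer "$WORK/codesign.crt" -inkey "$WORK/codesign.key" \
        -certfile "$WORK/ca.crt" -outform DER -out "$1.sig" 2>/dev/null
}

# verify_file FILE [extra openssl options]: returns openssl's exit status,
# e.g. verify_file "$WORK/vmlinuz" -purpose any
verify_file() {
    _f=$1
    shift
    openssl cms -verify -binary -content "$_f" -inform DER -in "$_f.sig" \
        -CAfile "$WORK/ca.crt" -out /dev/null "$@" >/dev/null 2>&1
}

# check_purpose PURPOSE: the same purpose test that cms -verify applies, run on
# the signer certificate alone with openssl verify. Useful for finding which
# certificate in a chain trips "unsupported certificate purpose".
check_purpose() {
    openssl verify -purpose "$1" -CAfile "$WORK/ca.crt" "$WORK/codesign.crt" \
        >/dev/null 2>&1
}

# demo: returns 0 only if the default verify fails, -purpose any succeeds,
# and -purpose any still rejects modified content.
demo() {
    setup_ca && issue_signer || return 1
    # Constructed stand-in for the kernel image.
    printf 'constructed stand-in for vmlinuz\n' > "$WORK/vmlinuz"
    sign_file "$WORK/vmlinuz" || return 1

    if verify_file "$WORK/vmlinuz"; then
        echo "unexpected: default purpose check accepted a codeSigning-only cert"
        return 1
    fi
    echo "default verify (purpose smimesign) failed as expected"

    verify_file "$WORK/vmlinuz" -purpose any || return 1
    echo "verify with -purpose any succeeded"

    # -purpose any only skips the purpose check; the signature is still
    # verified, so a modified payload must be rejected.
    printf 'extra byte\n' >> "$WORK/vmlinuz"
    if verify_file "$WORK/vmlinuz" -purpose any; then
        echo "unexpected: modified content verified"
        return 1
    fi
    echo "modified content rejected"
}

demo
```

Two practical caveats. First, -purpose any disables the purpose check entirely, not just the emailProtection requirement: any certificate that chains to ca.crt (a TLS server certificate issued by the same CA, for instance) is then accepted as a signer, so a dedicated signing CA or an explicit extendedKeyUsage check on the signer certificate is advisable when this verification gates something like a kernel image. Second, the failing check is the ordinary X.509 purpose check, so `openssl verify -purpose smimesign -CAfile ca.crt codesign.crt` reproduces the error (X509_V_ERR_INVALID_PURPOSE, error 26) without cms at all, which is the quickest way to find which certificate in a longer chain is responsible. OpenSSL 3.2 and later also accept -purpose codesign, which keeps the purpose check but matches a codeSigning EKU.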

I updated my question. Could you please have a look at it ? Thanks Dave :) – entropy – 2016-04-13T19:41:18.713

Thanks a lot @dave_thompson_085 for helping. Adding the -purpose any option solved our problem. – entropy – 2016-04-15T20:11:34.313

@apoorvmunshi you're welcome, but the StackExchange way is to mark accepted and/or vote as discussed at this link rather than 'thanks'.

– dave_thompson_085 – 2016-04-16T08:45:44.950

@dave_thompson_085 ...and maybe to upvote too. But if they also upvote... you will remain tenacious without being an unsung hero :-) – Hastur – 2018-05-22T21:24:20.463