@sridhar-design

This utility verifies PKCS#7 (CMS) signatures against content files using the Mbed TLS library. It supports both detached signatures and appended signatures. The tool also allows verification of signatures with PEM or DER certificates, and supports multi-signer PKCS#7 files.

@erichte-ibm
Collaborator

Looks good to me, thanks! You can ignore that failing CI check, that's somewhere else in the code and probably due to a new version of cppcheck.

@sguarin

sguarin commented Dec 10, 2025

Hello @sridhar-design, I'm testing this against a PKCS#7 generated by a signing server with only one signature, and mbedtls_pkcs7_parse_der() is not able to parse it.

test.bin.pkcs7.zip

./verify  -d test.bin.pkcs7 test.bin cert.pem
Failed to parse PKCS7 structure: -0x5366

This is what openssl pkcs7 asn1parse gets:

$ openssl asn1parse -inform DER -in test.bin.pkcs7
    0:d=0  hl=4 l= 451 cons: SEQUENCE          
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l= 436 cons: cont [ 0 ]        
   19:d=2  hl=4 l= 432 cons: SEQUENCE          
   23:d=3  hl=2 l=   1 prim: INTEGER           :01
   26:d=3  hl=2 l=  13 cons: SET               
   28:d=4  hl=2 l=  11 cons: SEQUENCE          
   30:d=5  hl=2 l=   9 prim: OBJECT            :sha256
   41:d=3  hl=2 l=  11 cons: SEQUENCE          
   43:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   54:d=3  hl=4 l= 397 cons: SET               
   58:d=4  hl=4 l= 393 cons: SEQUENCE          
   62:d=5  hl=2 l=   1 prim: INTEGER           :01
   65:d=5  hl=2 l= 100 cons: SEQUENCE          
   67:d=6  hl=2 l=  87 cons: SEQUENCE          
   69:d=7  hl=2 l=  50 cons: SET               
   71:d=8  hl=2 l=  48 cons: SEQUENCE          
   73:d=9  hl=2 l=   3 prim: OBJECT            :commonName
   78:d=9  hl=2 l=  41 prim: UTF8STRING        :[DEVELOPMENT] Red Hat Secure Boot CA TEST
  121:d=7  hl=2 l=  33 cons: SET               
  123:d=8  hl=2 l=  31 cons: SEQUENCE          
  125:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
  136:d=9  hl=2 l=  18 prim: IA5STRING         :devnull@redhat.com
  156:d=6  hl=2 l=   9 prim: INTEGER           :AFEBA16DF860A4FB
  167:d=5  hl=2 l=  11 cons: SEQUENCE          
  169:d=6  hl=2 l=   9 prim: OBJECT            :sha256
  180:d=5  hl=2 l=  13 cons: SEQUENCE          
  182:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  193:d=6  hl=2 l=   0 prim: NULL              
  195:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]: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
  455:d=0  hl=2 l=   0 prim: EOC 

Any ideas?

@sridhar-design
Author

Hi @sguarin,
Thanks for testing. The error indicates a length mismatch while parsing the PKCS7 ASN.1.
To debug more, could you share the command used to generate test.bin.pkcs7, the input file test.bin and, if possible, test certificates/keys to reproduce?
Also the Mbed TLS version you are using (and whether you can test with the latest release).

@sguarin

sguarin commented Dec 11, 2025

> Hi @sguarin, Thanks for testing. The error indicates a length mismatch while parsing the PKCS7 ASN.1. To debug more, could you share the command used to generate test.bin.pkcs7, the input file test.bin and, if possible, test certificates/keys to reproduce? Also the Mbed TLS version you are using (and whether you can test with the latest release).

I'm using mbedtls-3.6.5-1 (On Fedora 42).
The commands I used are:

dd if=/dev/random of=test.bin bs=1 count=1000
cp test.bin test.bin.orig
rh-signing-client-stage --lkmsign --key devsecureboottest01  test.bin
# At this point I got from signing server a signed binary so the next command will extract the added payload
dd if=test.bin of=test.bin.pkcs7 bs=1 skip=1000

I will send you the cert by email.

@sguarin

sguarin commented Dec 17, 2025

Thanks @sridhar-design for troubleshooting this.
I was able to successfully verify a single signature returned by the signing server like this:

./verify -a test.bin devsecureboottest01.crt
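
Added example (not part of this pull request, any participant's comment, or Mbed TLS itself): a small C diagnostic for the failure discussed above. It splits the return value -0x5366 into its high-level and low-level parts and counts the bytes that follow the outer DER structure, which the asn1parse dump hints at with its entry at offset 455. The function names and the sample buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Mbed TLS adds a high-level (module) code and a low-level code into one
 * return value. -0x5366 splits into 0x5300 (MBEDTLS_ERR_PKCS7_INVALID_FORMAT)
 * and 0x0066 (MBEDTLS_ERR_ASN1_LENGTH_MISMATCH). Hypothetical helper name. */
static void split_mbedtls_err(int ret, int *high, int *low)
{
    int v = -ret;
    *high = v & 0xFF80;
    *low  = v & 0x007F;
}

/* Read the outermost DER header and store header + content size in *total.
 * Returns -1 for a truncated header, the indefinite form, or an overflow. */
static int der_total_len(const unsigned char *buf, size_t len, size_t *total)
{
    size_t n, i, content = 0;
    if (len < 2) return -1;
    if ((buf[1] & 0x80) == 0) { *total = 2 + (size_t)buf[1]; return 0; }
    n = buf[1] & 0x7F;                      /* number of length octets */
    if (n == 0 || n > sizeof(size_t) || len < 2 + n) return -1;
    for (i = 0; i < n; i++) content = (content << 8) | buf[2 + i];
    if (content > (size_t)-1 - 2 - n) return -1;
    *total = 2 + n + content;
    return 0;
}

/* Bytes left over after the outer structure, or -1 if the header is invalid
 * or the buffer is shorter than the structure claims. A strict DER parser
 * that is handed the whole buffer rejects any non-zero remainder. */
static long trailing_bytes(const unsigned char *buf, size_t len)
{
    size_t total;
    if (der_total_len(buf, len, &total) != 0 || total > len) return -1;
    return (long)(len - total);
}

int main(void)
{
    /* Constructed sample: the outer header from the dump (SEQUENCE, hl=4,
     * l=451), zero-filled content, and 2 extra bytes after offset 455. */
    static unsigned char sample[457] = { 0x30, 0x82, 0x01, 0xC3 };
    int high, low;
    split_mbedtls_err(-0x5366, &high, &low);
    printf("high=-0x%04X low=-0x%04X trailing=%ld\n",
           high, low, trailing_bytes(sample, sizeof sample));
    return 0;
}
```

A non-zero result from `trailing_bytes` on an extracted signature blob means the file holds more than the PKCS#7 structure, so the parser should be given only the first `total` bytes or the tool's appended-signature mode should be used.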
