hi programming folks,

i am using

SignedCms.CheckSignature(certColl, true)

(with only one cert in certColl) to verify the signature of a PKCS #7 message. My problem is that I don't want to change the (public part of the) signer's certificate on my server after the signer has renewed his certificate :-( The public key, issuer and subject remain unchanged after the signer has renewed his certificate! So this has to work - at least in my opinion, even if I'm not a crypto-geek :-)

...but, unfortunately, the .NET Framework throws a CryptographicException "Cannot find the original signer", as the stack trace shows, exactly at:

SignerInfo.CheckSignature(X509Certificate2Collection extraStore, Boolean verifySignatureOnly)

This must be because the serial number of the signer's certificate has changed and the SignerIdentifier property is read-only and set to IssuerAndSerialNumber.

Does anyone know how to work around this?

Or do I have to implement a "handmade" signature verification with something like: signedMessage.ComputeSignature(signer, false)?

Thanks in advance and happy programming, Krile

A: 

For everyone interested in this issue:

Someone told me that this is due to the PKCS #7 specification, which states that the SubjectKeyIdentifier is always set to IssuerAndSerialNumber.

krile
I forgot to tell you a possible workaround: you could put the signing certificate into the PKCS #7 request, and on the called side you have all the information you need. Of course, the CA certificate above all the signing (client) certificates has to be trusted. Happy coding!
krile
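The workaround from the answer above, carried through in C# as an added example that is not from the original posters: the sender embeds its signing certificate in the PKCS #7 message, and the receiver verifies the signature with that embedded certificate, then pins the signer by its public key (SubjectPublicKeyInfo) rather than by the certificate serial number, so a renewed certificate with the same key still verifies and a different key is rejected. It assumes .NET 5 or later with the System.Security.Cryptography.Pkcs package; the certificate and message are constructed inside the code.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original post. Assumes .NET 5+ and the
// System.Security.Cryptography.Pkcs package; key, certificate and message are constructed below.
static class KeyPinnedCmsVerifier
{
    // Sender side: sign the message and embed the end-entity certificate so the
    // verifier does not need a stored copy of the (renewable) certificate.
    public static byte[] Sign(byte[] message, X509Certificate2 signerCert, AsymmetricAlgorithm privateKey)
    {
        var cms = new SignedCms(new ContentInfo(message), detached: false);
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signerCert, privateKey)
        {
            IncludeOption = X509IncludeOption.EndCertOnly // embed only the signer certificate
        };
        cms.ComputeSignature(signer);
        return cms.Encode();
    }

    // Receiver side: verify the signature with the embedded certificate, then pin the
    // signer by public key. verifySignatureOnly: true skips chain building, so the
    // explicit key comparison below is what ties the signature to a known signer.
    public static byte[] VerifyAndExtract(byte[] encoded, byte[] pinnedSpki)
    {
        var cms = new SignedCms();
        cms.Decode(encoded);
        cms.CheckSignature(verifySignatureOnly: true); // throws on an invalid signature
        if (cms.SignerInfos.Count != 1)
            throw new CryptographicException("Expected exactly one signer.");
        X509Certificate2 signerCert = cms.SignerInfos[0].Certificate
            ?? throw new CryptographicException("Signer certificate not embedded in message.");
        byte[] actualSpki = signerCert.PublicKey.ExportSubjectPublicKeyInfo();
        if (!actualSpki.AsSpan().SequenceEqual(pinnedSpki))
            throw new CryptographicException("Signer public key does not match the pinned key.");
        return cms.ContentInfo.Content;
    }

    public static void Main()
    {
        using var rsa = RSA.Create(2048); // constructed signer key for the demo
        var req = new CertificateRequest("CN=signer", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        byte[] pinned = cert.PublicKey.ExportSubjectPublicKeyInfo(); // stored once on the server
        byte[] signed = Sign(System.Text.Encoding.UTF8.GetBytes("hello"), cert, rsa);
        Console.WriteLine(System.Text.Encoding.UTF8.GetString(VerifyAndExtract(signed, pinned)));
    }
}
```

Because the serial number is never compared, a renewed certificate for the same key passes, while a message signed by a different key fails the pin check even if its signature is mathematically valid.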