"unknown signature algorithm" when trying to verify a certificate based on ECC key

[rgisiger]

Hi everyone, I don't know much about SSL understanding and I have a question because I try to verify a certifcate. I hope someone can help me and/or maybe guide me to a solution.

Context occurs on a process of strong user authentication where I can receive either an old certificate or a new one. My code has to work with both of them. I think I have to verify the signature of a certificate to provide this strong integrity.

I don't have any issue with the old certificate which is based on RSA Keys, but I got one with the new certificate where it is an ECC key. At the moment I have no choice but to bypass the check on the new certificate.

The old certificate has the following lines in it (I have omitted some lines) :

Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    -----
                Exponent: 65537 (0x10001)

The new certificate has the following lines in it :

Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: rsassaPss         
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 0x20
         Trailer Field: 0xBC (default)
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    --------
                ASN1 OID: prime256v1
                NIST CURVE: P-256

I usually execute the following command to verify the certificate : signer_certificate.verify(certificate.public_key)

I get unknown signature algorithm when I try to use this command on the new certificate.

[rhenium]

Can you provide an example code to reproduce the error?

[rgisiger]

Sure.

Following is the extract. The base64_signature content is a base 64 encoded CMS (which is an extension of PKCS#7) signature object.

signer_cert = nil

root4_cert = OpenSSL::X509::Certificate.new("-----BEGIN CERTIFICATE-----\nMIIKVTCCBgmgAwIBAgIQFJ46eF+C8WuK+yGq1a/3RzBBBgkqhkiG9w0BAQowNKAP\nMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMC\nASAwgYQxGzAZBgNVBAMMElN3aXNzY29tIFJvb3QgQ0EgNDElMCMGA1UECwwcRGln\naXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UEYQwVVkFUQ0gtQ0hFLTEw\nMS42NTQuNDIzMREwDwYDVQQKDAhTd2lzc2NvbTELMAkGA1UEBhMCQ0gwHhcNMTgx\nMTI5MTAyMTUzWhcNMzgxMTI0MTAyMTUzWjCBhDEbMBkGA1UEAwwSU3dpc3Njb20g\nUm9vdCBDQSA0MSUwIwYDVQQLDBxEaWdpdGFsIENlcnRpZmljYXRlIFNlcnZpY2Vz\nMR4wHAYDVQRhDBVWQVRDSC1DSEUtMTAxLjY1NC40MjMxETAPBgNVBAoMCFN3aXNz\nY29tMQswCQYDVQQGEwJDSDCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQB\nAMYSU5n0a3hxJTV2UbAl0yxQNCFbZbExdTno3VsASxxbjQKPF9Iz8HsPAdPyC7bb\nYmpVk7WuaKD5myJaVPpN4bEnFosFEfAGWDdN5D6Sb9ckn7EunQWznJ+FfMb6kUM+\njJL9nUxYBCJexxeTq4XmAKP3ziq+yP/i8JvxL5vQPi2kbfva5c20J9Q72xVVeX/p\nAmRn0JQZ2cuulzz+M/cwUv2p8YsOYj1H62wITiCsOThI4RlIQXheQOcaM4XBktb8\nb0SJOpHhbOfCWP9ghgpXbGfC/COKAegQvwzJqGuyrXXQe6k0TGELLzwLf65S5piH\nfrEwOJS32Ie81TCc7BkWr3+8xDBUBFPy7mWwOqI9tUutm6XiHrFlHk5yHppBiYAw\nHwFrtCt/e7UpP/w/8ugsfKxT8WbP5DHA9u18EpAFBCFh8h+5llXbFwPZ5+zLMV5q\nyg2RwqiSeAo4s8RTUF+/+urw+P2/mrw4dqfeWo+gwrRPuGFaj+I2H+lQaWHFRrw6\nXgqdjNp8BTo8qi5nwJCImTlTburerWCcj9gLduf/+6lRBiAq+Q/QIbG0ERdUq+LC\nAkRV/6VWezk9RFQmM+jU2VhVnMda9z++eNpjGgNWEeG6leYBVr0Jnu6Dk6QzxY2j\n3jHUiv46S2lf3Pf7mYryV6ldvGNddmZ8uRBUJ3tuxOBddgQgV+A8wJcqEudkWCWM\nc1u4ULtWXUN++DakB63+TMUPRXBMxW4w+ddA3esS7zlgdcAoVihwWU+NGuFwbcAU\nrizg77FH6mbtesUW2zPbxK7iUwles8/4MvjX94lq0/3owL1AiR7gW/vhWazIDbU0\n6gfMMxMKho6sAY6+0imrrWHEse2YFmQHdr2OqVzXhl8BL+jC/mNUduqNLcwP/Cdz\nhqa1555JlbExNUNgnQJ8FHFMzGPAKzFAoPmU0+Dj/bIHYMuCTMmW58GuXPhSJfur\n/CZeChDHKD529HEP472l/rGYasHazl6P8Si5lZi+7piU++Vwe3tg5YKuM2CQgNXX\nHYeNkjaRCIQ6DkZhoi7Qd6nEmLvblkt4f9d91Qj+1Xjy0cJvCx5aPEOsnRDW58BT\njpdgan9TSEkLZNsk7ld6MFNum4ifBBEPEZ98QRoXZG5n3676MDoaEp9aouWX2y24\nZ6NkgdH7OZvmgRzPSUEWXOxZPDxymePVE8Avkm/Ni6JkxsCoRVdNqMNOO8HYSm7d\ncn1KKtWNwW44jGZWx6PZoJ5e/E6ESHdL4RBdoKYvdnkmHvP9AUitpLxCRAGGEI5E\nhxOG9mILWjSEwp0LKchEyF16ndtoUe1suZT4Sw5yGwPjW159poroSoy/WDUmwcji\nExueOU5NAn7jolQLs5DIJkECAwEAAaNZMFcwDwYDVR0TAQH/BAUwAwEB/zAVBgNV\nHSAEDjAMMAoGCGCFdAFTHgQAMB0GA1UdDgQWBBRUWmcfazT5nllAol9Bej7BCMYV\nEzAOBgNVHQ8BAf8EBAMCAQYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF\nAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IEAQAIZlEtAqKq\nPdJGz4Zwb5hCBw3E9fkJFMGnNkZ7jb0akuwsoeMSlfnZ1JUbfHGSSHFruadJFqm5\nIqeUSPtvSDkIo3wpF2OLP5lvBA2USupFLbcGK+wxDFXcTzdmqgj1S3ssQEL6eTgb\nYqPeWDAN9m1kkzBgDIk7cOGJyOMr805ZIZ/GgRduw72IcWB57AuEYyPQoES7ulYb\nFE4MgkxNzod9J4281jDl6WJB2C67BEiDlnBhQzyBYx6uFKcfWmEjGxvtTlXIGqYL\ntu9YWICzNOUeB3o238QQFsmSNRJXMALMBGak4R7+0v9r+oZSjQexx2QEXUMlYUjy\nR/02DaPZC/cfzE5HTvQr601f6xOpTPMw1XNFxMyds1KkmIOielXDGtNr4ufKPX5C\nuuBWXO1W2ESzS/bl0NP+E1kugz6B5KsO9cD4L5XuYbTP9PJ/MO+frNEW5Ua4HHVK\nxpOvpU1h6DacykzVw95d/KZDudZku+D5PWI01i7DgBUoPppM2Pt0xtdmQx4hVNrI\nDeW5jhCvIc9ZSfzXwpIUFlT9Mqy4cRjuEGxa7gYTZ7Ktwy7C5UpZu+5ExAYkcWmW\nQ1fGLctPC4Wh5dhan+6UvjfYCw0IaLukXo8h3YucLpAr7XU3fFhc01SBNxrtAwWJ\n1iLZvJvAlT3ggZfdQBzeOmGqFWjLmMpirs5KUwqKMUawEZjHPM9LXsuQcNo6AbZH\n6S+4cJEQEbVuMrfbF2X/0Zu5B8fqq+PWyxJ3XgdR6w9TYtgg2LeUU+B/wbCH2lo1\n5d2IwxySAL/hASRo/sP7c/UuE8UvMiWl1GRRJPgbjtikkruBQXCRMBBLq2Ts6dXT\n+LizFdyAbnpOuiEK6hH9JDpJGV+DaZyQiwCOcNOcPR8/cR96eeBDU8mx870//ZJu\nnRoGBm24mYeV0TLQuKbEEpaNk5Tc0z3Ci9eHsTgroncuI10p671aQIBXYdT9/QzE\nsDTsdNFx4m3gDarYRCBjgF481Vj0o2qvYkdu+1GpG7cfKcPLJRFb+J/6g2SD9+yo\nSPnOuuTiU1l1tC22G1xV/ds8qymjR+BnY3wmFDaCMf0DdG1mkkUEzG+MHUHmaId0\n0bejnZ+GEdFX3sS/WrxRCCWI+f5h9SLYntobevUHKqY6Yk93+xa3CPYMRGF7QM9B\nfVxHYsgvr8isYcsPwjylZumzMW2yxGIK+Zy4K5qTz7G/lLk/oRAvf/3e2SYmY6Qp\nHeS86pc78jB0+6bRhnT8BWtZ9r2sAIORgLzEZ+U1o6YZOXrUeaIjK+eSmge4BTbk\n2mfQGPvQ9/XhHOIANN13S/gyURCPoKmjPH3IB54FSdFyIp8fT6JQx3L8l+6iX8On\ndMFLMgjr/DJO\n-----END CERTIFICATE-----\n")

base64_signature = "MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwGggARYTW9iaWxlIElEOiBSZXF1w6p0ZSBkZSBjb25uZXhpb24gbXlXaW5nbyBzw6ljdXJpc8OpZSBkZW1hbmTDqWUuIChNSURfRlIuMjMxMTIyNTgwM182ODY3KQAAAACggDCCBWwwggMgoAMCAQICEAzNIbUcTL8XLIewXqGz0qswQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMIGSMRwwGgYDVQQDDBNTd2lzc2NvbSBSdWJpbiBDQSA0MSUwIwYDVQQLDBxEaWdpdGFsIENlcnRpZmljYXRlIFNlcnZpY2VzMR4wHAYDVQRhDBVWQVRDSC1DSEUtMTAxLjY1NC40MjMxHjAcBgNVBAoMFVN3aXNzY29tIChTY2h3ZWl6KSBBRzELMAkGA1UEBhMCY2gwHhcNMjIxMDIxMDg0NzAzWhcNMjUxMDIwMDg0NzAyWjA5MRkwFwYDVQQFExBNSURDSEVaRDREVTdSOEUzMRwwGgYDVQQDDBNNSURDSEVaRDREVTdSOEUzOlBOMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMc3i/Br4FM+D7T04hmPlJ4Xv3FprKe/uvZBnF1gWrGO9YnXx2O6s6tpNY3TIZu2nUDYhl2yEOTDcNPJfBR8TMKOCAXcwggFzMB8GA1UdIwQYMBaAFAbpSvauxpqRLYlVoUbhbgX9sbkEMH0GCCsGAQUFBwEBBHEwbzA3BggrBgEFBQcwAoYraHR0cDovL2FpYS5zd2lzc2RpZ2ljZXJ0LmNoL3NkY3MtcnViaW40LmNydDA0BggrBgEFBQcwAYYoaHR0cDovL29jc3Auc3dpc3NkaWdpY2VydC5jaC9zZGNzLXJ1YmluNDBPBgNVHSAESDBGMAgGBgQAj3oBAzA6BghghXQBUx4EBDAuMCwGCCsGAQUFBwIBFiBodHRwOi8vd3d3LnN3aXNzZGlnaWNlcnQuY2gvY3BzLzATBgNVHSUEDDAKBggrBgEFBQcDAjA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN3aXNzZGlnaWNlcnQuY2gvc2Rjcy1ydWJpbjQuY3JsMB0GA1UdDgQWBBTPMfMlclb3DE5CQ2dBfkPEsWPNcTAOBgNVHQ8BAf8EBAMCB4AwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4ICAQAuzkhQTkuuhDbBl7ZEiQPE9sjNNXeDj/haieOyqLZ9CbZwVipYoCApcxrAScwHOMQORW0hefQxo5FE/sZtIBsAKEhKRyraMipz9IhiTUkGr08q71KGLCz3qAjWD3cS4OfVjoG6K3NoZmwq3SuoV5lBhd5j3+sUsAn5kaHyKFO+wHapAgGWHHBa1eJ1fY8MdddRVLqjMZtyx5tBd8McBJ2bCeGg16iAW5XGwDKSysw/9SOYXjC5IH82oSDr7n8R+cWoJOlB5sbO9uLGEvCqJvfP83i7iP5eHmJXz3DiO6B016WH/03aity2ADbxLtdRIzKSnnJYJRP56+R1+kfR98p/EabB3KUOWo6enpR688gqj8ZMoUxo0JidM/ZnP7ZpDgIUhd3rFoCG9jlyWH4y7qr0DklCEoZsybiZHaRwo6jZEqG+X9gVuNjXDd/Ut6YtXVNpjTql6rG6hRjHoBlKk9upLLbbQASzYPHgZwceHMVV6EtSwTIW0f+YvdpNuHbZCGSJjMttj3l/wQtNojiynwqqhQcaY1YxKMsQqb1nRWwmKdbpj7810MSMtLjKMzH3U115TNzdmPCeRZ4nzLkdsosvEH8A1cf3MRY0XsPRJ/+Td7DlArxCOl8QU4FQmR+yDNvBCz9hF4T46QYdsITpkljP9IR0PQOCY1Ivm2pFHOtPBDCCCVUwggUJoAMCAQICEBEPU7h29UMfA0K/1PcERnowQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMIGEMRswGQYDVQQDDBJTd2lzc2NvbSBSb290IENBIDQxJTAjBgNVBAsMHERpZ2l0YWwgQ2VydGlmaWNhdGUgU2VydmljZXMxHjAcBgNVBGEMFVZBVENILUNIRS0xMDEuNjU0LjQyMzERMA8GA1UECgwIU3dpc3Njb20xCzAJBgNVBAYTAkNIMB4XDTE5MDEzMTEyMjMzOFoXDTI5MDEyODEyMjMzOFowgZIxHDAaBgNVBAMME1N3aXNzY29tIFJ1YmluIENBIDQxJTAjBgNVBAsMHERpZ2l0YWwgQ2VydGlmaWNhdGUgU2VydmljZXMxHjAcBgNVBGEMFVZBVENILUNIRS0xMDEuNjU0LjQyMzEeMBwGA1UECgwVU3dpc3Njb20gKFNjaHdlaXopIEFHMQswCQYDVQQGEwJjaDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMiVKH8pnBmWg3KIebt6HWEBAvB+uVqNgZXs0OpzTOS0DI2S31yCRKHNkHgKDRqPryjgnm4UCnAayjOKcwRb5rHzVJxirfceASLvtqjE2MA5qiqynLGvKcQSXeqZC9pbPaNVF4N2pLZs/3/e4x1aE9nQu6CIsjIq9C3j9KJbFTbaAFg8lYIF+0vbZJfbkuo2tOibLeQi5OEvWKJqsHKC2Kiy7Mb3dIq92itgp05nJ/Oz2BuYvyUe2M+P6C6Lft1gpzZu/wymsoVggVXxhk5IyjYicUwVjWkRJVnjqLM8DTEobHAi+1wWMzJacg39f3zeMRQGPfOkOQ4dhieuamqf6fYdxFHeqwxZWu8qR+q1ULvwYdmUE/EOn8fVIHHz/aN4TPexTTP07qzlNlEBA5lfcbDSqKx9948/ei/izhlM1FHplC4HS7YXEJ7BaVzryTRfFrObZyzM5+xd07T6gJP1SaD4uRFuHEq9Nde0c7Jm004RYSCOQ+l6+clIjoNimcG4d/dQ0i5tpeZsUci/JTSoeRz7C48r3tJ+T1DUrs+D09zieTJhLCdg8xu+lOKNqZqdy+VEcvS+bwKS5xlvEj5oK2mD1fkkolMjY6O6zK5mtx3IP0bvNBoAysAcS9w9d5/Yg0v2bzEiDvG5HZsOgjQxL5y0oHLty+calsLc99iqJHo7AgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEAMB8GA1UdIwQYMBaAFFRaZx9rNPmeWUCiX0F6PsEIxhUTMEYGCCsGAQUFBwEBBDowODA2BggrBgEFBQcwAoYqaHR0cDovL2FpYS5zd2lzc2RpZ2ljZXJ0LmNoL3NkY3Mtcm9vdDQuY3J0MEUGA1UdIAQ+MDwwOgYIYIV0AVMeBAQwLjAsBggrBgEFBQcCARYgaHR0cDovL3d3dy5zd2lzc2RpZ2ljZXJ0LmNoL2Nwcy8wEwYDVR0lBAwwCgYIKwYBBQUHAwIwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5zd2lzc2RpZ2ljZXJ0LmNoL3NkY3Mtcm9vdDQuY3JsMB0GA1UdDgQWBBQG6Ur2rsaakS2JVaFG4W4F/bG5BDAOBgNVHQ8BAf8EBAMCAQYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IEAQB94lcrFcuN3DDpxj3NXoutnV4h6Zv0y5E/kM9xUkQDrrOsl41ZKRGx2GKE4rz9nAF99LFt8gPMeNjuQ8M/ZO5JKayx9h0iSH8+7kHharQm1xqWctcyQIXLExtpG80e7dc87NjVYsj929Iw+fWHQqcVOMR07Dyj7h8bIyue15WeDedUNibQOz2LRbB3NoOG36f7+JeYwGOhQflxQsNQl3vALJrYI04VvCvvgD8nRrI8NewgJcbdSEjTMY1vr5ZK6EzqI+4yVPXUiubCDM519UhXOVq5WhEzQQIwd71udpg7s0+nIKCGtI11D5gRjSFnBBJZD200AczPNO7gLeZwKcBjwMvEmYktszH3UyZDltqvR4vvjBQUtHbMYKnDpcVTZ+h7ScIVkmiOs2LgUQI709zQMH9LIyOg+zevR5QpPu12f+FKEji+7PxUtb9kY2jhxu/QxWlgIHf0Ap7FyqLxOxfokyNQk3aiwcihUujhFrBK/HklEbkS5PlcQKIGKccqU5TBL9ovRP00ZtLsMbN9nHzkcK4erqcwB4C1C9IFW96waD+n4EYwA+lUxBiHMJHLMLt1dLtqgKryscmp/RL+1Q2xNuJ3sHJMQPjgm9Ns4NcWur8sb5ZDbywo1wHmlI1gjIo+5fFprPMqk4z2IQAjRQc9LH02v75kuQ4+dKWfLbKFEZS+N8/cODsGyzOF+FaIEvFbfVFHTgm/B+xHKgSDIj6WpfnbhWX5FQ5uYkK0LhIbC5DR7gHa17RMIHkx65I5ScnL7+T0TNWFBJjhPYeK4T9REiHRyRp1xYnYdRHLTAxCIDHMVb3Qaj1oHRf1O2NDzTl4lU5ZoluQZh51k3UeTHHbuGmT+/AbHHUsWKaUF1UCA2tlFzVlI0JMjpWnmh5t3iRQcSaFeBLtq/eYM6wAQpG4FX2pLoLuBVVA27vQ9RKtI7H42Nc7tNVDQqnagkluCIy8AoacOFDRFHg5M+yKyik8fnt6kuv+Vh/j1RSXZo7t9su9/vw/yfyJ4SmJnq5OMaEVkThNwDY4dDZjInRHEAnMwAlJA1zUns3iNKB7XZ0yZETM/3VqwUjxLat9RNmPADa4diMW7HewHHcRIFVbxOF/CQl95sveHakyvD/x1cKFPfwbkAXJzdNpc6V5hZZ6j7yv2kiQebH4orHFnFPDTpFtW4Zwb1S9DkmNoq/AtAg9WJGjPkfxlwMGSVMhQQ048UjCadirVL9U7AZRIBcxlT1jjVGysWd3LMIuR6qN6HpWlO28LtQqraq8hJpMZAwQCT+WU4dAKq/EE4vIZD/RQKdD9E/qvqwvGvswSvIrXwh9iA0M1WyB2JUDmkehxjcQ2BEN290QNRQIa7xSlcfUciSEMIIKVTCCBgmgAwIBAgIQFJ46eF+C8WuK+yGq1a/3RzBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAwgYQxGzAZBgNVBAMMElN3aXNzY29tIFJvb3QgQ0EgNDElMCMGA1UECwwcRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UEYQwVVkFUQ0gtQ0hFLTEwMS42NTQuNDIzMREwDwYDVQQKDAhTd2lzc2NvbTELMAkGA1UEBhMCQ0gwHhcNMTgxMTI5MTAyMTUzWhcNMzgxMTI0MTAyMTUzWjCBhDEbMBkGA1UEAwwSU3dpc3Njb20gUm9vdCBDQSA0MSUwIwYDVQQLDBxEaWdpdGFsIENlcnRpZmljYXRlIFNlcnZpY2VzMR4wHAYDVQRhDBVWQVRDSC1DSEUtMTAxLjY1NC40MjMxETAPBgNVBAoMCFN3aXNzY29tMQswCQYDVQQGEwJDSDCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAMYSU5n0a3hxJTV2UbAl0yxQNCFbZbExdTno3VsASxxbjQKPF9Iz8HsPAdPyC7bbYmpVk7WuaKD5myJaVPpN4bEnFosFEfAGWDdN5D6Sb9ckn7EunQWznJ+FfMb6kUM+jJL9nUxYBCJexxeTq4XmAKP3ziq+yP/i8JvxL5vQPi2kbfva5c20J9Q72xVVeX/pAmRn0JQZ2cuulzz+M/cwUv2p8YsOYj1H62wITiCsOThI4RlIQXheQOcaM4XBktb8b0SJOpHhbOfCWP9ghgpXbGfC/COKAegQvwzJqGuyrXXQe6k0TGELLzwLf65S5piHfrEwOJS32Ie81TCc7BkWr3+8xDBUBFPy7mWwOqI9tUutm6XiHrFlHk5yHppBiYAwHwFrtCt/e7UpP/w/8ugsfKxT8WbP5DHA9u18EpAFBCFh8h+5llXbFwPZ5+zLMV5qyg2RwqiSeAo4s8RTUF+/+urw+P2/mrw4dqfeWo+gwrRPuGFaj+I2H+lQaWHFRrw6XgqdjNp8BTo8qi5nwJCImTlTburerWCcj9gLduf/+6lRBiAq+Q/QIbG0ERdUq+LCAkRV/6VWezk9RFQmM+jU2VhVnMda9z++eNpjGgNWEeG6leYBVr0Jnu6Dk6QzxY2j3jHUiv46S2lf3Pf7mYryV6ldvGNddmZ8uRBUJ3tuxOBddgQgV+A8wJcqEudkWCWMc1u4ULtWXUN++DakB63+TMUPRXBMxW4w+ddA3esS7zlgdcAoVihwWU+NGuFwbcAUrizg77FH6mbtesUW2zPbxK7iUwles8/4MvjX94lq0/3owL1AiR7gW/vhWazIDbU06gfMMxMKho6sAY6+0imrrWHEse2YFmQHdr2OqVzXhl8BL+jC/mNUduqNLcwP/Cdzhqa1555JlbExNUNgnQJ8FHFMzGPAKzFAoPmU0+Dj/bIHYMuCTMmW58GuXPhSJfur/CZeChDHKD529HEP472l/rGYasHazl6P8Si5lZi+7piU++Vwe3tg5YKuM2CQgNXXHYeNkjaRCIQ6DkZhoi7Qd6nEmLvblkt4f9d91Qj+1Xjy0cJvCx5aPEOsnRDW58BTjpdgan9TSEkLZNsk7ld6MFNum4ifBBEPEZ98QRoXZG5n3676MDoaEp9aouWX2y24Z6NkgdH7OZvmgRzPSUEWXOxZPDxymePVE8Avkm/Ni6JkxsCoRVdNqMNOO8HYSm7dcn1KKtWNwW44jGZWx6PZoJ5e/E6ESHdL4RBdoKYvdnkmHvP9AUitpLxCRAGGEI5EhxOG9mILWjSEwp0LKchEyF16ndtoUe1suZT4Sw5yGwPjW159poroSoy/WDUmwcjiExueOU5NAn7jolQLs5DIJkECAwEAAaNZMFcwDwYDVR0TAQH/BAUwAwEB/zAVBgNVHSAEDjAMMAoGCGCFdAFTHgQAMB0GA1UdDgQWBBRUWmcfazT5nllAol9Bej7BCMYVEzAOBgNVHQ8BAf8EBAMCAQYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IEAQAIZlEtAqKqPdJGz4Zwb5hCBw3E9fkJFMGnNkZ7jb0akuwsoeMSlfnZ1JUbfHGSSHFruadJFqm5IqeUSPtvSDkIo3wpF2OLP5lvBA2USupFLbcGK+wxDFXcTzdmqgj1S3ssQEL6eTgbYqPeWDAN9m1kkzBgDIk7cOGJyOMr805ZIZ/GgRduw72IcWB57AuEYyPQoES7ulYbFE4MgkxNzod9J4281jDl6WJB2C67BEiDlnBhQzyBYx6uFKcfWmEjGxvtTlXIGqYLtu9YWICzNOUeB3o238QQFsmSNRJXMALMBGak4R7+0v9r+oZSjQexx2QEXUMlYUjyR/02DaPZC/cfzE5HTvQr601f6xOpTPMw1XNFxMyds1KkmIOielXDGtNr4ufKPX5CuuBWXO1W2ESzS/bl0NP+E1kugz6B5KsO9cD4L5XuYbTP9PJ/MO+frNEW5Ua4HHVKxpOvpU1h6DacykzVw95d/KZDudZku+D5PWI01i7DgBUoPppM2Pt0xtdmQx4hVNrIDeW5jhCvIc9ZSfzXwpIUFlT9Mqy4cRjuEGxa7gYTZ7Ktwy7C5UpZu+5ExAYkcWmWQ1fGLctPC4Wh5dhan+6UvjfYCw0IaLukXo8h3YucLpAr7XU3fFhc01SBNxrtAwWJ1iLZvJvAlT3ggZfdQBzeOmGqFWjLmMpirs5KUwqKMUawEZjHPM9LXsuQcNo6AbZH6S+4cJEQEbVuMrfbF2X/0Zu5B8fqq+PWyxJ3XgdR6w9TYtgg2LeUU+B/wbCH2lo15d2IwxySAL/hASRo/sP7c/UuE8UvMiWl1GRRJPgbjtikkruBQXCRMBBLq2Ts6dXT+LizFdyAbnpOuiEK6hH9JDpJGV+DaZyQiwCOcNOcPR8/cR96eeBDU8mx870//ZJunRoGBm24mYeV0TLQuKbEEpaNk5Tc0z3Ci9eHsTgroncuI10p671aQIBXYdT9/QzEsDTsdNFx4m3gDarYRCBjgF481Vj0o2qvYkdu+1GpG7cfKcPLJRFb+J/6g2SD9+yoSPnOuuTiU1l1tC22G1xV/ds8qymjR+BnY3wmFDaCMf0DdG1mkkUEzG+MHUHmaId00bejnZ+GEdFX3sS/WrxRCCWI+f5h9SLYntobevUHKqY6Yk93+xa3CPYMRGF7QM9BfVxHYsgvr8isYcsPwjylZumzMW2yxGIK+Zy4K5qTz7G/lLk/oRAvf/3e2SYmY6QpHeS86pc78jB0+6bRhnT8BWtZ9r2sAIORgLzEZ+U1o6YZOXrUeaIjK+eSmge4BTbk2mfQGPvQ9/XhHOIANN13S/gyURCPoKmjPH3IB54FSdFyIp8fT6JQx3L8l+6iX8OndMFLMgjr/DJOAAAxggF/MIIBewIBATCBpzCBkjEcMBoGA1UEAwwTU3dpc3Njb20gUnViaW4gQ0EgNDElMCMGA1UECwwcRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UEYQwVVkFUQ0gtQ0hFLTEwMS42NTQuNDIzMR4wHAYDVQQKDBVTd2lzc2NvbSAoU2Nod2VpeikgQUcxCzAJBgNVBAYTAmNoAhAMzSG1HEy/FyyHsF6hs9KrMA0GCWCGSAFlAwQCAQUAoGUwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAYBgoqhkiG9w0BCRkDMQoECGCdWBgjVQKFMC8GCSqGSIb3DQEJBDEiBCB/UcUDG0cFGw0KvQewtzQo6KfXoh5O+w9kAN1BOeYS/zAMBggqhkjOPQQDAgUABEgwRgIhAPxOjVLlU3QnrqJot4DHILXhV9GneKNCIfL6ia7DATybAiEA1GB/TLisxGDcjAycNCia559r4M0LLuh0Q9K7xyw9iPMAAAAAAAA="

cms_signed_data = OpenSSL::PKCS7.new(Base64.decode64(base64_signature))
signer_info = cms_signed_data.signers.first

signer_cert_chain = [].tap do |chain|
  cms_signed_data.certificates.each do |certificate|
    chain << certificate
    signer_cert = certificate if signer_info.serial == certificate.serial
  end
end

# checking certificate dates validity
today = DateTime.current
raise "Certificate will be valid on #{signer_cert.not_before.iso8601}" if today < signer_cert.not_before
raise "Certificate has expired on #{signer_cert.not_after.iso8601}" if today > signer_cert.not_after

# Using certificates store to check validity of path
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths
cert_store.add_cert(root4_cert)
signer_certificate_path_valid = cert_store.verify(signer_cert, signer_cert_chain)

signer_cert_chain.each do |certificate|
  signature_valid = signer_cert.verify(certificate.public_key)       # raising OpenSSL::X509::CertificateError (unknown signature algorithm)
  break if signature_valid
end

cms_signed_data.verify(signer_cert_chain, cert_store)
cms_signed_data.error_string                                         # giving "certificate verify error"