[openssl-users] cms utility "-sign" doesn't include signed content

lists lists at rustichelli.net
Tue Nov 7 18:10:43 UTC 2017


On 10/20/2017 10:00 PM, Chris Marget wrote:
> I'm struggling with a PKCS7 signing operation using openssl 1.0.2g.
>
> I want to create signed messages like the one in my 'original' file 
> (below). It seemed like extracting and then re-signing this message 
> would be a good start.
>
> I'm able to verify/unpack the original message, but not able to sign 
> the unpacked message to get back to where I started. I have access to 
> the signer's certificate and private key.
>
> I hope somebody can point me in the right direction?
>
> I'm extracting the message with:
>
> openssl cms -verify -CAfile CA_cert.pem -inform pem -in original -out 
> extracted
>
>
> I thought I'd be able to re-sign this message using something like:
>
> openssl cms -sign -md sha1 -in extracted -inkey signer_key -signer 
> signer_cert -outform pem
>
>
> This 'sign' operation completes successfully, but produces an output 
> that's missing the payload. Using the same procedure to sign 1MB of 
> random data produces a result that's only 1396 bytes long:
>

I think you want to add the option "-nodetach"

> dd if=/dev/urandom bs=1M count=1 | openssl cms -sign -md sha1 -inkey 
> signer_key -signer signer_cert -outform pem | grep -v -- -- | base64 
> --decode | wc -c
>
> 1396
>
>
> Clearly this 'sign' function doesn't do what I thought it did.
>
> How can I sign blob of data so that it looks like my 'original'?
>
> The files I'm using:
> original https://pastebin.com/raw/CNPLyqcm
> CA_cert.pem https://pastebin.com/raw/HiE6gMTN
> signer_key https://pastebin.com/raw/tnCXeYHg (the correct key, but not 
> an actual secret)
> signer_cert https://pastebin.com/raw/ACtTVHdp
>
> Thank you!
>
>

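A check for exactly what the poster observed, added here as an example (not code from this thread or from OpenSSL): a minimal DER walker that reports whether a CMS SignedData carries its content (as `-nodetach` produces) or is detached, so a signature that came out suspiciously small can be inspected instead of guessed at. It takes the DER bytes (what `-outform der` writes, or the PEM armour base64-decoded as the poster did), and the sample structures below are constructed skeletons with no real signer, built only to exercise the check.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def cms_econtent(der):
    """Return the embedded payload, or None if the SignedData is detached."""
    tag, content_info, _ = der_tlv(der)
    fields = list(der_children(content_info))
    if tag != 0x30 or fields[0] != (0x06, OID_SIGNED_DATA):
        raise ValueError("not a CMS ContentInfo carrying SignedData")
    _, signed_data, _ = der_tlv(fields[1][1])          # [0] EXPLICIT -> SEQUENCE
    # SignedData fields: version, digestAlgorithms, encapContentInfo, ...
    encap = list(der_children(list(der_children(signed_data))[2][1]))
    if len(encap) < 2:                                 # eContent [0] is absent
        return None
    _, payload, _ = der_tlv(encap[1][1])               # [0] EXPLICIT -> OCTET STRING
    return payload

def der(tag, *parts):
    """Encode a DER TLV (short- or long-form length) around the joined parts."""
    body = b"".join(parts)
    n, k = len(body), max(1, (len(body).bit_length() + 7) // 8)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def sample_signed_data(payload=None):
    """Constructed SignedData skeleton (no certs, empty signerInfos):
    eContent is embedded when payload is given, omitted (detached) otherwise."""
    encap = der(0x06, OID_DATA)
    if payload is not None:
        encap += der(0xA0, der(0x04, payload))
    signed = der(0x30, der(0x02, b"\x01"), der(0x31), der(0x30, encap), der(0x31))
    return der(0x30, der(0x06, OID_SIGNED_DATA), der(0xA0, signed))
```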