CAdES
Rudolf Suchan
rudolf.suchan at proton.me
Fri Jun 23 16:23:07 UTC 2023
Hello,
Look here:
https://cutt.us/CAdES
There you have an overview of the CAdES variants.
If I have binary data stored in a file named "binar", a private key in a file named "key", my certificate in a file named "cer", a file
containing complete certificates and revocation links named "CerRevLink", and a file containing complete certificates and revocation
data instead of just links named "CerRev", how can I create a CAdES signature of the "binar" file to generate a "CAdES-X Long" signature?
I tried this:
openssl cms -sign -binary -nodetach -cades -in binar -out PLAIN.txt -inkey key -signer cer
Enter pass phrase for key:
openssl cms -verify -binary -cades -in PLAIN.txt -CAfile CerRev -out Binar
CAdES Verification successful
sha512sum binar = sha512sum Binar
What exactly of this (CAdES-BES CAdES-EPES CAdES-T CAdES-C CAdES-X Long CAdES-X type1 CAdES-X type2 CAdES-A CAdES-LT CAdES-L CAdES-B CAdES-XL) is in file PLAIN.txt?
I think there is CAdES-BES in file PLAIN.txt. Am I right?
If so, how do I create CAdES-X Long?
While we are at it, could you please also write me what commands I need to create each type of signature from the following list?
CAdES-EPES
CAdES-T
CAdES-C
CAdES-X Long
CAdES-X type1
CAdES-X type2
CAdES-A
CAdES-LT
CAdES-L
CAdES-B
CAdES-XL
Thank you.
Could I do it using three separate commands?
First CAdES-T
openssl cms -cades -sign -in binar -signer cer -inkey key -out Tsignature.txt -nodetach -binary -md sha256 -outform DER -tsa <tsa_url>
-cades because we need to sign attributes?
-nodetach because we pipe the output to the second command?
-binary because of no problem with ^M as EOL.
-md sha256 just a possibility
-outform DER because of binary data output
-tsa <tsa_url> for getting a timestamp
Second CAdES-C
openssl cms -cades -sign -in Tsignature.txt -signer cer -inkey key -out Csignature.txt -nodetach -binary -md sha256 -outform DER -certfile CerRevLink -noattr -crl_url "http://example.com/revocation-list.crl" -ocsp_url "http://ocsp.example.com"
-cades use this or not?
-in Tsignature.txt Tsignature.txt is the output of the above command
-signer cer or -signer CerRevLink? Only the key is necessary to sign, so what file should I put here after -signer?
-nodetach because we pipe the output to the third command?
-certfile CerRevLink this contains Issuer certificate, Root certificate and Revocation-URL: http://example.com/revocation-list.crl, Revocation-URL: http://ocsp.example.com
Is this the same: (-cades -noattr) = (without -cades and without -noattr)?
-crl_url "http://example.com/revocation-list.crl"
-ocsp_url "http://ocsp.example.com" as an alternative if this is not in CerRevLink
Third CAdES-X Long
openssl cms -cades -sign -in Csignature.txt -signer cer -inkey key -out XLongsignature.txt -binary -md sha256 -outform PEM -certfile CerRev -noattr
-cades use this or not?
-signer cer or -signer CerRev?
-nodetach is missing, we want a detached signature
-outform PEM or MIME?
-certfile CerRev file CerRev contains Issuer certificate, Root certificate and -----BEGIN X509 CRL-----
base64
-----END X509 CRL-----
-noattr see the question in second command above
I have not experimented with this yet. Please tell me your opinion.
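One way to answer the "what exactly is in PLAIN.txt" question for a given file is to look at which CAdES attributes the signature actually carries; the checker below is an added example, not part of this post or of OpenSSL. It walks the DER, collects the id-aa attribute OIDs defined in RFC 5126 and names the CAdES form they imply, by presence only (it validates nothing); the file name `PLAIN.der` (a signature written with -outform DER) and the constructed `sample_attrs` input are assumptions.

```python
# Added checker, not OpenSSL code: name the CAdES form of a DER signature from the id-aa attributes present.
ID_AA = "1.2.840.113549.1.9.16.2."  # RFC 5126 id-aa arc; last arc number identifies the attribute
OIDS = {ID_AA + n: name for n, name in (
    ("12", "signingCertificate"), ("47", "signingCertificateV2"), ("15", "sigPolicyId"),
    ("14", "signatureTimeStamp"), ("21", "certificateRefs"), ("22", "revocationRefs"),
    ("23", "certValues"), ("24", "revocationValues"), ("25", "escTimeStamp"),
    ("26", "certCRLTimestamp"), ("48", "archiveTimestampV2"))}
def _tlv(b, i):  # (tag, content, next offset) of the DER element starting at b[i]
    tag, ln, i = b[i], b[i + 1], i + 2
    if ln & 0x80:  # long form: low bits give the number of length octets
        n = ln & 0x7F
        ln, i = int.from_bytes(b[i:i + n], "big"), i + n
    return tag, b[i:i + ln], i + ln
def _decode_oid(body):  # base-128 arcs, high bit set = continuation octet
    parts, v = [body[0] // 40, body[0] % 40], 0
    for c in body[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            parts, v = parts + [v], 0
    return ".".join(map(str, parts))
def collect_oids(b):  # every OID in the blob, descending into constructed elements
    found, i = set(), 0
    while i < len(b):
        tag, body, i = _tlv(b, i)
        if tag == 0x06:
            found.add(_decode_oid(body))
        elif tag & 0x20:
            found |= collect_oids(body)
    return found
def cades_level(der_bytes):  # presence-based classification; validates nothing
    have = {OIDS[o] for o in collect_oids(der_bytes) if o in OIDS}
    if not have & {"signingCertificate", "signingCertificateV2"}:
        return "not CAdES (no ESS signing-certificate attribute)"
    if "signatureTimeStamp" not in have:
        return "CAdES-EPES" if "sigPolicyId" in have else "CAdES-BES"
    if not {"certificateRefs", "revocationRefs"} <= have:
        return "CAdES-T"
    if "archiveTimestampV2" in have:
        return "CAdES-A"
    xts = have & {"escTimeStamp", "certCRLTimestamp"}
    if {"certValues", "revocationValues"} <= have:
        return "CAdES-XL" if xts else "CAdES-X Long"
    if xts:
        return "CAdES-X Type 1" if "escTimeStamp" in have else "CAdES-X Type 2"
    return "CAdES-C"
def sample_attrs(names):  # constructed input (not OpenSSL output): SET OF Attribute
    # SEQUENCE { id-aa OID, SET {} } with the values left empty; only the OIDs matter
    attrs = b"".join(bytes.fromhex("300f060b2a864886f70d01091002") + bytes([int(o[len(ID_AA):]), 0x31, 0])
                     for o, name in OIDS.items() if name in names)
    return b"\x31" + (bytes([len(attrs)]) if len(attrs) < 128 else bytes([0x81, len(attrs)])) + attrs
```

On a real file, call `cades_level(open("PLAIN.der", "rb").read())`; a signature that only carries the ESS signing-certificate attribute reports CAdES-BES.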