<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 24/06/2015 11:51, Rishi Pathak
wrote:<br>
</div>
<blockquote
cite="mid:CANavbA6kXpe+ueah=UdDvMic_XEGyqH58bFbOiSZ5ocw1CHFsQ@mail.gmail.com"
type="cite">
<div dir="ltr">The OpenSSL CMS command requires the actual data to be
provided as an input for creating the CMS signed data type.
<div><br>
</div>
<div>But what we have is only the signature and the certificate.
Is there a way to create CMS signed data without requiring the
original document? What we want is to only create and not sign,
as we already have a signature on the hash of the document. </div>
<div><br>
</div>
<div>One way we thought was to use genconf of asn1parse command,
i.e. create configuration file for CMS in the format required
by it. But not much help is available on that front. </div>
<div><br>
</div>
<div>Any thoughts, links are welcome. <br clear="all">
<div><br>
</div>
</div>
</div>
</blockquote>
<p>First of all, you are not limited to the command line tools in
the openssl utility. OpenSSL is first and foremost a programming
library and the command line tools are just a (big) taste of what
you can do with that library.</p>
<p>Second, what you really want is probably one of the following:<br>
</p>
<ul>
<li>To verify a CMS (PKCS#7) signature on a short message
containing a hash of the rest of the document. In this case,
verifying the signature and checking if the document hash
matches the contents of the short message are already different
steps, with the CMS API and/or the "openssl cms" command
doing only the verification of the signature.</li>
<li>To verify a "detached" CMS signature on the document hash.
Internally, this is actually a special form of a signature on a
short message like above, but you may need to look deeper at the
API to find the sequence of calls which verifies this separately
from the step of computing a hash of the rest of the document.
Unfortunately, this is not currently exposed by the "openssl
cms" or "openssl smime" command, though it is often a useful
first step, for instance if you download the signature before
the signed file.<br>
</li>
</ul>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="http://www.wisemo.com">http://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
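<p>The two steps separated in the reply above, as an added example that is not part of the original message or of OpenSSL: it assumes the SignerInfo carries signed attributes as in RFC 5652, where the messageDigest attribute holds the document hash and the signature covers the attributes re-tagged as a SET OF. The function names and the sample data are constructed for illustration; verifying the signature over the bytes returned by signature_input() is left to a cryptographic library.</p>

```python
import hashlib
import hmac

OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def message_digest(signed_attrs):
    """Extract the messageDigest value from DER signedAttrs ([0] or SET)."""
    tag, attrs, _ = read_tlv(signed_attrs, 0)
    if tag not in (0xA0, 0x31):
        raise ValueError("not a signedAttrs element")
    pos = 0
    while pos < len(attrs):
        _, attr, pos = read_tlv(attrs, pos)       # Attribute SEQUENCE
        _, oid, p = read_tlv(attr, 0)             # attrType
        _, values, _ = read_tlv(attr, p)          # attrValues SET
        if oid == OID_MESSAGE_DIGEST:
            return read_tlv(values, 0)[1]         # OCTET STRING contents
    raise ValueError("no messageDigest attribute")

def signature_input(signed_attrs):
    """Bytes the signer's signature covers: signedAttrs re-tagged as SET OF."""
    return b"\x31" + signed_attrs[1:]

def document_matches(signed_attrs, document, hash_name="sha256"):
    """Second step, run once the document arrives; no key is involved."""
    actual = hashlib.new(hash_name, document).digest()
    return hmac.compare_digest(actual, message_digest(signed_attrs))

def _tlv(tag, value):                      # short-form encoder, sample data only
    return bytes([tag, len(value)]) + value

# Constructed sample: signedAttrs as stored in a SignerInfo ([0] IMPLICIT).
DOCUMENT = b"constructed sample document\n"
SAMPLE_ATTRS = _tlv(0xA0,
    _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010903")) +
               _tlv(0x31, _tlv(0x06, bytes.fromhex("2a864886f70d010701")))) +
    _tlv(0x30, _tlv(0x06, OID_MESSAGE_DIGEST) +
               _tlv(0x31, _tlv(0x04, hashlib.sha256(DOCUMENT).digest()))))
```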
</body>
</html>