[openssl-users] using openssl to create PKCS#7/CMS on windows

Thu Feb 5 13:30:27 UTC 2015

Hi All,

Is there a way to use openssl to sign data using a private key (on USB
token) and produce PKCS7 output on win32, if:

a) the data to be signed message is not touched yet and goes as input
to the solution to the answer to this problem, OR

b) signature is already generated, i.e message is hashed and signed
and only needs to be encoded in PKCS7,

If yes, for which of the above case and how (please give some pointers
on how to go about it).

Thanks
Srinivas

On 1/30/15, Srinivas Rao <srirrao at gmail.com> wrote:
> All,
>
> Please let me know if my below mentioned usage of PKCS7_sign()+adding
> signer info is wrong and how.
>
> Really appreciate your response.
>
> cheers and regards
> Srinivas
>
> On 1/29/15, Srinivas Rao <srirrao at gmail.com> wrote:
>> OpenSSL experts,
>>
>> Here the intention is to get the signed data (raw signature obtained
>> by PKCS11 APIs like C_Sign) to be packed in PKCS7 format (attached -
>> with certificate, content and signer info) using openssl.
>>
>> I am using USB token (smart card) for signing.
>>
>> Here's the code snippet.
>>
>> 	PKCS7* p7 = PKCS7_new();
>> 	PKCS7_set_type(p7, NID_pkcs7_signed);
>> 	//PKCS7_SIGNER_INFO* pSI = PKCS7_SIGNER_INFO_new();
>> 	//PKCS7_SIGNER_INFO_set(pSI, pX509, pX509->cert_info->key->pkey,
>> EVP_sha256());
>> 	//PKCS7_add_signer(p7, pSI);
>> 	PKCS7_SIGNER_INFO* pSI = PKCS7_add_signature(p7, pX509,
>> pX509->cert_info->key->pkey, EVP_sha256());  // <== core dumps here
>>         :
>>         :
>> where pX509 is correctly obtained X509* node using d2i_X509() from the
>> value obtained from PKCS11 funcstions like C_GetAttributeValue() etc.
>>
>> I believe the set of the commented lines is the alternate way for this
>> add signature function - that also dumps core at
>> PKCS7_SIGNER_INFO_set() function.
>>
>> I have no clue as to what am I doing wrong here.
>>
>> Appreciate your help.
>>
>> regards
>> Srinivas