[openssl-users] using openssl to create PKCS#7/CMS on windows

Jakob Bohm jb-openssl at wisemo.com
Fri Feb 6 14:38:48 UTC 2015

On 05/02/2015 14:30, Srinivas Rao wrote:
> Hi All,
> Is there a way to use openssl to sign data using a private key (on USB
> token) and produce PKCS7 output on win32, if:
> a) the data to be signed message is not touched yet and goes as input
> to the solution to the answer to this problem, OR
> b) signature is already generated, i.e message is hashed and signed
> and only needs to be encoded in PKCS7,
> If yes, for which of the above case and how (please give some pointers
> on how to go about it).
> Thanks
> Srinivas

Are you trying to get us to help with a school assignment?
This looks a lot like how a teacher would ask a question to
his students to find out how much they have understood.

That said, the main pointers I can give you are these:

Very little in OpenSSL differs between Win32 and other
systems.  However there is one part in the question that
will usually be slightly different on Win32.  If you
understand the question and OpenSSL general features, you
should be able to recognize which part that is.

One of the alternatives is going to be more difficult than
the other because it is a less common task, but it may still
be doable with some ingenuity.

The task (either one if both are doable) can be performed
using almost no APIs and interfaces other than those
provided by OpenSSL and ANSI C.  If you are tempted to use
other tools, look closer at the OpenSSL feature lists and
available options.

In your code below you forgot to use two of the items your
teacher gave you, which is probably the problem.

> On 1/30/15, Srinivas Rao <srirrao at gmail.com> wrote:
>> All,
>> Please let me know if my below mentioned usage of PKCS7_sign()+adding
>> signer info is wrong and how.
>> Really appreciate your response.
>> cheers and regards
>> Srinivas
>> On 1/29/15, Srinivas Rao <srirrao at gmail.com> wrote:
>>> OpenSSL experts,
>>> Here the intention is to get the signed data (raw signature obtained
>>> by PKCS11 APIs like C_Sign) to be packed in PKCS7 format (attached -
>>> with certificate, content and signer info) using openssl.
>>> I am using USB token (smart card) for signing.
>>> Here's the code snippet.
>>> 	PKCS7* p7 = PKCS7_new();
>>> 	PKCS7_set_type(p7, NID_pkcs7_signed);
>>> 	//PKCS7_SIGNER_INFO_set(pSI, pX509, pX509->cert_info->key->pkey, EVP_sha256());
>>> 	//PKCS7_add_signer(p7, pSI);
>>> 	PKCS7_SIGNER_INFO* pSI = PKCS7_add_signature(p7, pX509,
>>> pX509->cert_info->key->pkey, EVP_sha256());  // <== core dumps here
>>>          :
>>>          :
>>> where pX509 is correctly obtained X509* node using d2i_X509() from the
>>> value obtained from PKCS11 functions like C_GetAttributeValue() etc.
>>> I believe the set of the commented lines is the alternate way for this
>>> add signature function - that also dumps core at
>>> PKCS7_SIGNER_INFO_set() function.
>>> I have no clue as to what I am doing wrong here.
>>> Appreciate your help.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
