[openssl-users] Converting Bin format to X509 format

Anirudh Raghunath anirudhraghunath at rocketmail.com
Wed Jul 22 10:32:02 UTC 2015

Thank you for the extremely elaborate answer. Now I understand the big picture. I want to attach a file from the server side which can be collected in the client program(the test) and I want to sign it and send it back. I have the ssl server client connection ready through socket and ssl code. I want to know if there is a function to load the random file to the SSL_CTX object the way we do with certificates. Thanks anyways for taking the time to answer my trivial doubts :). 

     On Wednesday, 22 July 2015 12:12 PM, Victor Wagner <vitus at wagner.pp.ru> wrote:

 On Wed, 22 Jul 2015 09:17:43 +0000 (UTC)
Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:

> Hello,
> I have used rsault -sign option to sign a text file which gives me a
> binary file. I would like to convert this to X509 so that I can use
> it in a ssl handshake. I understand the command: openssl x509 -inform
> <format> -in <certfile> -out <cert.pem> is used. I want to know what
> the parameters would be for a binary input file. Thanks in advance. 

Unfortunately signed text file and certificate are quite different

Of course, certificate is signed electronic document. But it is
document of special binary format, which contains public key and
information about owner of corresponding private key.

And typically, it is not signed by you, it is signed by Certificate
Authority (known to server).

When you use certificate (and corresponding private key) during SSL
handshake, it means than server sends you something, you sign this
something using your private key and send signature to server along
with certificate.

Server verifies signature under data, which it remembers it have been
sent to you, using public key contained in the certificate, and says
"Ok, this guy really owns private key corresponding to public key in
this certificate". It also verifies signature under certificate using
known beforehand and trusted CA certificates, to make sure that  public
key stored in the certificate
really belongs to person mentioned in the certificate subject field.

So, if you sign some text file using your certificate, this signature
cannot be used in the SSL handshake any way. Because you've signed some
text file, not a challenge send by server during SSL handshake.

This signature proves that you, owner of private key,
have had access to
this text file (provided your private key is not compromised), but
there is no way to use this signature to prove that your are one, who
established connection with server. To prove so, you have to sign
something send to your from server, not some data, known beforehand. 

Really, option -sign of this utility may produce some signed document
format such as PKCS#7 or CMS, which contains signer's certificate.

For same purpose which I've described above. If someone wants to verify
if you've signed this file, one should have your certificate, with
public key and your name in it. Simplest way to ensure this is to
attach certificate to the signed message. Then recipient of message can
validate certificate, extracted from message with known and trusted CA
and then use it to verify signature under message.

If you want use such a curved way to extract certificate from card, it
is possbile, provided that your  rsautl produces standard signed message
format, i.e PKCS#7

may be

openssl pkcs7 -inform der -in signedfile.bin -print_certs

would do the trick and write certificate of one who signed the file into

But this is not called "convert signed file to X509 format", it is
called "extract X509 certificate from signed file".
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150722/bbb7e692/attachment.html>

More information about the openssl-users mailing list