[openssl-users] Create CMS signed data only with signature (not requiring data)

Jakob Bohm jb-openssl at wisemo.com
Wed Jun 24 12:35:30 UTC 2015


On 24/06/2015 11:51, Rishi Pathak wrote:
> Openssl CMS command requires the actual data to be provided as an 
> input for creating CMS signed data type.
>
> But what we have is only the signature and the certificate. Is there a 
> way to create CMS signed data without requiring the original document? 
> What we want is to only create and not sign as we already have 
> signature on the hash of the document.
>
> One way we thought was to use genconf of asn1parse command, i.e. 
> create configuration file for CMS in the format required by it. But 
> not much help is available on that front.
>
> Any thoughts, links are welcome.
>
First of all, you are not limited to the command line tools in the 
openssl utility.  OpenSSL is first and foremost a programming library 
and the command line tools are just a (big) taste of what you can do 
with that library.

Second, what you really want is probably one of the following:

  * To verify a CMS (PKCS#7) signature on a short message containing a
    hash of the rest of the document.  In this case, verifying the
    signature and checking if the document hash matches the contents of
    the short message are already different steps, with the CMS API
    and/or the "openssl cms" command doing only the verification of the
    signature.
  * To verify a "detached" CMS signature on the document hash.
    Internally, this is actually a special form of a signature on a
    short message like above, but you may need to look deeper at the API
    to find the sequence of calls which verifies this separately from
    the step of computing a hash of the rest of the document.
    Unfortunately, this is not currently exposed by the "openssl cms" or
    "openssl smime" command, though it is often a useful first step, for
    instance if you download the signature before the signed file.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
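
The first approach in the reply above (a CMS signature over a short message that contains the document hash, with the hash comparison as a separate step), as an added example that is not part of the original message or of OpenSSL's own documentation. The function names `sign_hash`, `verify_doc` and `demo`, the file names and the throwaway self-signed signer are assumptions for the demo.

```shell
#!/bin/sh
# Added example. Function names, file names and the throwaway self-signed
# signer certificate are assumptions made for this demo.

# sign_hash DOC KEY CERT OUT
# Wraps SHA-256(DOC), not DOC itself, as the content of a CMS SignedData.
sign_hash() {
    openssl dgst -sha256 -binary "$1" > "$4.hash" &&
    openssl cms -sign -binary -nodetach -md sha256 -in "$4.hash" \
        -signer "$3" -inkey "$2" -outform DER -out "$4"
}

# verify_doc DOC CMS TRUSTED_CERT
# Step 1: verify the CMS signature and signer chain, extracting the signed hash.
# Step 2: recompute the document hash and compare. Both must pass.
verify_doc() {
    recovered=$(mktemp) || return 2
    if ! openssl cms -verify -binary -inform DER -in "$2" \
            -CAfile "$3" -out "$recovered" 2>/dev/null; then
        rm -f "$recovered"
        return 1    # bad signature or untrusted signer
    fi
    signed=$(od -An -tx1 "$recovered" | tr -d ' \t\n')
    actual=$(openssl dgst -sha256 -binary "$1" | od -An -tx1 | tr -d ' \t\n')
    rm -f "$recovered"
    # Reject anything that is not exactly a 32-byte digest equal to ours.
    [ "${#signed}" -eq 64 ] && [ "$signed" = "$actual" ]
}

demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed sample document\n' > "$d/doc.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo signer' \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 2
    sign_hash "$d/doc.txt" "$d/key.pem" "$d/cert.pem" "$d/hash.p7s" || return 2
    verify_doc "$d/doc.txt" "$d/hash.p7s" "$d/cert.pem" && echo "original: OK"
    printf 'tampered\n' >> "$d/doc.txt"
    verify_doc "$d/doc.txt" "$d/hash.p7s" "$d/cert.pem" || echo "modified: REJECTED"
    rm -rf "$d"
}

demo
```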
