[openssl-users] cms utility "-sign" doesn't include signed content

Chris Marget chris at marget.com
Fri Oct 20 20:00:08 UTC 2017

I'm struggling with a PKCS7 signing operation using openssl 1.0.2g.

I want to create signed messages like the one in my 'original' file
(below). It seemed like extracting and then re-signing this message would
be a good start.

I'm able to verify/unpack the original message, but not able to sign the
unpacked message to get back to where I started. I have access to the
signer's certificate and private key.

I hope somebody can point me in the right direction?

I'm extracting the message with:

openssl cms -verify -CAfile CA_cert.pem -inform pem -in original -out

I thought I'd be able to re-sign this message using something like:

openssl cms -sign -md sha1 -in extracted -inkey signer_key -signer
signer_cert -outform pem

This 'sign' operation completes successfully, but produces an output that's
missing the payload. Using the same procedure to sign 1MB of random data
produces a result that's only 1396 bytes long:

dd if=/dev/urandom bs=1M count=1 | openssl cms -sign -md sha1 -inkey
signer_key -signer signer_cert -outform pem | grep -v -- -- | base64
--decode | wc -c


Clearly this 'sign' function doesn't do what I thought it did.

How can I sign blob of data so that it looks like my 'original'?

The files I'm using:
original https://pastebin.com/raw/CNPLyqcm
CA_cert.pem https://pastebin.com/raw/HiE6gMTN
signer_key https://pastebin.com/raw/tnCXeYHg (the correct key, but not an
actual secret)
signer_cert https://pastebin.com/raw/ACtTVHdp

Thank you!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171020/f7e54453/attachment.html>

More information about the openssl-users mailing list