[openssl-users] cms utility "-sign" doesn't include signed content
chris at marget.com
Fri Oct 20 20:00:08 UTC 2017
I'm struggling with a PKCS7 signing operation using openssl 1.0.2g.
I want to create signed messages like the one in my 'original' file
(below). It seemed like extracting and then re-signing this message would
be a good start.
I'm able to verify/unpack the original message, but not able to sign the
unpacked message to get back to where I started. I have access to the
signer's certificate and private key.
I hope somebody can point me in the right direction.
I'm extracting the message with:
openssl cms -verify -CAfile CA_cert.pem -inform pem -in original -out
I thought I'd be able to re-sign this message using something like:
openssl cms -sign -md sha1 -in extracted -inkey signer_key -signer signer_cert -outform pem
This 'sign' operation completes successfully, but produces an output that's
missing the payload. Using the same procedure to sign 1MB of random data
produces a result that's only 1396 bytes long:
dd if=/dev/urandom bs=1M count=1 | openssl cms -sign -md sha1 -inkey signer_key -signer signer_cert -outform pem | grep -v -- -- | base64 --decode | wc -c
Clearly this 'sign' function doesn't do what I thought it did.
How can I sign a blob of data so that it looks like my 'original'?
The files I'm using:
signer_key https://pastebin.com/raw/tnCXeYHg (the correct key, but not an
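The behaviour described in the post comes from the default signing mode of the cms utility: without -nodetach, "openssl cms -sign" writes a detached signature, so the SignedData structure carries signer info and certificates but no eContent, which is why 1 MB of input yields a ~1.4 KB structure. The script below is an added example written for this page, not code from the original post or from the OpenSSL project. It generates its own throwaway key, certificate and random payload (so the pastebin files from the post are not used), signs the payload both ways, and verifies each result. It assumes only that an openssl binary (1.0.2 or later) is on PATH; -binary is added because random bytes are not MIME text and would otherwise be CR/LF-canonicalised.

```shell
#!/bin/sh
# Added example (not code from the original post). Reproduces the
# "missing payload" behaviour of `openssl cms -sign` and shows the fix.
# Assumes the `openssl` binary is on PATH (1.0.2 or later). The signer key,
# certificate and payload are throwaway files generated here, not the
# pastebin files from the post.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/signer_key.pem"
CERT="$WORK/signer_cert.pem"
PAYLOAD="$WORK/payload.bin"

# Throwaway self-signed signer certificate (constructed for this example).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
    -subj "/CN=cms-example" -days 1 >/dev/null 2>&1

# 64 KiB of random bytes as the content to sign (constructed input).
dd if=/dev/urandom of="$PAYLOAD" bs=1024 count=64 2>/dev/null

# Sign the payload either the way the post did (default: detached
# signature, SignedData carries no eContent) or with -nodetach (opaque
# signing, content embedded). -binary stops the CR/LF canonicalisation
# that cms applies to "text" input. Prints the DER size in bytes.
signed_size() {   # $1 = detached | attached
    case "$1" in
        attached) extra="-nodetach" ;;
        detached) extra="" ;;
        *) echo "usage: signed_size detached|attached" >&2; return 1 ;;
    esac
    openssl cms -sign -md sha256 -binary $extra -in "$PAYLOAD" \
        -inkey "$KEY" -signer "$CERT" -outform DER -out "$WORK/signed_$1.der"
    wc -c < "$WORK/signed_$1.der" | tr -d ' '
}

# Verify the attached form on its own; echoes "ok" when the recovered
# content is byte-for-byte identical to the original payload.
verify_attached() {
    if openssl cms -verify -inform DER -binary -in "$WORK/signed_attached.der" \
           -CAfile "$CERT" -out "$WORK/recovered.bin" >/dev/null 2>&1 \
       && cmp -s "$PAYLOAD" "$WORK/recovered.bin"; then
        echo ok
    else
        echo fail
    fi
}

# The detached form verifies only when the original content is supplied
# with -content; without it OpenSSL has nothing to hash and rejects it.
verify_detached() {   # $1 = with-content | without-content
    if [ "$1" = "with-content" ]; then
        content="-content $PAYLOAD"
    else
        content=""
    fi
    if openssl cms -verify -inform DER -binary -in "$WORK/signed_detached.der" \
           $content -CAfile "$CERT" -out /dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "detached SignedData: $(signed_size detached) bytes (no payload inside)"
echo "attached SignedData: $(signed_size attached) bytes (payload embedded)"
echo "attached verifies alone:              $(verify_attached)"
echo "detached verifies with -content:      $(verify_detached with-content)"
echo "detached verifies without -content:   $(verify_detached without-content)"
```

Two points worth checking against the 'original' file before settling on flags: if the original is a plain CMS/PKCS#7 blob rather than an S/MIME message, -binary -nodetach is what reproduces it; and the extraction command in the post only works without -content because the original already had the content embedded, which is exactly what the detached output from the default -sign mode lacks.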