CAdES

Rudolf Suchan rudolf.suchan at proton.me
Fri Jun 23 16:23:07 UTC 2023


Hello,

Look here:
https://cutt.us/CAdES
There you have an overview of the CAdES variants.

If I have binary data stored in a file named "binar", a private key in a file named "key", my certificate in a file named "cer", a file
containing complete certificates and revocation links named "CerRevLink", and a file containing complete certificates and revocation
data instead of just links named "CerRev", how can I create a CAdES signature of the "binar" file to generate a "CAdES-X Long" signature?

I tried this:

    openssl cms -sign -binary -nodetach -cades -in binar -out PLAIN.txt -inkey key -signer cer
    Enter pass phrase for key:
    openssl cms -verify -binary -cades -in PLAIN.txt -CAfile CerRev -out Binar
    CAdES Verification successful

    sha512sum binar = sha512sum Binar

Which of these (CAdES-BES, CAdES-EPES, CAdES-T, CAdES-C, CAdES-X Long, CAdES-X type1, CAdES-X type2, CAdES-A, CAdES-LT, CAdES-L, CAdES-B, CAdES-XL) is in the file PLAIN.txt?

I think there is CAdES-BES in the file PLAIN.txt. Am I right?

If so, how do I create CAdES-X Long?


While we are at it, could you please also tell me what commands I need to create each type of signature from the following list?

CAdES-EPES
CAdES-T 
CAdES-C 
CAdES-X Long 
CAdES-X type1 
CAdES-X type2 
CAdES-A 
CAdES-LT
CAdES-L 
CAdES-B   
CAdES-XL
 
Thank you.

Could I do it using three separate commands?

First, CAdES-T:
openssl cms -cades -sign -in binar -signer cer -inkey key -out Tsignature.txt -nodetach -binary -md sha256 -outform DER -tsa <tsa_url>
        -cades because we need to sign attributes?
        -nodetach because we pipe the output to the second command?
        -binary because of no problem with ^M as EOL.
        -md sha256 just a possibility
        -outform DER because of binary data output
        -tsa <tsa_url> for getting a timestamp

Second, CAdES-C:
openssl cms -cades -sign -in Tsignature.txt -signer cer -inkey key -out Csignature.txt -nodetach -binary -md sha256 -outform DER -certfile CerRevLink -noattr -crl_url "http://example.com/revocation-list.crl" -ocsp_url "http://ocsp.example.com"
        -cades use this or not?
        -in Tsignature.txt Tsignature.txt is the output of the above command
        -signer cer or -signer CerRevLink? Only the key is necessary to sign, so what file to put here after -signer?
        -nodetach because we pipe the output to the third command?
        -certfile CerRevLink this contains the Issuer certificate, Root certificate and
                Revocation-URL: http://example.com/revocation-list.crl
                Revocation-URL: http://ocsp.example.com
        Is this the same: (-cades -noattr) = (without -cades and without -noattr)?
        -crl_url "http://example.com/revocation-list.crl"
        -ocsp_url "http://ocsp.example.com" as an alternative if this is not in CerRevLink

Third, CAdES-X Long:
openssl cms -cades -sign -in Csignature.txt -signer cer -inkey key -out XLongsignature.txt -binary -md sha256 -outform PEM -certfile CerRev -noattr
        -cades use this or not?
        -signer cer or -signer CerRev?
        -nodetach is missing; we want a detached signature
        -outform PEM or MIME?
        -certfile CerRev file CerRev contains the Issuer certificate, Root certificate and
                -----BEGIN X509 CRL-----
                base64
                -----END X509 CRL-----
        -noattr see the question in the second command above

I have not experimented with this yet. Please tell me your opinion.
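As an added example (not part of the post and not OpenSSL's own code), the Python script below answers the "what exactly is in PLAIN.txt" question by inspection rather than guesswork: it walks a DER-encoded CMS blob (for instance the output of `openssl cms -sign -cades ... -outform DER`; the default S/MIME output would first have to be converted), collects every OID in it, and names the CAdES form from which RFC 5126 attributes are present. The OID table is the standard id-aa arc from RFC 5126; archive time-stamps (CAdES-A) are left out, and `sample_der()` builds constructed test input, not a real SignedData.

```python
SMIME_ARC = "1.2.840.113549.1.9.16.2."  # id-aa arc shared by the ESS and CAdES attributes
ATTR = {12: "signingCertificate", 47: "signingCertificateV2", 15: "sigPolicyId",
        14: "signatureTimeStampToken", 21: "certificateRefs", 22: "revocationRefs",
        23: "certValues", 24: "revocationValues", 25: "escTimeStamp", 26: "certCRLTimestamp"}

def _decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                 # base-128 arcs, high bit means "more bytes follow"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def collect_oids(buf):
    """Every OBJECT IDENTIFIER in a DER blob, recursing into constructed types."""
    found, pos = set(), 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                 # long-form length: the next n bytes hold it
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        content, pos = buf[pos:pos + length], pos + length
        if tag == 0x06:
            found.add(_decode_oid(content))
        elif tag & 0x20:                  # SEQUENCE, SET, [n] EXPLICIT, ...: descend
            found |= collect_oids(content)
    return found

def cades_form(der):
    """Name the CAdES form (RFC 5126 terms) implied by the attributes present."""
    tails = [o[len(SMIME_ARC):] for o in collect_oids(der) if o.startswith(SMIME_ARC)]
    present = {ATTR[int(t)] for t in tails if t.isdigit() and int(t) in ATTR}
    if not present & {"signingCertificate", "signingCertificateV2"}:
        return "plain CMS"                # the ESS signing-certificate attribute is what makes it CAdES
    if "signatureTimeStampToken" not in present:
        return "CAdES-EPES" if "sigPolicyId" in present else "CAdES-BES"
    form = "CAdES-T"
    if {"certificateRefs", "revocationRefs"} <= present:
        form = "CAdES-C"
        if {"certValues", "revocationValues"} <= present:
            form = "CAdES-X Long"
        if present & {"escTimeStamp", "certCRLTimestamp"}:
            kind = "Type 1" if "escTimeStamp" in present else "Type 2"
            form = ("CAdES-X" if form == "CAdES-C" else form) + " " + kind
    return form

def sample_der(*attr_numbers):
    """Constructed test input (not a real SignedData): a DER SET of the given attribute OIDs."""
    oids = b"".join(b"\x06\x0b" + bytes.fromhex("2a864886f70d01091002") + bytes([n])
                    for n in attr_numbers)
    return b"\x31" + bytes([len(oids)]) + oids
```

`openssl cms -cmsout -print -inform DER -in <file>` dumps the same attributes by name for a manual check; the script only automates reading them off.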


More information about the openssl-users mailing list