On 10/20/2017 10:00 PM, Chris Marget wrote:
I'm struggling with a PKCS7 signing operation using openssl 1.0.2g.
I want to create signed messages like the one in my 'original' file
(below). It seemed like extracting and then re-signing this message
would be a good start.
I'm able to verify/unpack the original message, but not able to sign
the unpacked message to get back to where I started. I have access to
the signer's certificate and private key.
I hope somebody can point me in the right direction?
I'm extracting the message with:
openssl cms -verify -CAfile CA_cert.pem -inform pem -in original -out
extracted
I thought I'd be able to re-sign this message using something like:
openssl cms -sign -md sha1 -in extracted -inkey signer_key -signer
signer_cert -outform pem
This 'sign' operation completes successfully, but produces an output
that's missing the payload. Using the same procedure to sign 1MB of
random data produces a result that's only 1396 bytes long:
I think you want to add the optionĀ "-nodetach"
dd if=/dev/urandom bs=1M count=1 | openssl cms -sign -md sha1 -inkey
signer_key -signer signer_cert -outform pem | grep -v -- -- | base64
--decode | wc -c
1396
Clearly this 'sign' function doesn't do what I thought it did.
How can I sign blob of data so that it looks like my 'original'?
The files I'm using:
original https://pastebin.com/raw/CNPLyqcm
CA_cert.pem https://pastebin.com/raw/HiE6gMTN
signer_key https://pastebin.com/raw/tnCXeYHg (the correct key, but not
an actual secret)
signer_cert https://pastebin.com/raw/ACtTVHdp
Thank you!
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users