I'm struggling with a PKCS7 signing operation using openssl 1.0.2g. I want to create signed messages like the one in my 'original' file (below). It seemed like extracting and then re-signing this message would be a good start.
I'm able to verify/unpack the original message, but not able to sign the unpacked message to get back to where I started. I have access to the signer's certificate and private key. I hope somebody can point me in the right direction? I'm extracting the message with: openssl cms -verify -CAfile CA_cert.pem -inform pem -in original -out extracted I thought I'd be able to re-sign this message using something like: openssl cms -sign -md sha1 -in extracted -inkey signer_key -signer signer_cert -outform pem This 'sign' operation completes successfully, but produces an output that's missing the payload. Using the same procedure to sign 1MB of random data produces a result that's only 1396 bytes long: dd if=/dev/urandom bs=1M count=1 | openssl cms -sign -md sha1 -inkey signer_key -signer signer_cert -outform pem | grep -v -- -- | base64 --decode | wc -c 1396 Clearly this 'sign' function doesn't do what I thought it did. How can I sign blob of data so that it looks like my 'original'? The files I'm using: original https://pastebin.com/raw/CNPLyqcm CA_cert.pem https://pastebin.com/raw/HiE6gMTN signer_key https://pastebin.com/raw/tnCXeYHg (the correct key, but not an actual secret) signer_cert https://pastebin.com/raw/ACtTVHdp Thank you!
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users