On 05/02/2015 14:30, Srinivas Rao wrote:
> Hi All,
>
> Is there a way to use openssl to sign data using a private key (on USB
> token) and produce PKCS7 output on win32, if:
>
> a) the data to be signed message is not touched yet and goes as input
> to the solution to the answer to this problem, OR
>
> b) signature is already generated, i.e message is hashed and signed
> and only needs to be encoded in PKCS7,
>
> If yes, for which of the above case and how (please give some pointers
> on how to go about it).
>
> Thanks
> Srinivas

Are you trying to get us to help with a school assignment?

This looks a lot like how a teacher would ask a question to his
students to find out how much they have understood themselves.

That said, the main pointers I can give you are these:

Very little in OpenSSL differs between Win32 and other systems.
However there is one part in the question that will usually be
slightly different on Win32. If you understand the question and
OpenSSL general features, you should be able to recognize which
part that is.

One of the alternatives is going to be more difficult than the
other because it is a less common task, but it may still be doable
with some ingenuity.

The task (either one if both are doable) can be performed using
almost no APIs and interfaces other than those provided by OpenSSL
and ANSI C. If you are tempted to use other tools, look closer at
the OpenSSL feature lists and available options.

In your code below you forgot to use two of the items your teacher
gave you, which is probably the problem.

> On 1/30/15, Srinivas Rao <srirrao at gmail.com> wrote:
>> All,
>>
>> Please let me know if my below mentioned usage of PKCS7_sign()+adding
>> signer info is wrong and how.
>>
>> Really appreciate your response.
>>
>> cheers and regards
>> Srinivas
>>
>> On 1/29/15, Srinivas Rao <srirrao at gmail.com> wrote:
>>> OpenSSL experts,
>>>
>>> Here the intention is to get the signed data (raw signature obtained
>>> by PKCS11 APIs like C_Sign) to be packed in PKCS7 format (attached -
>>> with certificate, content and signer info) using openssl.
>>>
>>> I am using USB token (smart card) for signing.
>>>
>>> Here's the code snippet.
>>>
>>> PKCS7* p7 = PKCS7_new();
>>> PKCS7_set_type(p7, NID_pkcs7_signed);
>>> //PKCS7_SIGNER_INFO* pSI = PKCS7_SIGNER_INFO_new();
>>> //PKCS7_SIGNER_INFO_set(pSI, pX509, pX509->cert_info->key->pkey,
>>> EVP_sha256());
>>> //PKCS7_add_signer(p7, pSI);
>>> PKCS7_SIGNER_INFO* pSI = PKCS7_add_signature(p7, pX509,
>>> pX509->cert_info->key->pkey, EVP_sha256()); // <== core dumps here
>>> :
>>> :
>>> where pX509 is correctly obtained X509* node using d2i_X509() from the
>>> value obtained from PKCS11 functions like C_GetAttributeValue() etc.
>>>
>>> I believe the set of the commented lines is the alternate way for this
>>> add signature function - that also dumps core at
>>> PKCS7_SIGNER_INFO_set() function.
>>>
>>> I have no clue as to what am I doing wrong here.
>>>
>>> Appreciate your help.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
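
Case (a) of the question, producing an attached PKCS7 (content, signer certificate and signer info in one structure), can be exercised with the openssl command line alone. The script below is an added example, not part of the original thread: it uses a throwaway software key, a constructed message and constructed file names, and it assumes that a key held on a token would instead be reached through a PKCS#11 engine using the `-engine` and `-keyform` options of `openssl smime`.

```shell
#!/bin/sh
# Added example (not from the thread): build and check an attached PKCS7
# SignedData with the openssl CLI. The key, certificate subject, message
# and file names are all constructed for this illustration.

make_signed_p7() {
    # $1 = working directory; writes $1/signed.p7 in DER form.
    dir=$1
    printf 'message to be signed\n' > "$dir/data.txt"   # constructed input

    # Throwaway self-signed signer certificate and software key. On a real
    # setup these stand in for the certificate and key held on the token.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Test Signer' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1

    # -nodetach embeds the content, giving an attached signature.
    # -binary keeps the bytes as they are (no CRLF canonicalisation).
    # Assumption: with a token, -inkey would name the key on the token and
    # "-engine <engine id> -keyform engine" would be added to this command.
    openssl smime -sign -binary -nodetach -md sha256 \
        -in "$dir/data.txt" -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
        -outform DER -out "$dir/signed.p7" 2>/dev/null
}

verify_signed_p7() {
    # Checks the signature over the embedded content and prints the content.
    # -noverify skips only certificate chain validation, which a throwaway
    # self-signed certificate cannot pass; the signature is still checked.
    openssl smime -verify -noverify -inform DER -in "$1/signed.p7" 2>/dev/null
}

# Stand-alone run: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_signed_p7 "$work" && verify_signed_p7 "$work"
    rm -rf "$work"
fi
```
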