On 10/20/2017 10:00 PM, Chris Marget wrote:

I'm struggling with a PKCS7 signing operation using openssl 1.0.2g.

I want to create signed messages like the one in my 'original' file (below). It seemed like extracting and then re-signing this message would be a good start.

I'm able to verify/unpack the original message, but not able to sign the unpacked message to get back to where I started. I have access to the signer's certificate and private key.

I hope somebody can point me in the right direction?

I'm extracting the message with:

    openssl cms -verify -CAfile CA_cert.pem -inform pem -in original -out extracted

I thought I'd be able to re-sign this message using something like:

    openssl cms -sign -md sha1 -in extracted -inkey signer_key -signer signer_cert -outform pem

This 'sign' operation completes successfully, but produces an output that's missing the payload. Using the same procedure to sign 1MB of random data produces a result that's only 1396 bytes long:

I think you want to add the option "-nodetach"

    dd if=/dev/urandom bs=1M count=1 | openssl cms -sign -md sha1 -inkey signer_key -signer signer_cert -outform pem | grep -v -- -- | base64 --decode | wc -c
    1396

Clearly this 'sign' function doesn't do what I thought it did.

How can I sign a blob of data so that it looks like my 'original'?

The files I'm using:
Thank you!
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
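
The difference the "-nodetach" suggestion above turns on, shown as an added example that is not part of the original thread: `openssl cms -sign` produces a detached signature by default, so the PEM output carries no payload, while `-nodetach` embeds it. The throwaway self-signed signer, the file names and the 64 KiB payload are constructed for the demo; it also assumes `-md sha256` in place of the thread's sha1 and adds `-binary` so the payload is not CRLF-canonicalised.

```shell
#!/bin/sh
# Added example; signer, file names and payload are constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed signer standing in for signer_key / signer_cert from the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cms-demo-signer" \
    -keyout "$WORK/signer_key" -out "$WORK/signer_cert" 2>/dev/null
head -c 65536 /dev/urandom > "$WORK/payload"   # 64 KiB constructed payload

# sign OUTFILE [extra options]
# -binary stops the S/MIME LF->CRLF canonicalisation that would alter binary data.
sign() {
    out=$1; shift
    openssl cms -sign -binary -md sha256 -in "$WORK/payload" \
        -inkey "$WORK/signer_key" -signer "$WORK/signer_cert" \
        -outform pem -out "$out" "$@"
}

# verify INFILE [extra options]
# Succeeds only if the signature checks out and the recovered content is
# byte-identical to the payload.
verify() {
    in=$1; shift
    openssl cms -verify -binary -CAfile "$WORK/signer_cert" -inform pem \
        -in "$in" -out "$WORK/extracted" "$@" 2>/dev/null &&
        cmp -s "$WORK/payload" "$WORK/extracted"
}

size() { wc -c < "$1" | tr -d ' '; }

sign "$WORK/detached.pem"             # default: SignedData without the content
sign "$WORK/embedded.pem" -nodetach   # payload carried inside SignedData

echo "payload:  $(size "$WORK/payload") bytes"
echo "detached: $(size "$WORK/detached.pem") bytes (PEM)"
echo "embedded: $(size "$WORK/embedded.pem") bytes (PEM)"

verify "$WORK/embedded.pem" && echo "embedded: verifies on its own"
verify "$WORK/detached.pem" -content "$WORK/payload" &&
    echo "detached: verifies only when given the payload via -content"
verify "$WORK/detached.pem" || echo "detached: fails without the payload"
```

A detached signature is only useful to a recipient who also receives the payload through some other channel and passes it with `-content`.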