Data and Signature (envelope)

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

Data and Signature (envelope)

redpath
I have a piece of data like a JPG and a MD from it and a signature PKCS#1 from the MD.

   int rc= RSA_sign(NID_sha1, md, 20, sigret, &siglen, rsapriv)

I send the data and the signature to someone to verify the data and they use it.
Now maybe there is standard measure to package the data and the signature and that would be?

x.509  (that does not make sense or does it)
pkcs12  (maybe)

so what would it be? Of course I have to figure out how to extract the info out of the
new envelope; any suggestions?
Reply | Threaded
Open this post in threaded view
|

Re: Data and Signature (envelope)

Krzysztof Konopko
2013/4/24 redpath <[hidden email]>
I have a piece of data like a JPG and a MD from it and a signature PKCS#1
from the MD.

   int rc= RSA_sign(NID_sha1, md, 20, sigret, &siglen, rsapriv)

I send the data and the signature to someone to verify the data and they use
it.
Now maybe there is standard measure to package the data and the signature
and that would be?

x.509  (that does not make sense or does it)
pkcs12  (maybe)

so what would it be? Of course I have to figure out how to extract the info
out of the
new envelope; any suggestions?

 



--
View this message in context: http://openssl.6102.n7.nabble.com/Data-and-Signature-envelope-tp44885.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Data and Signature (envelope)

redpath
I saw the CMS but I did not see how to store raw data which I need to extract?
Lets assume the data was a JPG and I created signature from the MD (SHA1)
how can I get the JPG use it and validate it. I looked at the PKCS7 and no mention of adding
objects.

Any example is best to learn assuming
  data (JPG) derived MD from it for a signature and I have a private key.

I am assuming RSA though I would like to do ECDSA.
Reply | Threaded
Open this post in threaded view
|

RE: Data and Signature (envelope)

Dave Thompson-5
> From: [hidden email] On Behalf Of redpath
> Sent: Wednesday, 24 April, 2013 18:10

> I saw the CMS but I did not see how to store raw data which I need to
> extract?
> Lets assume the data was a JPG and I created signature from
> the MD (SHA1)
> how can I get the JPG use it and validate it. I looked at the
> PKCS7 and no
> mention of adding
> objects.
>
The PKCS7_* API, and the newer and more complete CMS_* API,
is designed to do most of the work for you. PKCS7_sign or
CMS_sign takes the data as a BIO to allow streaming from
a (large) file or pipe or such, but if you have your data
in memory just use a mem-BIO; computes a signature* using
a given privatekey and cert(s); and produces the result
structure, or if streaming sets-up to produce it.
* By default these APIs do the "two level" signature:
hash the data, put that hash into AuthenticatedAttributes
along with other stuff, hash AuthenticatedAttributes and
pk-sign that hash. You can specify _NOATTR to reduce this
to just hash the data and pk-sign that (first) hash.

I hope you didn't mean the *commandline* utility pkcs7.
Despite the name, that handles only "p7b" objects, i.e.
degenerate PKCS7 containing no actual data or signature
used only to transport cert(s) or (less often) CRL(s).
To do proper-pkcs7 signed or encrypted at commandline,
use smime or cms with format PEM or DER.

> Any example is best to learn assuming
>   data (JPG) derived MD from it for a signature and I have a
> private key.
>

If you really want to do it yourself, the older PKCS7_
module exposes the C structs, which you could fill in
and then I think plain (nonstream) i2d_ or PEM_write_
should work, although I haven't tested.

> I am assuming RSA though I would like to do ECDSA.
>
These APIs will use any privatekey for which a signature
scheme is available; that's RSA DSA ECDSA (or pedantically
EC; openssl uses the same EC_KEY struct for ECDSA and ECDH).
(In general openssl routines using EVP_PKEY will handle many
key types, that's exactly what the EVP level is for.)

I still encounter a few reliers (or other systems) now and then
who don't support ECDSA, though less than a few years ago.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Data and Signature (envelope)

Viktor Dukhovni
On Wed, Apr 24, 2013 at 10:35:04PM -0400, Dave Thompson wrote:

> > I am assuming RSA though I would like to do ECDSA.
>
> These APIs will use any privatekey for which a signature
> scheme is available; that's RSA DSA ECDSA (or pedantically
> EC; openssl uses the same EC_KEY struct for ECDSA and ECDH).
> (In general openssl routines using EVP_PKEY will handle many
> key types, that's exactly what the EVP level is for.)

For some time CMS did not support ECDSA (recipient public keys),
only RSA was supported.  Has that changed recently?  One needs to
recipient public keys to encrypt the message key to each recipient,
which is different from the sender key used for signing. There was
no code for that last time I looked, is there a suitable standard
for using ECDSA with CMS recipients? I just tried with 1.0.1e and
could only encrypt to an RSA recipient.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Data and Signature (envelope)

redpath
I thought the PKCS7 was the way to go thanks.
Yes the command line is confusing as to what the PKCS7 can provide
and thats what was a paradox to me.

Any pointers to PKCS7 example code inserting objects and extracted them
would be appreciated and I do use the men_bio nicely.
Reply | Threaded
Open this post in threaded view
|

Re: Data and Signature (envelope)

redpath
I took the sign.c example and modified it slightly to use artifacts I have,
but it seems the result just produces a PKCS7 that has a signature?
I want to have the data (PDF or JPG) in there as I need to use it after validating
that it is trusted.

Basically I have a piece of data and a signature and want to envelope it in
something for best practices. Otherwise I simply send the data and the signature
and validate trust and use the data. I have to get the data out of the PKCS7 and use it
just having a signature is not very useful for m.

Is there something I am missing?

The code I modified is shown below which is basically sign.c, get my private key
and a x509 sign the data but hey I need the data int there too to extract later.


//cc -o sign -Wno-deprecated-declarations sign.c -lcrypto

#include <stdio.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/err.h>

int main(argc,argv)
int argc;
char *argv[];
        {
        X509 *x509;
        EVP_PKEY *pkey;
        PKCS7 *p7;
        PKCS7_SIGNER_INFO *si;
        BIO *in;
        BIO *data,*p7bio;
        char buf[1024*4];
        int i;
        int nodetach=0;

#ifndef OPENSSL_NO_MD2
        EVP_add_digest(EVP_md2());
#endif
#ifndef OPENSSL_NO_MD5
        EVP_add_digest(EVP_md5());
#endif
#ifndef OPENSSL_NO_SHA1
        EVP_add_digest(EVP_sha1());
#endif
#ifndef OPENSSL_NO_MDC2
        EVP_add_digest(EVP_mdc2());
#endif

        data=BIO_new(BIO_s_file());
again:
        if (argc > 1)
                {
                if (strcmp(argv[1],"-nd") == 0)
                        {
                        nodetach=1;
                        argv++; argc--;
                        goto again;
                        }
                if (!BIO_read_filename(data,argv[1]))
                        goto err;
                }
        else
                BIO_set_fp(data,stdin,BIO_NOCLOSE);

  /**
   * Get our private key as it will be used from some other PKCS7 function later I assume to sign data?
   **/
   FILE * fp =fopen("rsa.pem.0", "rb");
   if (fp==NULL){
     printf("NULL fp \n");
     return 1;
   }

   EVP_PKEY *pevpkey= PEM_read_PrivateKey(fp, NULL, NULL, NULL);
   if (pevpkey==NULL){
      printf("PEM for read private failed\n");
      return 1;
    }
   else
       printf("PEM for read private SUCCESS\n");

   fclose(fp);


        if ((in=BIO_new_file("RSApublic.x509.0.cert","r")) == NULL) goto err;
        if ((x509=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) goto err;
        //BIO_reset(in);
        //if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL)) == NULL) goto err;
        BIO_free(in);


        p7=PKCS7_new();
        PKCS7_set_type(p7,NID_pkcs7_signed);
        si=PKCS7_add_signature(p7,x509,pevpkey,EVP_sha1());
        if (si == NULL) goto err;

        /* If you do this then you get signing time automatically added */
                PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
                                                        OBJ_nid2obj(NID_pkcs7_data));

        /* USE THIS TO ADD a X509 if you wish to the PKCS7*/
        // PKCS7_add_certificate(p7,x509);

        /* Set the content of the signed to 'data' */
        PKCS7_content_new(p7,NID_pkcs7_data);

        // if (!nodetach)
        PKCS7_set_detached(p7,1);

        if ((p7bio=PKCS7_dataInit(p7,NULL)) == NULL) goto err;

        for (;;)
                {
                i=BIO_read(data,buf,sizeof(buf));
                if (i <= 0) break;
                printf("%d \n",BIO_write(p7bio,buf,i) );
                }

        if (!PKCS7_dataFinal(p7,p7bio)) goto err;
        BIO_free(p7bio);

        PEM_write_PKCS7(stdout,p7);
        PKCS7_free(p7);

        exit(0);
err:
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
        exit(1);
        }
Reply | Threaded
Open this post in threaded view
|

Re: Data and Signature (envelope)

Jakob Bohm-7
On 4/25/2013 1:13 PM, redpath wrote:

> I took the sign.c example and modified it slightly to use artifacts I have,
> but it seems the result just produces a PKCS7 that has a signature?
> I want to have the data (PDF or JPG) in there as I need to use it after
> validating
> that it is trusted.
>
> Basically I have a piece of data and a signature and want to envelope it in
> something for best practices. Otherwise I simply send the data and the
> signature
> and validate trust and use the data. I have to get the data out of the PKCS7
> and use it
> just having a signature is not very useful for m.
>

In other words you want to produce a non-detached PKCS7 SignedData
structure, not a detached one, to use the official names from the
standards.

> Is there something I am missing?
>
> The code I modified is shown below which is basically sign.c, get my private
> key
> and a x509 sign the data but hey I need the data int there too to extract
> later.
>

I am not sure, maybe someone else can point out what parameters and
options to pass to the PKCS7_* functions to produce a non-detached
signature.

I'll leave in your code to keep specific answers on this in context.

>
> //cc -o sign -Wno-deprecated-declarations sign.c -lcrypto
>
> #include <stdio.h>
> #include <string.h>
> #include <openssl/bio.h>
> #include <openssl/x509.h>
> #include <openssl/pem.h>
> #include <openssl/err.h>
>
> int main(argc,argv)
> int argc;
> char *argv[];
> {
> X509 *x509;
> EVP_PKEY *pkey;
> PKCS7 *p7;
> PKCS7_SIGNER_INFO *si;
> BIO *in;
> BIO *data,*p7bio;
> char buf[1024*4];
> int i;
> int nodetach=0;
>
> #ifndef OPENSSL_NO_MD2
> EVP_add_digest(EVP_md2());
> #endif
> #ifndef OPENSSL_NO_MD5
> EVP_add_digest(EVP_md5());
> #endif
> #ifndef OPENSSL_NO_SHA1
> EVP_add_digest(EVP_sha1());
> #endif
> #ifndef OPENSSL_NO_MDC2
> EVP_add_digest(EVP_mdc2());
> #endif
>
> data=BIO_new(BIO_s_file());
> again:
> if (argc > 1)
> {
> if (strcmp(argv[1],"-nd") == 0)
> {
> nodetach=1;
> argv++; argc--;
> goto again;
> }
> if (!BIO_read_filename(data,argv[1]))
> goto err;
> }
> else
> BIO_set_fp(data,stdin,BIO_NOCLOSE);
>
>    /**
>     * Get our private key as it will be used from some other PKCS7 function
> later I assume to sign data?
>     **/
>     FILE * fp =fopen("rsa.pem.0", "rb");
>     if (fp==NULL){
>       printf("NULL fp \n");
>       return 1;
>     }
>
>     EVP_PKEY *pevpkey= PEM_read_PrivateKey(fp, NULL, NULL, NULL);
>     if (pevpkey==NULL){
>        printf("PEM for read private failed\n");
>        return 1;
>      }
>     else
>         printf("PEM for read private SUCCESS\n");
>
>     fclose(fp);
>
>
> if ((in=BIO_new_file("RSApublic.x509.0.cert","r")) == NULL) goto err;
> if ((x509=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) goto err;
> //BIO_reset(in);
> //if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL)) == NULL) goto err;
> BIO_free(in);
>
>
> p7=PKCS7_new();
> PKCS7_set_type(p7,NID_pkcs7_signed);
> si=PKCS7_add_signature(p7,x509,pevpkey,EVP_sha1());
> if (si == NULL) goto err;
>
> /* If you do this then you get signing time automatically added */
> PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
> OBJ_nid2obj(NID_pkcs7_data));
>
> /* USE THIS TO ADD a X509 if you wish to the PKCS7*/
> // PKCS7_add_certificate(p7,x509);
>
>          /* Set the content of the signed to 'data' */
> PKCS7_content_new(p7,NID_pkcs7_data);
>
> // if (!nodetach)
>           PKCS7_set_detached(p7,1);
>
> if ((p7bio=PKCS7_dataInit(p7,NULL)) == NULL) goto err;
>
> for (;;)
> {
> i=BIO_read(data,buf,sizeof(buf));
> if (i <= 0) break;
> printf("%d \n",BIO_write(p7bio,buf,i) );
> }
>
> if (!PKCS7_dataFinal(p7,p7bio)) goto err;
> BIO_free(p7bio);
>
> PEM_write_PKCS7(stdout,p7);
> PKCS7_free(p7);
>
> exit(0);
> err:
> ERR_load_crypto_strings();
> ERR_print_errors_fp(stderr);
> exit(1);
> }
>
>


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Data and Signature (envelope)

redpath
Exactly a non-detached, I see the constant detached and thought thats what it meant but that road lead nowhere, so if anyone has pointers how to make a non-detacched or modify below that would be
great.
Reply | Threaded
Open this post in threaded view
|

Re: Data and Signature (envelope)

Dr. Stephen Henson
In reply to this post by redpath
On Thu, Apr 25, 2013, redpath wrote:

> I took the sign.c example and modified it slightly to use artifacts I have,
> but it seems the result just produces a PKCS7 that has a signature?
> I want to have the data (PDF or JPG) in there as I need to use it after
> validating
> that it is trusted.
>

That's rather an ancient example. It would be better to rely on the high level
APIs and demos. See demos/smime and demos/cms for example.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Data and Signature (envelope)

Dr. Stephen Henson
In reply to this post by Viktor Dukhovni
On Thu, Apr 25, 2013, Viktor Dukhovni wrote:

> On Wed, Apr 24, 2013 at 10:35:04PM -0400, Dave Thompson wrote:
>
> > > I am assuming RSA though I would like to do ECDSA.
> >
> > These APIs will use any privatekey for which a signature
> > scheme is available; that's RSA DSA ECDSA (or pedantically
> > EC; openssl uses the same EC_KEY struct for ECDSA and ECDH).
> > (In general openssl routines using EVP_PKEY will handle many
> > key types, that's exactly what the EVP level is for.)
>
> For some time CMS did not support ECDSA (recipient public keys),
> only RSA was supported.  Has that changed recently?  One needs to
> recipient public keys to encrypt the message key to each recipient,
> which is different from the sender key used for signing. There was
> no code for that last time I looked, is there a suitable standard
> for using ECDSA with CMS recipients? I just tried with 1.0.1e and
> could only encrypt to an RSA recipient.
>

OpenSSL doesn't currentliy support ECDH with the eneveloped data type. It does
support ECDSA for sign/verify.

I'll be looking into adding support in future. It would help a great deal if I
had some test vectors (e.g. sample of messages and appropriate keys) for ECDH
for interop testing. Anyone who has any either post links to them in the list
or if you prefer send them to me privately.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Data and Signature (envelope)

redpath
I looked at the latest smsign.c shown below modified with a large data item.
The result is still a detached and quite small like a signature. The flag changed
and yet nothing different. It should be quite large. All I see is the API to soign
p7 = PKCS7_sign(scert, skey, NULL, in, flags);

and tried to do some data content with only core dumps, so what modification
do I have to do to store objects I can get later from the PKCS7?

#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <openssl/err.h>

int main(int argc, char **argv)
        {
        BIO *in = NULL, *out = NULL, *tbio = NULL;
        X509 *scert = NULL;
        EVP_PKEY *skey = NULL;
        PKCS7 *p7 = NULL;
        int ret = 1;

        /* For simple S/MIME signing use PKCS7_DETACHED.
         * On OpenSSL 0.9.9 only:
         * for streaming detached set PKCS7_DETACHED|PKCS7_STREAM
         * for streaming non-detached set PKCS7_STREAM
         */
        // int flags = PKCS7_DETACHED|PKCS7_STREAM;
        int flags = PKCS7_STREAM;

        OpenSSL_add_all_algorithms();
        ERR_load_crypto_strings();

        /* Read in signer certificate and private key */
        tbio = BIO_new_file("signer.pem", "r");

        if (!tbio)
                goto err;

        scert = PEM_read_bio_X509(tbio, NULL, 0, NULL);

        BIO_reset(tbio);

        skey = PEM_read_bio_PrivateKey(tbio, NULL, 0, NULL);

        if (!scert || !skey)
                goto err;

        /* Open content being signed */

        in = BIO_new_file("my.pdf", "r");

        if (!in)
                goto err;

        /* Sign content */
        p7 = PKCS7_sign(scert, skey, NULL, in, flags);

        if (!p7)
                goto err;

        out = BIO_new_file("smout.txt", "w");
        if (!out)
                goto err;

        if (!(flags & PKCS7_STREAM))
                BIO_reset(in);

        /* Write out S/MIME message */
        if (!SMIME_write_PKCS7(out, p7, in, flags))
                goto err;

        ret = 0;

        err:

        if (ret)
                {
                fprintf(stderr, "Error Signing Data\n");
                ERR_print_errors_fp(stderr);
                }

        if (p7)
                PKCS7_free(p7);
        if (scert)
                X509_free(scert);
        if (skey)
                EVP_PKEY_free(skey);

        if (in)
                BIO_free(in);
        if (out)
                BIO_free(out);
        if (tbio)
                BIO_free(tbio);

        return ret;

        }

Reply | Threaded
Open this post in threaded view
|

RE: Data and Signature (envelope)

Dave Thompson-5
> From: [hidden email] On Behalf Of redpath
> Sent: Thursday, 25 April, 2013 09:40
> To: [hidden email]
> Subject: Re: Data and Signature (envelope)
>
> I looked at the latest smsign.c shown below modified with a
> large data item.
> The result is still a detached and quite small like a
> signature. The flag changed
> and yet nothing different. It should be quite large. <snip>

Your code works for me, with one change to use my data file,
on (home) Vista with ShiningLight 1.0.0e and mingw gcc.

Are you by any chance also working on Windows? Remember that
on Windows C implementations (except maybe cygwin, I'm not sure)
open mode "r" means a text file, which is truncated at any 0x1A
(^Z) byte. PDF's are usually compressed and compressed data is
practically certain to contain 0x1A bytes here and there.
To handle compressed or other binary data use "rb".

If you want to see what is actually in your generated object
take the body part (i.e. skip the S/MIME headers) and feed it
as input to commandline asn1parse. If your contained data is
compressed it will display as unreadable gibberish, but you
can see something is there and get some idea how big it is.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]