cms utility "-sign" doesn't include signed content

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

cms utility "-sign" doesn't include signed content

Chris Marget
I'm struggling with a PKCS7 signing operation using openssl 1.0.2g.

I want to create signed messages like the one in my 'original' file (below). It seemed like extracting and then re-signing this message would be a good start.

I'm able to verify/unpack the original message, but not able to sign the unpacked message to get back to where I started. I have access to the signer's certificate and private key.

I hope somebody can point me in the right direction?

I'm extracting the message with:

openssl cms -verify -CAfile CA_cert.pem -inform pem -in original -out extracted


I thought I'd be able to re-sign this message using something like:

openssl cms -sign -md sha1 -in extracted -inkey signer_key -signer signer_cert -outform pem


This 'sign' operation completes successfully, but produces an output that's missing the payload. Using the same procedure to sign 1MB of random data produces a result that's only 1396 bytes long:

dd if=/dev/urandom bs=1M count=1 | openssl cms -sign -md sha1 -inkey signer_key -signer signer_cert -outform pem | grep -v -- -- | base64 --decode | wc -c

1396


Clearly this 'sign' function doesn't do what I thought it did.

How can I sign blob of data so that it looks like my 'original'?

The files I'm using:
signer_key https://pastebin.com/raw/tnCXeYHg (the correct key, but not an actual secret)

Thank you!

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: cms utility "-sign" doesn't include signed content

lists-161
On 10/20/2017 10:00 PM, Chris Marget wrote:
I'm struggling with a PKCS7 signing operation using openssl 1.0.2g.

I want to create signed messages like the one in my 'original' file (below). It seemed like extracting and then re-signing this message would be a good start.

I'm able to verify/unpack the original message, but not able to sign the unpacked message to get back to where I started. I have access to the signer's certificate and private key.

I hope somebody can point me in the right direction?

I'm extracting the message with:

openssl cms -verify -CAfile CA_cert.pem -inform pem -in original -out extracted


I thought I'd be able to re-sign this message using something like:

openssl cms -sign -md sha1 -in extracted -inkey signer_key -signer signer_cert -outform pem


This 'sign' operation completes successfully, but produces an output that's missing the payload. Using the same procedure to sign 1MB of random data produces a result that's only 1396 bytes long:


I think you want to add the option  "-nodetach"

dd if=/dev/urandom bs=1M count=1 | openssl cms -sign -md sha1 -inkey signer_key -signer signer_cert -outform pem | grep -v -- -- | base64 --decode | wc -c

1396


Clearly this 'sign' function doesn't do what I thought it did.

How can I sign blob of data so that it looks like my 'original'?

The files I'm using:
signer_key https://pastebin.com/raw/tnCXeYHg (the correct key, but not an actual secret)

Thank you!




--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users