Discussion:
Signing a binary file
Danny Joseph
2003-08-04 16:54:52 UTC
I am new in the openssl world so my questions might be basic.
I have a binary code file that I have to sign (using a private key and one
or more certificates).
It has to be PKCS#7(SHA1 with RSA encryption) DER encoded Signed Data.
1- I have to create a PKCS#7 data message from my binary file.
2- Sign this last PKCS#7 file -> In my signed data, there will be
one (or more) certificates along with their Signing Info. I need to put a
signing time as well.
There is the pkcs7 to create a PKCS#7 file from my binary file but it has
to be PEM or DER input.
Then, there is the crl2pkcs7 function to add certificates to the PKCS#7
file, without crl in my case.
Then, I have to sign the whole thing with a SigningTime. I read on the
x509(1) function along with the req.
I saw rsautl as well as dgst(1) but I am a little bit lost in all those
functions and their differences.
Any suggestions to help me through this?
Tx
Danny Joseph
Electroline Equipment Inc, Montreal
* Tel: (514) 374-6204 #447
* Fax: (514) 374-8901
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Henrik Nordstrom
2003-08-04 17:24:33 UTC
Post by Danny Joseph
I am new in the openssl world so my questions might be basic.
I have a binary code file that I have to sign (using a private key and one
or more certificates).
It has to be PKCS#7(SHA1 with RSA encryption) DER encoded Signed Data.
1- I have to create a PKCS#7 data message from my binary file.
2- Sign this last PKCS#7 file -> In my signed data, there will be
one (or more) certificates along with their Signing Info. I need to put a
signing time as well.
PKCS7_encrypt() & PKCS7_sign() maybe?

I do not think the required operations are available in the openssl tool
for your purpose. Some programming will probably be needed to use
OpenSSL in this manner.

Note: The OpenSSL pkcs7 functions are primarily designed for SSL related
operations (i.e. CRL lists) and as such are not a complete PKCS #7
implementation from what I can tell. It is fully possible that what you are
trying to accomplish is beyond the capabilities of the OpenSSL PKCS #7
functions. For example the documentation to PKCS7_sign() says (under
BUGS) that only a single signer certificate is supported by the
implementation.

Regards
Henrik
--
Henrik Nordstrom <hno-PkEYrkghkiNmbZtjAW+***@public.gmane.org>
MARA Systems AB

Dr. Stephen Henson
2003-08-04 18:47:47 UTC
Post by Danny Joseph
I am new in the openssl world so my questions might be basic.
I have a binary code file that I have to sign (using a private key and one
or more certificates).
It has to be PKCS#7(SHA1 with RSA encryption) DER encoded Signed Data.
1- I have to create a PKCS#7 data message from my binary file.
2- Sign this last PKCS#7 file -> In my signed data, there will be
one (or more) certificates along with their Signing Info. I need to put a
signing time as well.
There is the pkcs7 to create a PKCS#7 file from my binary file but it has
to be PEM or DER input.
Then, there is the crl2pkcs7 function to add certificates to the PKCS#7
file, without crl in my case.
Then, I have to sign the whole thing with a SigningTime. I read on the
x509(1) function along with the req.
I saw rsautl as well as dgst(1) but I am a little bit lost in all those
functions and their differences.
Any suggestions to help me through this?
Tx
You should look at the smime command, it does most or all of what you want. By
default it uses S/MIME format and text translation but if you use the -binary
and -outform DER options it should be more suited to your needs.

Signing time is added automatically.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: shenson-Pqzf/mBTa20vnmoEvQhlZgbYiX8G1TQY9dF7HbQ/***@public.gmane.org, PGP key: via homepage.
Danny Joseph
2003-08-05 18:48:12 UTC
Thank you Mr. Henson,

I only have one problem: it takes a PKCS#7 file in input but mine is binary.
I tried with the -binary command but it still says that it can not read the
S/MIME message, so it does not recognise my file as a binary one.
Any suggestions?

Danny
Electroline Equipment Inc, Montreal
Tel: (514) 374-6204 #447
Fax: (514) 374-8901
E-mail: dj-9HHMsRDtEzRfOZc0+***@public.gmane.org





Dr. Stephen Henson
2003-08-05 18:59:20 UTC
Post by Danny Joseph
Thank you Mr. Henson,
I only have one problem: it takes a PKCS#7 file in input but mine is binary.
I tried with the -binary command but it still says that it can not read the
S/MIME message, so it does not recognise my file as a binary one.
Any suggestions?
If you are using 'openssl smime -sign -binary ...' it takes the content to be
signed as its input which can be in any format.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: shenson-Pqzf/mBTa20vnmoEvQhlZgbYiX8G1TQY9dF7HbQ/***@public.gmane.org, PGP key: via homepage.
Danny Joseph
2003-08-05 19:06:40 UTC
Thank you for the information but my signed content needs to already be in
pkcs#7 format before being signed, not in binary.
That is why I am trying to "encapsulate" it in pkcs#7.

Danny
Electroline Equipment Inc, Montreal
* Tel: (514) 374-6204 #447
* Fax: (514) 374-8901
* E-mail: dj-9HHMsRDtEzRfOZc0+***@public.gmane.org




Dr. Stephen Henson
2003-08-05 19:57:54 UTC
Post by Danny Joseph
Thank you for the information but my signed content needs to already be in
pkcs#7 format before being signed, not in binary.
That is why I am trying to "encapsulate" it in pkcs#7.
What do you mean? Do you mean that the PKCS#7 signedData must include the
content? If so the -nodetach option will do that.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: shenson-Pqzf/mBTa20vnmoEvQhlZgbYiX8G1TQY9dF7HbQ/***@public.gmane.org, PGP key: via homepage.
Danny Joseph
2003-08-05 20:11:42 UTC
What I want to do is to take my binary file, encapsulate it in a PKCS #7
data message (without signing) and then, take this last one and, along with
the cert and private key, create a PKCS #7 signed data message.
The requirement for the input file that I have to sign is: it has to be a
DER-encoded PKCS #7 ContentInfo.


Dr. Stephen Henson
2003-08-06 16:00:09 UTC
Post by Danny Joseph
What I want to do is to take my binary file, encapsulate it in a PKCS #7
data message (without signing) and then, take this last one and, along with
the cert and private key, create a PKCS #7 signed data message.
The requirement for the input file that I have to sign is: it has to be a
DER-encoded PKCS #7 ContentInfo.
That's how PKCS#7 signedData is normally encapsulated, the signed data is
another PKCS#7 ContentInfo which is of type data for OpenSSL's smime command.

Or do you want to obtain the PKCS#7 data ContentInfo from the binary file too?
If so there isn't an OpenSSL command that can do that at present, though it is
possible to do that with the API albeit a bit messily.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: shenson-Pqzf/mBTa20vnmoEvQhlZgbYiX8G1TQY9dF7HbQ/***@public.gmane.org, PGP key: via homepage.
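
The options named in the replies above (`smime -sign -binary -nodetach -outform DER`), put together as an added example that is not part of the thread and not OpenSSL project code. It signs a constructed binary payload, verifies it, and checks in the ASN.1 dump that the embedded content is of type data and that signingTime is present. The key, certificate, payload and file names are constructed, and an `openssl` binary on PATH is assumed.

```shell
#!/bin/sh
# Added example. The key, certificate, payload and all file names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_signer() {
    # Throwaway self-signed RSA certificate standing in for the real signer.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-signer" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

sign_binary() {
    # $1 = file of any format, $2 = DER-encoded PKCS#7 signedData.
    # -binary: sign the bytes as-is (no S/MIME text canonicalisation)
    # -nodetach: embed the content in signedData; -outform DER: no S/MIME wrapper
    # The digest is left at the build's default; "-md sha1" would select SHA-1.
    openssl smime -sign -binary -nodetach -outform DER \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" -in "$1" -out "$2"
}

verify_and_extract() {
    # $1 = DER signedData, $2 = recovered content. The constructed certificate
    # is self-signed, so it doubles as the trust anchor passed to -CAfile.
    openssl smime -verify -inform DER -CAfile "$WORK/cert.pem" \
        -in "$1" -out "$2" 2>/dev/null
}

p7_has() {
    # True if the ASN.1 dump of $1 contains an OBJECT named $2.
    openssl asn1parse -inform DER -in "$1" | grep ":$2\$" >/dev/null
}

make_signer
# Constructed binary payload: NUL, bare LF and a high byte.
printf 'BIN\000\001\nfirmware\377' > "$WORK/payload.bin"
sign_binary "$WORK/payload.bin" "$WORK/signed.p7"
verify_and_extract "$WORK/signed.p7" "$WORK/recovered.bin"
cmp "$WORK/payload.bin" "$WORK/recovered.bin"
p7_has "$WORK/signed.p7" pkcs7-data      # inner ContentInfo is of type data
p7_has "$WORK/signed.p7" signingTime     # added without any extra option
# Any change to the signed file must make verification fail.
LC_ALL=C tr 'f' 'g' < "$WORK/signed.p7" > "$WORK/tampered.p7"
if verify_and_extract "$WORK/tampered.p7" "$WORK/tampered.out"; then
    echo "tampered file verified" >&2; exit 1
fi
echo "signed, verified, tamper rejected"
```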