Unable to verify smime signature - libressl

I've signed a file like this, using LibreSSL 2.8.3 on macOS:
openssl smime -binary -sign -certfile WWDR.pem -signer passcertificate.pem \
-inkey passkey.pem -in manifest.json -out signature \
-outform DER -passin pass:12345
and now I want to just immediately verify that same file. I am trying the following command
openssl smime -binary -verify -certfile WWDR.pem -signer passcertificate.pem \
-inkey passkey.pem -in manifest.json -content signature \
-inform DER -passin pass:12345
but that fails with the below error. What's the proper syntax to verify the signature?
Error reading S/MIME message
4550921836:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:1144:
4550921836:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:317:Type=PKCS7
I'm basically doing this because I want to try and implement the signing in Swift. I know the above sign command works properly, and so if I can figure out how to verify a file then I can properly test whether or not my Swift implementation works.
The WWDR.pem file comes from http://www.apple.com/certificateauthority, and is the Worldwide Developer Relations certificate.
To get the passcertificate.pem and passkey.pem files I went to the Apple Developer portal and generated the pass certificate, imported it into Keychain Access on the Mac, exported it to Certificates.p12, then ran these two commands:
openssl pkcs12 -in Certificates.p12 -clcerts -nokeys \
-out passcertificate.pem -passin pass:
openssl pkcs12 -in Certificates.p12 -nocerts -out passkey.pem \
-passin pass: -passout pass:12345

Related

openssl self-signed certificate verify failed

Background: I create a self-made certificate and use the private key to sign some text. Then I use the self-made certificate to verify the signature, but the verification is not successful. Here is my process.
# create Rsa public/private key
openssl genrsa -out private.key 2048
# generate the certificate
openssl req -x509 -days 3650 -key private.key -out ca.csr
# generate text message
echo 'hello' > text
# sign text
openssl smime -sign -inkey private.key -signer ca.csr -in text -outform PEM -out signature
# verify signature
openssl smime -verify -noverify -content text -certfile ca.csr -inform PEM -in signature -signer ca.csr
hello
Verification failure
139927005472576:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:crypto/pkcs7/pk7_doit.c:1011:
139927005472576:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:crypto/pkcs7/pk7_smime.c:353:
What's wrong with my verification process?
In addition, if I verify without the -noverify option, the result is in line with expectations:
# verify signature
openssl smime -verify -content text -certfile ca.csr -inform PEM -in signature -signer ca.csr
Verification failure
139636965443472:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:336:Verify error:self signed certificate

Node-RED communication using CA certificate

I am trying to deploy my Node-RED environment using a CA certificate.
I have created the pem files from the .p12 file by executing the commands below:
- openssl pkcs12 -in test.p12 -passin pass:Password -out keyfile.pem -nodes
- openssl pkcs12 -in test.p12 -passin pass:Password -out crtfile.pem -nodes
Then I uncommented the https code in the settings.js file of Node-RED:
https: {
key: require("fs").readFileSync('keyfile.pem'),
cert: require("fs").readFileSync('crtfile.pem')
}
I have used the default http node and made the following configuration in the TLS config.
When I deploy the node I get the following error:
"Error: unable to verify the first certificate"
What am I missing here?
Remove the changes you made to the settings.js. That section is only for if you want to have Node-RED serve the editor via TLS.
Next, your openssl commands to export the user's private key and certificate should probably be more like
openssl pkcs12 -in test.p12 -out keyfile.pem -passin pass:Password -nocerts
openssl pkcs12 -in test.p12 -out crtfile.crt -passin pass:Password -nokeys -clcerts
You should also export the included CA chain with
openssl pkcs12 -in test.p12 -out ca.crt -passin pass:Password -cacerts -nokeys
You then need to add the ca.crt file to the HTTP node's TLS config.

Data verification with openssl smime fails

I am using openssl smime to sign and verify data.
To sign a text file using openssl I use the following command:
openssl smime -sign -in sample.txt -out mail.msg -signer cert.pem -inkey key.pem
Then I proceed to verification:
openssl smime -verify -in mail.msg -CAfile allCA.pem
The verification succeeds.
My problem is that I have an external tool that performs the verification using the following command:
openssl smime -verify -in mail.msg -inform DER -CAfile allCA.pem
How do I sign my txt file so it can be verified with the previous command?
What I've tried so far:
openssl smime -sign -in sample.txt -out mail.msg -outform DER -signer cert.pem -inkey key.pem
But I get an error when trying to verify my mail:
Verification failure
140204331579208:error:2107507A:PKCS7 routines:PKCS7_verify:no content:pk7_smime.c:291:
The way you call the sign operation creates a detached signature, so you would need to pass -content sample.txt to the verify command. However, it is possible to create a structure that encapsulates the message together with the signature (the -nodetach parameter).
This is the sign command you are looking for:
openssl smime -sign -in data.dat -out mail.msg -signer cert.pem -inkey key.pem -outform DER -nodetach
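The following is an added example, not code from any of the posts above. It round-trips the detached DER signature from the first question and the -nodetach variant from the answer just above with a throwaway self-signed signer, so the verify syntax can be checked offline; it assumes openssl is in PATH, and every file name in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from any post above): round-trip a detached DER S/MIME
# (PKCS#7) signature with a throwaway self-signed signer. Assumes openssl in
# PATH; every file name here is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway signer key + self-signed cert (stand-ins for passkey.pem /
# passcertificate.pem). The key is unencrypted, so no -passin is needed.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=smime-demo" \
  -keyout "$WORK/signer.key" -out "$WORK/signer.pem" 2>/dev/null

# Constructed content; the name mirrors the pass-signing use case.
printf '{"pass.json":"0123456789abcdef"}' > "$WORK/manifest.json"
cp "$WORK/manifest.json" "$WORK/tampered.json"
printf ' ' >> "$WORK/tampered.json"

# sign_detached CONTENT OUT: same shape as the question's sign command.
sign_detached() {
  openssl smime -binary -sign -signer "$WORK/signer.pem" -inkey "$WORK/signer.key" \
    -in "$1" -outform DER -out "$2"
}

# sign_opaque CONTENT OUT: -nodetach embeds the content in the PKCS#7, so the
# verifier needs no -content (the fix from the answer above).
sign_opaque() {
  openssl smime -binary -sign -nodetach -signer "$WORK/signer.pem" \
    -inkey "$WORK/signer.key" -in "$1" -outform DER -out "$2"
}

# verify_sig SIGNATURE [CONTENT] -> prints ok|fail.
# -in/-inform describe the PKCS#7 blob; the detached content goes in -content
# (the first question had these two swapped, which is why DER parsing of
# manifest.json reported "wrong tag"). -noverify only skips chain building;
# for a real check, replace it with -CAfile pointing at the trust anchors.
verify_sig() {
  sig=$1; shift
  if [ $# -gt 0 ]; then set -- -content "$1"; fi
  if openssl smime -binary -verify -noverify -inform DER -in "$sig" "$@" \
       -out /dev/null 2>/dev/null; then echo ok; else echo fail; fi
}

sign_detached "$WORK/manifest.json" "$WORK/signature.der"
sign_opaque   "$WORK/manifest.json" "$WORK/signed.p7"
echo "detached, right content: $(verify_sig "$WORK/signature.der" "$WORK/manifest.json")"
echo "detached, tampered:      $(verify_sig "$WORK/signature.der" "$WORK/tampered.json")"
echo "detached, no -content:   $(verify_sig "$WORK/signature.der")"
echo "opaque, no -content:     $(verify_sig "$WORK/signed.p7")"
```

The third case reproduces the "no content" failure from the question above; the fourth shows that -nodetach removes the need for -content.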

How do I convert a PEM cert to a PKCS12 with GnuTLS

I want to use GnuTLS certtool to convert a PEM public and private key to a PKCS12 pfx bundle. I don't have openssl available to me on the target system. The equivalent command with openssl is:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
$ certtool --load-certificate certificate.pem --load-privkey certificate.pem --to-p12 --outder --outfile certificate.pfx

No certificate matches private key while generating .p12 file

I have successfully generated a .p12 file but I got a message which is as follows:
C:\OpenSSL-Win32\bin>openssl pkcs12 -export -inkey mykey.key -in exported.pem -out myfile.p12
Loading 'screen' into random state - done
No certificate matches private key
Could anyone tell me what is this error all about?
Also, the size of the file myfile.p12 is 0KB and when I tried to open it, I got the following message in a small window with an OK button:
Invalid Public Key Security Object File
This file is invalid for use as the following: Personal Information Exchange
Please clarify.
Thanks
OpenSSL says no certificate matches private key when the certificate is DER-encoded. Just change it to PEM encoding before creating the PKCS#12.
Create key pair:
openssl genrsa -out aps_development.key 2048
Create CSR:
openssl req -new -sha256 -key aps_development.key -out aps_development.csr
Upload the CSR to the developer portal to get the certificate aps_development.cer.
Convert the certificate:
openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem
Build the PKCS#12:
openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12
I also had exactly the same issue. The two commands below worked like a charm.
cat domain.crt intermediate.crt ca.crt > bundle.crt
openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt
In my case, I'd actually specified the wrong certificate -- i.e. the certificate was for one system, and the private key for another. So the error message was spot-on!
Use these commands to compare the RSA Public-Key component of your CSR to that of the private key.
Key: openssl pkey -text_pub -in file.key -noout
CSR: openssl req -in file.csr -noout -text
These must match for 'openssl pkcs12' to create the export file.
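An added example, not from any of the answers above: it performs the key-versus-certificate comparison the last answer describes by digesting the DER-encoded public key on each side, then runs the same pkcs12 export with a matching and a mismatching key. It assumes openssl is in PATH; all key and certificate files are throwaway ones it creates itself.

```shell
#!/bin/sh
# Added example (not from any post above): check that a private key and a
# certificate carry the same public key before `openssl pkcs12 -export`,
# which is the condition behind "No certificate matches private key".
# Assumes openssl in PATH; all files are throwaway ones built here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two unrelated key pairs, each with its own self-signed certificate.
for n in a b; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n" \
    -keyout "$WORK/$n.key" -out "$WORK/$n.pem" 2>/dev/null
done

# pubkey_fp FILE KIND -> SHA-256 of the DER SubjectPublicKeyInfo, taken from a
# private key (key) or a PEM certificate (cert). A DER certificate must first
# go through `openssl x509 -inform DER -outform PEM`, as in the answer above.
# Comparing the digest is exact, unlike eyeballing -text output.
pubkey_fp() {
  case "$2" in
    key)  openssl pkey -in "$1" -pubout -outform DER ;;
    cert) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT -> prints match|mismatch
key_matches_cert() {
  if [ "$(pubkey_fp "$1" key)" = "$(pubkey_fp "$2" cert)" ]; then
    echo match
  else
    echo mismatch
  fi
}

# export_p12 KEY CERT OUT -> prints ok|fail. The empty export password keeps
# the demo non-interactive; a real bundle gets a real -passout.
export_p12() {
  if openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout pass: \
       >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "a.key vs a.pem: $(key_matches_cert "$WORK/a.key" "$WORK/a.pem")"
echo "b.key vs a.pem: $(key_matches_cert "$WORK/b.key" "$WORK/a.pem")"
echo "export a.key + a.pem: $(export_p12 "$WORK/a.key" "$WORK/a.pem" "$WORK/a.p12")"
echo "export b.key + a.pem: $(export_p12 "$WORK/b.key" "$WORK/a.pem" "$WORK/bad.p12")"
```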