I am looking for any practical method for converting a PEM-encoded x509 certificate chain into PKCS7 format in the Go language.
This openssl command line illustrates what I am trying to achieve in native Go.
openssl crl2pkcs7 -nocrl -certfile certificate-chain.pem > pkcs7.pem
I am able to run the openssl command line from within a Go program using the exec package, but I am looking for an efficient solution in Go.
The input file contains a sequence of certificates in PEM format, starting with -----BEGIN CERTIFICATE-----\n and base64 encoded data. The desired output needs to be in PKCS7 format, starting with -----BEGIN PKCS7-----.
I am looking for an efficient solution, because I am not actually reading and writing files, but handling lots of certificates as strings in memory.
Any suggestions appreciated.
First of all, just to be clear, both the input and output you are requesting are in PEM format. The input is a sequence of PEM-encoded X509 certificates, and the output you request is a PEM-encoded PKCS#7 degenerate "certs only" structure. OpenSSL can output the raw ASN.1 DER for the PKCS#7 structure if you give it the -outform DER option, but it will PEM-encode its output by default.
There are a number of Go packages out there that can build this kind of PKCS#7 structure. The following example uses this one.
If you have your input in a PEM-encoded string, and you want your output to be a PEM-encoded string, then the basic steps are:
Extract each PEM-block from your input, decode it, and collect its raw bytes.
Create a PKCS7 structure from those bytes.
PEM-encode that structure to an array of bytes.
Convert that array of bytes to a string.
Here's a simple example:
package main
import (
"encoding/pem"
"fmt"
"log"
"github.com/fullsailor/pkcs7"
)
var certChain = `-----BEGIN CERTIFICATE-----
MIIEKjCCAhKgAwIBAgIQVUzJj/mbV3n8PS0CHQTfzzANBgkqhkiG9w0BAQsFADBk
MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTmV3IEhhbXBzaGlyZTETMBEGA1UEBxMK
UG9ydHNtb3V0aDEoMCYGA1UEAxMfU2ltcGxlQ0EgTm9uLVB1YmxpYyBUZXN0IElz
c3VlcjAeFw0xODExMjgyMzMwNDVaFw0xOTAyMjYyMzMwNDVaMBUxEzARBgNVBAMT
CkphbmUgU21pdGgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3iiYS
42eqJOJfF81MekU0w+8UTQgL9D9fh0BYAljgvKx1jvlg6l2CX1OPfNMxOWjDo7DB
ICRrPKxq/FH/tsPumzNWLp6Fsu559MgzkudzRHDVdCF0pa/qujeJeiDLXs7mtekc
rKW6SyrKceknSoPCAwnWr/CEBL09pG3lef7vUMfmkuSMW+L7upHpL/sHyqnyoAnh
9b7IeeQ832rg7b7VOX6zmDcCr6qndhXt6L/neidFbX736wH+fF+iKyTw7XJNflqT
YvifUvnI9rGriDZdAPVa1/a94tKHbFzil/2UEDzNo61mcucbcHqhUL4Iezpi/s5I
iyXqM9oMoMQKPSAlAgMBAAGjJzAlMAsGA1UdDwQEAwIDqDAWBgNVHSUBAf8EDDAK
BggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAgEAXe8ipocWVv+Bc78ci6QjAb6N
1DN0n9X7Ai6nvekDP1hqvNUhqKmKhV8pEL7GapyH7Rz3shYJyLEwlV0zUgS3/Uvv
38Ae5xl2uQLl4eoMz4T9NXewZyRmeSyfwz1za93wKGKz6IhoYRepI4EwaPjYowok
nNrocMRFuZHeUysSdLNXtgxKvtRYFI63rjNikJNM7C8mKOzeVobdegZipALxonDb
FcVUhikyu6YkT3Rc5X/oW5I2LfCl9v8mhjbuIPmLsZJyTcDBK81AFIX8g7Iavb8L
buRBIgSTShQISPrunnxbcQg3YimdNCn0n5llDmUP3jxWqiuvEZ7pSAUU6aVY7x8B
fAq9utHTz63FqVCLyl8us/oYZmeYpxpw5HSFhqwujKzJhvO1raaoU+3zsybrsxAy
tzgm05WucSoMTjhOBZFr8OVQxKnMHwgNudwsxuXqqFhUBV5JLkhxWIZxUoH3fhgz
9b2yH0pf/Vgurglfk/onMYR33B0grAT6/NW294oUOKCP9jdwNPQr+eRgoDU6hZ/P
UZMfr+dhVpIHPouSKCrkNXKLrBLFZsg8UiyMXiNB27OBK+mWCH8gUv5EPjW1PUCV
338v19sruqtHRRs7ZnWYMMxGeWosJ4eK/ysTjCespenOeC1HBVEnHQE+H/JvN7Pc
GN3nlK0GRJl5j3y6nmw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEKzCCAhOgAwIBAgIRAKju/EHi+Hw4PQZENuj9F1AwDQYJKoZIhvcNAQELBQAw
ZDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU5ldyBIYW1wc2hpcmUxEzARBgNVBAcT
ClBvcnRzbW91dGgxKDAmBgNVBAMTH1NpbXBsZUNBIE5vbi1QdWJsaWMgVGVzdCBJ
c3N1ZXIwHhcNMTgxMTI4MjMzMTQ2WhcNMTkwMjI2MjMzMTQ2WjAVMRMwEQYDVQQD
EwpGcmVkIEpvbmVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4om
EuNnqiTiXxfNTHpFNMPvFE0IC/Q/X4dAWAJY4LysdY75YOpdgl9Tj3zTMTlow6Ow
wSAkazysavxR/7bD7pszVi6ehbLuefTIM5Lnc0Rw1XQhdKWv6ro3iXogy17O5rXp
HKyluksqynHpJ0qDwgMJ1q/whAS9PaRt5Xn+71DH5pLkjFvi+7qR6S/7B8qp8qAJ
4fW+yHnkPN9q4O2+1Tl+s5g3Aq+qp3YV7ei/53onRW1+9+sB/nxfoisk8O1yTX5a
k2L4n1L5yPaxq4g2XQD1Wtf2veLSh2xc4pf9lBA8zaOtZnLnG3B6oVC+CHs6Yv7O
SIsl6jPaDKDECj0gJQIDAQABoycwJTALBgNVHQ8EBAMCA6gwFgYDVR0lAQH/BAww
CgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAImzRaStB2tb0tCs0x9d0NTy
Z8Q3Fkexvt816xfBGiRS1AtetnV59sJKJvPe9qRoKQDRk7Q+/HO80Iu1o7dWfp7S
h29g9a1uhIVCY1ijr8cW8La9H/OF2KxgGX8TOldrftUl60sA3riJ7lQYOW0NkU+o
wrRsIlMCLhP8NZYjKn2Wf066JtV6Z4Be2CgVpaXkuTIE3h4BOv0kG9OsMvuRMqZw
n7z6EqhduSujwHevB2dIZgixacnE5v5hnpZm1ujzlgbAAZWh7uFthktXL5fBbkW7
heoOv320GOTvqkGVVlc4Pac5kR+P6JWfCDETfIVvtyTtfei5tDm606rBa3BHtiRu
kO4m63fnYziUzRXrF/bDcAzVx5jHQWugpxeI5UcaF6e5psOvhlP6O0sIeN6ThY/I
f+zZN6kf8eZ0OYk+61fVPbbpkF05AFhKkduIRfywUy5+iXrPK4iuQxhM/kRCO0H3
rxXcDlc+9Ol1JiJNNF2lV8+U1APsPFK0gnrxoYLFyRsejCiV8/D67v8oEk0gfiMm
/uZUhC2jYJ05lfK7aGV72Cf82g46zAuNAiH4zwvmxvC/2tcqcaYFyK15D1dQGqOg
z3LR6viX/ncO72ywQWgjRc5hdR5vLinIEXTRlNKm4EW+AoLY3x+Erhmq69EEnGMr
4/GUXRuNB7Is+lFM3JYE
-----END CERTIFICATE-----`
func main() {
// Decode each PEM block in the input and append the ASN.1
// DER bytes for each certificate therein to the data slice.
input := []byte(certChain)
data := []byte{}
for len(input) > 0 {
var block *pem.Block
block, input = pem.Decode(input)
data = append(data, block.Bytes...)
}
// Build a PKCS#7 degenerate "certs only" structure from
// that ASN.1 certificates data.
var err error
data, err = pkcs7.DegenerateCertificate(data)
if err != nil {
log.Fatalf("couldn't create degenerate PKCS7 object: %v", err)
}
// Convert the PKCS#7 structure to a PEM-encoded string.
pemString := string(pem.EncodeToMemory(&pem.Block{
Type: "PKCS7",
Bytes: data,
}))
// Print the string, or do whatever you want with it.
fmt.Printf("%s", pemString)
}
and to show it gives the same output as your OpenSSL command:
paul#mac:certstop7$ cat certs.pem
-----BEGIN CERTIFICATE-----
MIIEKjCCAhKgAwIBAgIQVUzJj/mbV3n8PS0CHQTfzzANBgkqhkiG9w0BAQsFADBk
MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTmV3IEhhbXBzaGlyZTETMBEGA1UEBxMK
UG9ydHNtb3V0aDEoMCYGA1UEAxMfU2ltcGxlQ0EgTm9uLVB1YmxpYyBUZXN0IElz
c3VlcjAeFw0xODExMjgyMzMwNDVaFw0xOTAyMjYyMzMwNDVaMBUxEzARBgNVBAMT
CkphbmUgU21pdGgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3iiYS
42eqJOJfF81MekU0w+8UTQgL9D9fh0BYAljgvKx1jvlg6l2CX1OPfNMxOWjDo7DB
ICRrPKxq/FH/tsPumzNWLp6Fsu559MgzkudzRHDVdCF0pa/qujeJeiDLXs7mtekc
rKW6SyrKceknSoPCAwnWr/CEBL09pG3lef7vUMfmkuSMW+L7upHpL/sHyqnyoAnh
9b7IeeQ832rg7b7VOX6zmDcCr6qndhXt6L/neidFbX736wH+fF+iKyTw7XJNflqT
YvifUvnI9rGriDZdAPVa1/a94tKHbFzil/2UEDzNo61mcucbcHqhUL4Iezpi/s5I
iyXqM9oMoMQKPSAlAgMBAAGjJzAlMAsGA1UdDwQEAwIDqDAWBgNVHSUBAf8EDDAK
BggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAgEAXe8ipocWVv+Bc78ci6QjAb6N
1DN0n9X7Ai6nvekDP1hqvNUhqKmKhV8pEL7GapyH7Rz3shYJyLEwlV0zUgS3/Uvv
38Ae5xl2uQLl4eoMz4T9NXewZyRmeSyfwz1za93wKGKz6IhoYRepI4EwaPjYowok
nNrocMRFuZHeUysSdLNXtgxKvtRYFI63rjNikJNM7C8mKOzeVobdegZipALxonDb
FcVUhikyu6YkT3Rc5X/oW5I2LfCl9v8mhjbuIPmLsZJyTcDBK81AFIX8g7Iavb8L
buRBIgSTShQISPrunnxbcQg3YimdNCn0n5llDmUP3jxWqiuvEZ7pSAUU6aVY7x8B
fAq9utHTz63FqVCLyl8us/oYZmeYpxpw5HSFhqwujKzJhvO1raaoU+3zsybrsxAy
tzgm05WucSoMTjhOBZFr8OVQxKnMHwgNudwsxuXqqFhUBV5JLkhxWIZxUoH3fhgz
9b2yH0pf/Vgurglfk/onMYR33B0grAT6/NW294oUOKCP9jdwNPQr+eRgoDU6hZ/P
UZMfr+dhVpIHPouSKCrkNXKLrBLFZsg8UiyMXiNB27OBK+mWCH8gUv5EPjW1PUCV
338v19sruqtHRRs7ZnWYMMxGeWosJ4eK/ysTjCespenOeC1HBVEnHQE+H/JvN7Pc
GN3nlK0GRJl5j3y6nmw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEKzCCAhOgAwIBAgIRAKju/EHi+Hw4PQZENuj9F1AwDQYJKoZIhvcNAQELBQAw
ZDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU5ldyBIYW1wc2hpcmUxEzARBgNVBAcT
ClBvcnRzbW91dGgxKDAmBgNVBAMTH1NpbXBsZUNBIE5vbi1QdWJsaWMgVGVzdCBJ
c3N1ZXIwHhcNMTgxMTI4MjMzMTQ2WhcNMTkwMjI2MjMzMTQ2WjAVMRMwEQYDVQQD
EwpGcmVkIEpvbmVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4om
EuNnqiTiXxfNTHpFNMPvFE0IC/Q/X4dAWAJY4LysdY75YOpdgl9Tj3zTMTlow6Ow
wSAkazysavxR/7bD7pszVi6ehbLuefTIM5Lnc0Rw1XQhdKWv6ro3iXogy17O5rXp
HKyluksqynHpJ0qDwgMJ1q/whAS9PaRt5Xn+71DH5pLkjFvi+7qR6S/7B8qp8qAJ
4fW+yHnkPN9q4O2+1Tl+s5g3Aq+qp3YV7ei/53onRW1+9+sB/nxfoisk8O1yTX5a
k2L4n1L5yPaxq4g2XQD1Wtf2veLSh2xc4pf9lBA8zaOtZnLnG3B6oVC+CHs6Yv7O
SIsl6jPaDKDECj0gJQIDAQABoycwJTALBgNVHQ8EBAMCA6gwFgYDVR0lAQH/BAww
CgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAImzRaStB2tb0tCs0x9d0NTy
Z8Q3Fkexvt816xfBGiRS1AtetnV59sJKJvPe9qRoKQDRk7Q+/HO80Iu1o7dWfp7S
h29g9a1uhIVCY1ijr8cW8La9H/OF2KxgGX8TOldrftUl60sA3riJ7lQYOW0NkU+o
wrRsIlMCLhP8NZYjKn2Wf066JtV6Z4Be2CgVpaXkuTIE3h4BOv0kG9OsMvuRMqZw
n7z6EqhduSujwHevB2dIZgixacnE5v5hnpZm1ujzlgbAAZWh7uFthktXL5fBbkW7
heoOv320GOTvqkGVVlc4Pac5kR+P6JWfCDETfIVvtyTtfei5tDm606rBa3BHtiRu
kO4m63fnYziUzRXrF/bDcAzVx5jHQWugpxeI5UcaF6e5psOvhlP6O0sIeN6ThY/I
f+zZN6kf8eZ0OYk+61fVPbbpkF05AFhKkduIRfywUy5+iXrPK4iuQxhM/kRCO0H3
rxXcDlc+9Ol1JiJNNF2lV8+U1APsPFK0gnrxoYLFyRsejCiV8/D67v8oEk0gfiMm
/uZUhC2jYJ05lfK7aGV72Cf82g46zAuNAiH4zwvmxvC/2tcqcaYFyK15D1dQGqOg
z3LR6viX/ncO72ywQWgjRc5hdR5vLinIEXTRlNKm4EW+AoLY3x+Erhmq69EEnGMr
4/GUXRuNB7Is+lFM3JYE
-----END CERTIFICATE-----
paul#mac:certstop7$ openssl crl2pkcs7 -nocrl -certfile certs.pem > openssl_p7.pem
paul#mac:certstop7$ ./certstop7 > generated_p7.pem
paul#mac:certstop7$ diff generated_p7.pem openssl_p7.pem
paul#mac:certstop7$
Related
I'm trying to create an Elixir code that will generate GnuPG-compatible key pairs and also to be able to encrypt, decrypt and sign messages. But it's also important that it can export PEM-formatted keys and messages, so users can use it with the GnuPG implementation.
Here's how I began my attempt:
defmodule GPG do
def test do
private_key = generate_private_key()
public_pem = pem_encoded_public_key(private_key)
IO.puts("Public Key PEM:")
IO.puts(public_pem)
end
defp pem_encoded_public_key(private_key) do
private_key
|> public_key_from_private_key()
|> pem_entry_encode(:RSAPublicKey)
end
defp generate_private_key do
:public_key.generate_key({:rsa, 2048, 65537})
end
defp public_key_from_private_key(private_key) do
{:RSAPublicKey, elem(private_key, 2), elem(private_key, 2)}
end
defp pem_entry_encode(key, type) do
:public_key.pem_encode([:public_key.pem_entry_encode(type, key)])
end
end
If I run GNU.test() on iEx, it will output:
iex(3)> GPG.test()
Public Key PEM:
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAQEAxEKcdLQmc8ik+srOf/hVTUzADGOVOrtOAigyqCMmtxAmNW4fTj5+
3MTSBTHQLSO0gWeuq2gR2Qrb/vd0d3OOielAudonvgo3enDL2jDp49zokB333LgK
64QK+l1erkjmy1Atj2fbXJAE0O2VzZmfMjCUGBJJQ/cklWXZH0Qczjojith2VHJU
jx4OoGHzIOOJ9qDOPPrY43vvymWs4CEM7OPUKq37MDfU0yxtSGoBERW2a/4jUOlk
JNQSBzjUSfd7VZaIziyF8NRy47j1ErrES3DS8m5zPoR/d+qyrQs0pg1S7Wgr9Aws
tpwM6yFEKhK507S4gdBuVWqyIVuiI/HcmwKCAQEAxEKcdLQmc8ik+srOf/hVTUzA
DGOVOrtOAigyqCMmtxAmNW4fTj5+3MTSBTHQLSO0gWeuq2gR2Qrb/vd0d3OOielA
udonvgo3enDL2jDp49zokB333LgK64QK+l1erkjmy1Atj2fbXJAE0O2VzZmfMjCU
GBJJQ/cklWXZH0Qczjojith2VHJUjx4OoGHzIOOJ9qDOPPrY43vvymWs4CEM7OPU
Kq37MDfU0yxtSGoBERW2a/4jUOlkJNQSBzjUSfd7VZaIziyF8NRy47j1ErrES3DS
8m5zPoR/d+qyrQs0pg1S7Wgr9AwstpwM6yFEKhK507S4gdBuVWqyIVuiI/Hcmw==
-----END RSA PUBLIC KEY-----
But if I create a test_public_key.txt file with this given key as content and run GnuPG to evaluate it, this happens:
$ gpg --show-keys test_public_key.txt
gpg: no valid OpenPGP data found.
I'm wondering what I'm missing.
I believe gpg expects this format
header -> -----BEGIN PGP PUBLIC KEY BLOCK-----
empty ->
key -> blablablablablablablablablablablabla
key -> blablablablablablablablablablablabla
header -> -----END PGP PUBLIC KEY BLOCK-----
Just manually change the headers and add an empty line.
I'm trying to sign a PDF with certificate. I prepare the PDF for signing, generate SHA256 hash value of the document, encrypt it with my private key and now I need to create PKCS7 certificate. When I create it like this:
PKCS7 *pkcs7 = PKCS7_sign(certificate, privateKey, ca, fileBIO, PKCS7_DETACHED | PKCS7_BINARY);
PKCS7_final(pkcs7, fileBIO, PKCS7_DETACHED | PKCS7_BINARY);
the certificate works but it doesn't contain any hash value. How do I insert my custom SHA256 hash value?
In what format are you supposed to supply the certificates (and keys) in the WifiClientSecure module? NO examples exist, or documentation of it's usage.
I am following the Arduino (ESP32) WiFiClientSecure example code - and trying to connect while specifying a CA Certificate, such as:
client.connect(server, 443, test_ca_cert, test_client_cert, test_client_key)
(test_client_cert and test_client_key are NULL pointers). If test_ca_cert is a NULL pointer, the SSL connection is fine.
If I try to specify my own test_ca_cert, I always get:
CA cert: mbedtls_x509_crt_parse returned -0x2180 (which is an error code for "invalid format")
I have tried a multitude of things for the test_ca_cert such as a string with the PEM formatted (cleartext) base64 encoded certificate, and a byte array of the DER formatted certificates. Nothing seems to work.
What is the format in which this certificate should be specified?
I figured it out by a combination of brute-force, and combing through some mbedtls code online. The certificate has to be specified in exactly the format as follows - i.e. by embedding your own newlines in the array:
unsigned char test_ca_cert[] =
"-----BEGIN CERTIFICATE-----\n"
"MIIDpDCCAowCCQC7mCk5Iu3YmDANBgkqhkiG9w0BAQUFADCBkzELMAkGA1UEBhMC\n"
"VVMxFjAUBgNVBAgMDU5ldyBIYW1wc2hpcmUxDzANBgNVBAcMBk5hc2h1YTEYMBYG\n"
"A1UECgwPYnJhZGdvb2RtYW4uY29tMR0wGwYDVQQDDBRCcmFkIEdvb2RtYW4gUm9v\n"
"dCBDQTEiMCAGCSqGSIb3DQEJARYTYnJhZEBicmFkZ29kbWFuLmNvbTAeFw0xNDEy\n"
"MDgwMTM2NDJaFw0yNDEyMDUwMTM2NDJaMIGTMQswCQYDVQQGEwJVUzEWMBQGA1UE\n"
"CAwNTmV3IEhhbXBzaGlyZTEPMA0GA1UEBwwGTmFzaHVhMRgwFgYDVQQKDA9icmFk\n"
"Z29vZG1hbi5jb20xHTAbBgNVBAMMFEJyYWQgR29vZG1hbiBSb290IENBMSIwIAYJ\n"
"KoZIhvcNAQkBFhNicmFkQGJyYWRnb2RtYW4uY29tMIIBIjANBgkqhkiG9w0BAQEF\n"
"AAOCAQ8AMIIBCgKCAQEAq0TfPz/2eH1vMhs5wKjZQU5KEpJH8n27jW3cSVPJPRHo\n"
"tn1S14zzaxuMYhZ1LQJgqT3/V9eVJdJkgoW54dgHLZVMb0xRilJPXNtR9WIZI+3r\n"
"6+7sm6OOhmxjOKUuTWdK+Rbx/KGU+xjQjlyw7Ir4hRLmfaNAw7gnZWyzVcJbvg8O\n"
"5JsReO4x4CnDveX0EJK6L9kNpTSLJZoFsVPdA3QJrxUYOw9s7gQYSjxx1SlcXqQQ\n"
"eWyJWF0FSkRcgRo4qu3JiV94kLUwYNno89G5kU1TnlK0d740KK/A3LN686HhtT66\n"
"XTtE/GLP9EUdlNgEkSoa00580iZqxYZBjlswa04qPQIDAQABMA0GCSqGSIb3DQEB\n"
"BQUAA4IBAQBqf27PAMC0cs5qgr6z5nUxSUN+o3Ap0YjNqrvBID0jQNPr3pfW8fy2\n"
"7dGa3ZAGwPnAmMvx2M6UF5GRYA7lAiC/jBmp0qrdekst4FBx5whJL6tt6sSSmeNp\n"
"4dF7OpGFFDeuBj1CJlN7dro+nd+wty9f7rpjNmGcNjD/vGOrk9T67uWB5NYDIrcn\n"
"rBOAVb+yBnDphBH7UIXWnSBCyDGD7SjAnWPQdH6uRAhVrbhIPylC50NwhqjlN5su\n"
"ll2eQ0Vfp5u+viLK441MwfF77CjhFMs50Ahu7y5ApRD9nzMdqav63dU4oKrdOJgK\n"
"yiUGy+6qJ0KK7FyaU4YKbcsqmd/kev9m\n"
"-----END CERTIFICATE-----\n";
As the title says, I have both the signature and the private key and would like to know the string that generated the signature.
To sign my string I would do this:
$ echo 'data to sign' > data.txt
$ openssl dgst -sha1 -sign privateKey.pem -out data.sha1 data.txt
$ openssl enc -base64 -in data.sha1 -out data.b64 -A
And I end up with a 172 bytes signature.
What I would like to know is if there's a way to reverse the process.
Thank you.
You wont be able to do this. A Hash such as SHA1 is a one way type of encryption. Once the encryption is done its done and there is no going back.
Basically no, but if you know the string was relatively short and had some defined structure, you could brute force it until you get a matching hash value. For long and random strings it is impossible.
If I run the openssl command line in hmac mode (as below), is the key used for the hmac used directly or is it hashed before using it as the key?
echo "foo" | openssl dgst -sha256 -binary -hmac "test" | openssl base64
Similarly, when encrypting a file with openssl (as below)is the pass phrase hashed with the salt? (If so how is it done? A pointer to the right source file would be even better.)
openssl enc -salt
The hmac option does not use salting or hashing; it just uses the passphrase directly as the key. See apps/dgst.c in the source distribution:
else if (!strcmp(*argv,"-hmac"))
{
if (--argc < 1)
break;
hmac_key=*++argv;
}
...
if (hmac_key)
{
sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
(unsigned char *)hmac_key, -1);
if (!sigkey)
goto end;
}
The enc command does seem to use some form of salting, at least in some cases. The relevant source file is apps/enc.c, but seems to come with some caveats:
/* Note that str is NULL if a key was passed on the command
* line, so we get no salt in that case. Is this a bug?
*/
if (str != NULL)
{
/* Salt handling: if encrypting generate a salt and
* write to output BIO. If decrypting read salt from
* input BIO.
*/
It then uses the function EVP_BytesToKey (in crypto/evp/evp_key.c) to generate a random key. This function seems to be a non-standard algorithm, which looked perhaps plausibly OK at a very brief glance but I couldn't attest to it beyond that.
Source snippets and comments are all from the OpenSSL 1.0.0 release.