I am using openssl smime to sign and verify data.
To sign text file using openssl I sue the following command:
openssl smime -sign -in sample.txt -out mail.msg -signer cert.pem -inkey key.pem
Then I proceed to verification:
openssl smime -verify -in mail.msg -CAfile allCA.pem
The verification succeed.
My problem is that I have an external tool that performs the verification using the following command:
openssl smime -verify -in mail.msg -inform DER -CAfile allCA.pem
How to sign my txt file so it can be verified with the previous command ?
What I've tried so far:
openssl smime -sign -in sample.txt -out mail.msg -outform DER -signer cert.pem -inkey key.pem
But I get an error when trying to verify my mail:
Verification failure
140204331579208:error:2107507A:PKCS7 routines:PKCS7_verify:no content:pk7_smime.c:291:
The way you call sign operation creates detached signature so you would need to pass -content sample.txt to verify command. However, it is possible to create structure that encapsulates message together with signature (-nodetach parameter).
This is the sign command you are looking for:
openssl smime -sign -in data.dat -out mail.msg -signer cert.pem -inkey key.pem -outform DER -nodetach
Related
Background: I create a self-made certificate and use the private key to sign some text.And then, use the self made certificate verify the signature.But I cannot verify successful.Here is my process.
# create Rsa public/private key
openssl genrsa -out private.key 2048
# generate the certificate
openssl req -x509 -days 3650 -key private.key -out ca.csr
# generate text message
echo 'hello' > text
# sign text
openssl smime -sign -inkey private.key -signer ca.csr -in text -outform PEM -out signature
# verify signature
openssl smime -verify -noverify -content text -certfile ca.csr -inform PEM -in signature -signer ca.csr
hello
Verification failure
139927005472576:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:crypto/pkcs7/pk7_doit.c:1011:
139927005472576:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:crypto/pkcs7/pk7_smime.c:353:
what's wrong with my verification process.
In addition, if verify without -noverify option, which is in line with expectations
# verify signature
openssl smime -verify -content text -certfile ca.csr -inform PEM -in signature -signer ca.csr
Verification failure
139636965443472:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:336:Verify error:self signed certificate
I've signed a file like this, using LibreSSL 2.8.3 on macOS:
openssl smime -binary -sign -certfile WWDR.pem -signer passcertificate.pem \
-inkey passkey.pem -in manifest.json -out signature \
-outform DER -passin pass:12345
and now I want to just immediately verify that same file. I am trying the following command
openssl smime -binary -verify -certfile WWDR.pem -signer passcertificate.pem \
-inkey passkey.pem -in manifest.json -content signature \
-inform DER -passin pass:12345
but that fails with the below error. What's the proper syntax to verify the signature?
Error reading S/MIME message
4550921836:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:1144:
4550921836:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:317:Type=PKCS7
I'm basically doing this because I want to try and implement the signing in swift. I know the above sign command works properly, and so if I can figure out how to verify a file then I can properly test whether or not my Swift implementation works.
The WWDR.pem file comes from http://www.apple.com/certificateauthority, and is the Worldwide Developer Relations certificate.
To get the passcertificate.pem and passkey.pem files I went to the Apple Developer portal and generated the pass certificate, imported it into the mac Keychain Access, exported it to Certificates.p12, then ran these two commands:
openssl pkcs12 -in Certificates.p12 -clcerts -nokeys \
-out passcertificate.pem -passin pass:
openssl pkcs12 -in Certificates.p12 -nocerts -out passkey.pem \
-passin pass: -passout pass:12345
I'm looking to create an example of creating a document, digitally signing it, and verifying it. All works fine until I try and verify the signature, all I get is unable to load key file
Create a document, which needs an agreement (signature):
echo I, Bob, promise to pay Mark £1000 by 1/1/2020 > contract.txt
Generate a private key:
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
Generate the public key from the private key:
openssl rsa -in private_key.pem -RSAPublicKey_out -out public_key.pem
Digitally sign the document:
openssl dgst -sha256 -hex -sign private_key.pem -out signature.sign contract.txt
Then if we view the contents of signature.sign:
RSA-SHA256(contract.txt)= 2f5dc8216766562a9fb67a7b09b43b599889e7adea3d4d508194018961a82a9076051ee3c3952af9dbd607cbfe1095976ec5e877e22c0e4a884003ebef672f9a3e598128f819435a178c92ad10e4a409dc28db6e6500dfcee6a58e352446c354dec0852d6d826ee443fe158e6c30a231d30eb00e03c21a3e98855445bcc43a000f205b44ea8fc2f4ed85cd7c03c5708d649ef9a7d737b0948b9bdba322868e18492446eac054e2d4a31f0fa9bfccc627b621da0a9a261fb6169c1f107ec0311844151e77e50aeedb1be860c2b0b58f077c2886f9a7f05e727c0f9d4cc24d668f96bf7d6a2fff40a4b14951e745847c13812b35df95f91d202df0ef6ea5a05078
To verify the signature:
openssl dgst -sha256 -hex -verify public_key.pem -signature signature.sign contract.txt
Full script:
echo I, Bob, promise to pay Mark £1000 by 1/1/2020 > contract.txt
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -in private_key.pem -RSAPublicKey_out -out public_key.pem
openssl dgst -sha256 -sign private_key.pem -out signature contract.txt
openssl dgst -sha256 -verify public_key.pem -signature signature contract.txt
Thank you!
I have successfully generated .p12 file but I got a message which is a follows:
C:\OpenSSL-Win32\bin>openssl pkcs12 -export -inkey mykey.key -in exported.pem -out myfile.p12
Loading 'screen' into random state - done
No certificate matches private key
Could anyone tell me what is this error all about?
Also, the size of the file myfile.p12 is 0KB and when I tried to open it, I got the following message in a small window with OK button:
`Invalid Public Key Security Object File
This file is invalid for use as the following: Personal Information Exchange `
Please clarify.
Thanks
Source
OpenSSL says no certificate matches private key when the certificate is DER-encoded. Just change it to PEM encoding before creating the PKCS#12.
Create key pair :
openssl genrsa -out aps_development.key 2048
Create CSR : openssl req -new -sha256 -key aps_development.key -out aps_development.csr
Upload the CSR to developer portal to get the certificate aps_development.cer
Convert the certificate: openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem
Build the PKCS#12: openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12
I also had exactly same issue. Below two commands worked like a charm.
cat domain.crt intermediate.crt ca.crt > bundle.crt
openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt
In my case, I'd actually specified the wrong certificate -- i.e. the certificate was for one system, and the private key for another. So the error message was spot-on!
Use these commands to compare the RSA Public-Key component of your CSR to that of the private key.
Key: openssl pkey -text_pub -in file.key -noout
CSR: openssl req -in file.csr -noout -text
These must match for 'openssl pkcs12' to create the export file.
Is there a way to digitally sign a x509 certificate or any document using openssl?
To Generate Private Key
openssl genrsa -out privatekey.pem 2048
To Sign
openssl dgst -sha256 -sign privatekey.pem -out data.txt.signature data.txt
To Generate The Public Key
dgst -verify requires the public key
openssl rsa -in privatekey.pem -outform PEM -pubout -out publickey.pem
To Verify
openssl dgst -sha256 -verify publickey.pem -signature data.txt.signature data.txt
In case of success: prints "Verified OK", return code 0
In case of failure: prints "Verification Failure", return code 1
Yes, the dgst and rsautl component of OpenSSL can be used to compute a signature given an RSA key pair.
Signing:
openssl dgst -sha256 data.txt > hash
openssl rsautl -sign -inkey privatekey.pem -keyform PEM -in hash >signature
Verifying just the signature:
openssl rsautl -verify -inkey publickey.pem -pubin -keyform PEM -in signature
Update: Capturing Reto's comments from below because this is an important nuance. Presumably if you are going to the trouble to verify, you want to know the signature was produced on the plaintext to which it is attached:
This might sound obvious for some but: Be aware, rsautl verify just decrypts the file signature. The output of this call is guaranteed to be produced by the owner of the private key, but beside that nothing else is being checked. So to actually verify the consistency of data.txt you have to regenerate the digest and then compare it against the output of openssl rsautl -verify.
Verifying that the owner of the private key does vouch for data.txt:
openssl dgst -sha256 -verify publickey.pem -signature signature data.txt
For this operation, openssl requires the public key, the signature, and the message.
To digitally sign document in openssl it will work
For this first your certificate should be trusted
it would be look like this
-----BEGIN TRUSTED CERTIFICATE-----
MIIDbjCCAlYCCQCOyunl25ProDANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJJ
...
-----END TRUSTED CERTIFICATE-----
Then use following command
smime -sign -signer certificate.pem -inkey private.key -in test.txt \
-out test1.txt -from ashish -to singhal