Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
I would like to sign and verify a pdf with elliptic curve. I got some code but it doesn't work.
Create private key:
openssl ecparam -genkey -name secp384r1 -noout -out private.pem
Create public key:
openssl ec -in private.pem -pubout -out public.pem
Sign file:
openssl dgst -ecdsa-with-SHA1 test.pdf > hash openssl dgst
openssl dgst -ecdsa-with-SHA1 -inkey private.pem -keyform PEM -in hash > signature
Verify file:
openssl dgst -ecdsa-with-SHA1 -verify public.pem -signature signature.bin data
The part to sign and verify doesn't work.
I'm not sure where you're getting these command line options from - the help for dgst doesn't indicate that -ecdsa-with-SHA1, -inkey or -in are valid options. Try:
Sign:
openssl dgst -sha1 -sign private.pem < test.pdf > signature.bin
Verify:
openssl dgst -sha1 -verify public.pem -signature signature.bin < test.pdf
Related
I've signed a file like this, using LibreSSL 2.8.3 on macOS:
openssl smime -binary -sign -certfile WWDR.pem -signer passcertificate.pem \
-inkey passkey.pem -in manifest.json -out signature \
-outform DER -passin pass:12345
and now I want to just immediately verify that same file. I am trying the following command
openssl smime -binary -verify -certfile WWDR.pem -signer passcertificate.pem \
-inkey passkey.pem -in manifest.json -content signature \
-inform DER -passin pass:12345
but that fails with the below error. What's the proper syntax to verify the signature?
Error reading S/MIME message
4550921836:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:1144:
4550921836:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:317:Type=PKCS7
I'm basically doing this because I want to try and implement the signing in swift. I know the above sign command works properly, and so if I can figure out how to verify a file then I can properly test whether or not my Swift implementation works.
The WWDR.pem file comes from http://www.apple.com/certificateauthority, and is the Worldwide Developer Relations certificate.
To get the passcertificate.pem and passkey.pem files I went to the Apple Developer portal and generated the pass certificate, imported it into the mac Keychain Access, exported it to Certificates.p12, then ran these two commands:
openssl pkcs12 -in Certificates.p12 -clcerts -nokeys \
-out passcertificate.pem -passin pass:
openssl pkcs12 -in Certificates.p12 -nocerts -out passkey.pem \
-passin pass: -passout pass:12345
I'm looking to create an example of creating a document, digitally signing it, and verifying it. All works fine until I try and verify the signature, all I get is unable to load key file
Create a document, which needs an agreement (signature):
echo I, Bob, promise to pay Mark £1000 by 1/1/2020 > contract.txt
Generate a private key:
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
Generate the public key from the private key:
openssl rsa -in private_key.pem -RSAPublicKey_out -out public_key.pem
Digitally sign the document:
openssl dgst -sha256 -hex -sign private_key.pem -out signature.sign contract.txt
Then if we view the contents of signature.sign:
RSA-SHA256(contract.txt)= 2f5dc8216766562a9fb67a7b09b43b599889e7adea3d4d508194018961a82a9076051ee3c3952af9dbd607cbfe1095976ec5e877e22c0e4a884003ebef672f9a3e598128f819435a178c92ad10e4a409dc28db6e6500dfcee6a58e352446c354dec0852d6d826ee443fe158e6c30a231d30eb00e03c21a3e98855445bcc43a000f205b44ea8fc2f4ed85cd7c03c5708d649ef9a7d737b0948b9bdba322868e18492446eac054e2d4a31f0fa9bfccc627b621da0a9a261fb6169c1f107ec0311844151e77e50aeedb1be860c2b0b58f077c2886f9a7f05e727c0f9d4cc24d668f96bf7d6a2fff40a4b14951e745847c13812b35df95f91d202df0ef6ea5a05078
To verify the signature:
openssl dgst -sha256 -hex -verify public_key.pem -signature signature.sign contract.txt
Full script:
echo I, Bob, promise to pay Mark £1000 by 1/1/2020 > contract.txt
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -in private_key.pem -RSAPublicKey_out -out public_key.pem
openssl dgst -sha256 -sign private_key.pem -out signature contract.txt
openssl dgst -sha256 -verify public_key.pem -signature signature contract.txt
Thank you!
I am using openssl smime to sign and verify data.
To sign text file using openssl I sue the following command:
openssl smime -sign -in sample.txt -out mail.msg -signer cert.pem -inkey key.pem
Then I proceed to verification:
openssl smime -verify -in mail.msg -CAfile allCA.pem
The verification succeed.
My problem is that I have an external tool that performs the verification using the following command:
openssl smime -verify -in mail.msg -inform DER -CAfile allCA.pem
How to sign my txt file so it can be verified with the previous command ?
What I've tried so far:
openssl smime -sign -in sample.txt -out mail.msg -outform DER -signer cert.pem -inkey key.pem
But I get an error when trying to verify my mail:
Verification failure
140204331579208:error:2107507A:PKCS7 routines:PKCS7_verify:no content:pk7_smime.c:291:
The way you call sign operation creates detached signature so you would need to pass -content sample.txt to verify command. However, it is possible to create structure that encapsulates message together with signature (-nodetach parameter).
This is the sign command you are looking for:
openssl smime -sign -in data.dat -out mail.msg -signer cert.pem -inkey key.pem -outform DER -nodetach
This question already has answers here:
How to generate a self-signed SSL certificate using OpenSSL? [closed]
(23 answers)
Closed 6 years ago.
Trying to convert .pem file to .der file using below command.
openssl x509 -in public_key.pem -out cert.der -outform DER
getting below error
unable to load certificate
31833:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSS
L098/OpenSSL098-52.30.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFIC
ATE
I have generated RSA private/public keys using below.
openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem
You are creating a RSA key pair. And you are trying to convert the public key into DER format.
openssl x509 command requires public key inside the X.509 container.
Try this command to create the Private Key and Public Cert.
Create a self signed CA Cert:
openssl genrsa -out CAkey.pem 2048
openssl req -new -x509 -key CAkey.pem -out cacert.pem -days 1095
Now create another cert which is signed by the CA created above
openssl genrsa -out serverkey.pem 2048
openssl req -new -key serverkey.pem -out server.csr
openssl x509 -req -days 1000 -in server.csr -CA cacert.pem -CAkey CAkey.pem -out server.pem -set_serial 01
Later convert the public cert in PEM to DER format.
openssl x509 -in server.pem -out server.der -outform DER
Is there a way to digitally sign a x509 certificate or any document using openssl?
To Generate Private Key
openssl genrsa -out privatekey.pem 2048
To Sign
openssl dgst -sha256 -sign privatekey.pem -out data.txt.signature data.txt
To Generate The Public Key
dgst -verify requires the public key
openssl rsa -in privatekey.pem -outform PEM -pubout -out publickey.pem
To Verify
openssl dgst -sha256 -verify publickey.pem -signature data.txt.signature data.txt
In case of success: prints "Verified OK", return code 0
In case of failure: prints "Verification Failure", return code 1
Yes, the dgst and rsautl component of OpenSSL can be used to compute a signature given an RSA key pair.
Signing:
openssl dgst -sha256 data.txt > hash
openssl rsautl -sign -inkey privatekey.pem -keyform PEM -in hash >signature
Verifying just the signature:
openssl rsautl -verify -inkey publickey.pem -pubin -keyform PEM -in signature
Update: Capturing Reto's comments from below because this is an important nuance. Presumably if you are going to the trouble to verify, you want to know the signature was produced on the plaintext to which it is attached:
This might sound obvious for some but: Be aware, rsautl verify just decrypts the file signature. The output of this call is guaranteed to be produced by the owner of the private key, but beside that nothing else is being checked. So to actually verify the consistency of data.txt you have to regenerate the digest and then compare it against the output of openssl rsautl -verify.
Verifying that the owner of the private key does vouch for data.txt:
openssl dgst -sha256 -verify publickey.pem -signature signature data.txt
For this operation, openssl requires the public key, the signature, and the message.
To digitally sign document in openssl it will work
For this first your certificate should be trusted
it would be look like this
-----BEGIN TRUSTED CERTIFICATE-----
MIIDbjCCAlYCCQCOyunl25ProDANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJJ
...
-----END TRUSTED CERTIFICATE-----
Then use following command
smime -sign -signer certificate.pem -inkey private.key -in test.txt \
-out test1.txt -from ashish -to singhal