Understanding signatures and creating a p7s file from a given data (e.g. PDF)

Mon, 26 Jan 2009 04:04:14 -0800 

Hi,
I'm asking you because we at the Ruby talk mailling list are stuck with this problem (http://www.ruby-forum.com/topic/176646) As Ruby OpenSSL is just a wrapper around the SSL functions I'd like to get it on with openssl command line interface first. Maybe I'm understanding a lot of basic things wrong, too. Please correct me when I'm wrong. 



How can I sign a PDF document to get a detached signature in p7s  
format which was created by the usage of a private key, a certificate  
and SHA512 for hashing?



1. I created a private key and a certificate with OpenSSL

        openssl genrsa -out key.pem 1024
        openssl req -new -key key.pem -x509 -days 365 -out crt.pem



Now I know that I can sign a hash of file with my private key (I'm  
using SHA1 because it seems that SHA512 is not compiled into OpenSSL  
on Mac OS X):


openssl dgst -sha1 -sign key.pem -out test.sha512 test.txt

As reading the man pages I found openssl smime... so I gave this a try:

openssl smime -sign -in test.txt -text -out test.signed -signer  
crt.pem -inkey key.pem
This actually somehow invokes my desired pkcs7 stuff... so I went on  
to investigate on openssl pkcs7


pkcs7 [options] <infile >outfile
where options are
 -inform arg   input format - DER or PEM
 -outform arg  output format - DER or PEM
 -in arg       input file
 -out arg      output file
 -print_certs  print any certs or crl in the input
 -text         print full details of certificates
 -noout        don't output encoded data
 -engine e     use engine e, possibly a hardware device.


Where to specify my data, my key and my cert? Or do I need to  
somethings else before? I'm quite sure... but as you can see, I'm  
stuck. That brings me back to my question:



How can I sign a PDF document to get a detached signature in p7s  
format which was created by the usage of a private key, a certificate  
and SHA512 for hashing?








And… is this right when I say:

A "p7s" file is a file containing just the detached signature.
A "pkc7s" file is a file containing both the data and the signature.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org














    











					Reply via email to