> From: owner-openssl-us...@openssl.org On Behalf Of JuliusIT
> Sent: Friday, 19 August, 2011 04:03
> we have tried and tried but we are not able to get a result on the subject below.
>
> we need to make an implementation of EDIFACT digital sign with embedded sign and certificate in the edifact file.
>
> We have a digital sign solution (that we buy, not develop) that returns a zip file with the file to sign and a p7s file with the certificate and sign inside, so we need to extract both certificate and sign from this file to put them afterwards in the edifact file.

I assume you want either the one signer-info, or set of signer-infos, since those are what a verifier needs, not just the raw signature.

> We were able to extract the certificate from the p7s file using OPENSSL but we can't find in the documentation or in the forum/mailing list a way to extract the signature. We would also like a way to extract the certificate in a HEX format.

If you want to do this using commandline, I don't think you can, except by using asn1parse and parsing the output, perhaps with awk or perl or similar. Assuming a detached signature, the second cont[0] tagged item is certs; take the offset, hdrlen and length from that line and add them together and that's the offset of signer-infos. If you want only a single signer-info (first if multiple), add hdrlen of the signer-infos line, or just use the offset of the next line. Then do

    openssl asn1parse -in file [-inform der] -strparse offset \
        -out outfile -noout    # yes -noout and -out

If you want hex, again awk or perl can do that, or od is close enough that it can be bent into the required shape.
If you want code, just read the headers and apply logic:

#include <assert.h>
#include <stdio.h>
#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <openssl/x509.h>

#define BIGENUF 65536  // placeholder buffer size, pick one appropriate for your p7s

int main(void)
{
PKCS7 *p7;
STACK_OF(PKCS7_SIGNER_INFO) *signers;
PKCS7_SIGNER_INFO *signer;
X509 *cert;
unsigned char buff[BIGENUF], *ptr;  // or dynamic as appropriate
int len;

p7 = PEM_read_PKCS7(stdin, NULL, NULL, NULL);
// or from a BIO, especially a memBIO if already in memory
// or d2i...[fp] if a DER file or data in memory
assert(p7 != NULL);                // should report/handle/etc errors
assert(PKCS7_type_is_signed(p7));  // ditto maybe

signers = PKCS7_get_signer_info(p7);
assert(signers != NULL);           // should never fail
// or cheat and just do p7->d.sign->signer_info
assert(signers == p7->d.sign->signer_info);
assert(sk_PKCS7_SIGNER_INFO_num(signers) == 1);   // or if allow multi-signed
signer = sk_PKCS7_SIGNER_INFO_value(signers, 0);  // loop through and choose
assert(signer != NULL);            // should never fail

// ask i2d for the encoded size first so a fixed buff can never be overrun
len = i2d_PKCS7_SIGNER_INFO(signer, NULL);
assert(len > 0 && len <= BIGENUF);
ptr = buff;                        // i2d advances ptr, so hand it a copy of the buffer start
len = i2d_PKCS7_SIGNER_INFO(signer, &ptr);
assert(len > 0);                   // I don't think i2d_mem ever fails
// do something with buff for len

cert = PKCS7_cert_from_signer_info(p7, signer);
assert(cert != NULL);              // should never fail
// similarly (re)encode and convert to hex as you like
// or cheat and use STACK_OF(X509)* p7->d.sign->cert
// and require only one, or loop through and look
assert(cert == sk_X509_value(p7->d.sign->cert, 0));

PKCS7_free(p7);
return 0;
}

> To the two results we need also to apply a filtering algorithm, EDC; is there a way to do so in OPENSSL?

No idea what that is, but I don't think it's in OpenSSL.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
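The asn1parse offset arithmetic in the reply above (find the certs cont[0], add offset + hdrlen + length, land on the signer-infos SET) is really a structural walk of the SignedData DER. The following is an added example, not code from the thread or from OpenSSL: a minimal DER TLV walker that performs that walk, returns each certificate and each SignerInfo as DER bytes ready for `.hex()`, and, unlike the flat "second cont[0]" rule, stays correct when eContent is attached or a crls [1] element is present, because it looks only at the direct children of SignedData. The sample input it parses is constructed in the block with placeholder cert and SignerInfo bodies, so it runs offline.

```python
def der_len(n):  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):  # one DER TLV with a single-byte tag
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf, pos):  # -> (tag, header_len, content_len) of the TLV at pos
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first

def children(buf, pos):  # yield (tag, offset, hdrlen, length) of each nested element
    _, hdr, length = read_tlv(buf, pos)
    cur, end = pos + hdr, pos + hdr + length
    while cur < end:
        ctag, chdr, clen = read_tlv(buf, cur)
        yield ctag, cur, chdr, clen
        cur += chdr + clen

def extract_signed_data(p7):
    """Return (certs, signer_infos) as lists of DER bytes; .hex() on any gives the hex form."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    oid, wrapper = children(p7, 0)
    assert oid[0] == 0x06 and wrapper[0] == 0xA0, "not a PKCS#7 ContentInfo"
    kids = list(children(p7, next(children(p7, wrapper[1]))[1]))  # SignedData fields
    certs = []
    for tag, off, _, _ in kids:
        if tag == 0xA0:  # certificates [0] IMPLICIT; a crls [1] element would be 0xA1
            certs = [p7[o:o + h + l] for _, o, h, l in children(p7, off)]
    tag, off, _, _ = kids[-1]  # signerInfos SET is always the final SignedData field
    assert tag == 0x31, "signerInfos SET missing"
    return certs, [p7[o:o + h + l] for _, o, h, l in children(p7, off)]

# Constructed sample: detached SignedData whose cert/SignerInfo bodies are placeholder bytes.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
FAKE_CERT, FAKE_SI = tlv(0x30, b"cert-placeholder"), tlv(0x30, b"signerinfo-placeholder")

def build_sample(ncerts=1, nsigners=1):
    signed = tlv(0x30, tlv(0x02, b"\x01")                # version
                     + tlv(0x31, b"")                     # digestAlgorithms (empty toy)
                     + tlv(0x30, tlv(0x06, OID_DATA))     # encapContentInfo, no eContent
                     + tlv(0xA0, FAKE_CERT * ncerts)      # certificates [0]
                     + tlv(0x31, FAKE_SI * nsigners))     # signerInfos
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))

certs, signers = extract_signed_data(build_sample(2, 1))
print(len(certs), "cert(s); first SignerInfo as hex:", signers[0].hex())
```

On a real p7s, read the file with `open(path, "rb").read()` (after PEM-decoding if needed) and pass it to `extract_signed_data`; each returned element is the same DER that `i2d_PKCS7_SIGNER_INFO` or `i2d_X509` would produce.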