发表新帖
发表新帖

Digital signature for a file using openssl

前端 未结
关注
3 1818
粉色の甜心
粉色の甜心 2020-12-07 12:46

Is there a way to digitally sign a x509 certificate or any document using openssl?

相关标签:
3条回答
  • 眼角桃花
    2020-12-07 13:15

    Yes, the dgst and rsautl component of OpenSSL can be used to compute a signature given an RSA key pair.

    Signing:

    openssl dgst -sha256 data.txt > hash
openssl rsautl -sign -inkey privatekey.pem -keyform PEM -in hash >signature

    Verifying just the signature:

    openssl rsautl -verify -inkey publickey.pem -pubin -keyform PEM -in signature

    Update: Capturing Reto's comments from below because this is an important nuance. Presumably if you are going to the trouble to verify, you want to know the signature was produced on the plaintext to which it is attached:

    This might sound obvious for some but: Be aware, rsault verify just decrypts the file signature. The output of this call is guaranteed to be produced by the owner of the private key, but beside that nothing else is being checked. So to actually verify the consistency of data.txt you have to regenerate the digest and then compare it against the output of openssl rsautl -verify.

    Verifying that the owner of the private key does vouch for data.txt:

    openssl dgst -sha256 -verify publickey.pem -signature signature data.txt

    For this operation, openssl requires the public key, the signature, and the message.

    0 讨论(0)
  • 再見小時候
    2020-12-07 13:23

    To digitally sign document in openssl it will work

    For this first your certificate should be trusted it would be look like this 

    -----BEGIN TRUSTED CERTIFICATE-----
MIIDbjCCAlYCCQCOyunl25ProDANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJJ
...
-----END TRUSTED CERTIFICATE-----

    Then use following command 

    smime -sign -signer certificate.pem -inkey private.key -in test.txt \
    -out test1.txt -from ashish -to singhal
    0 讨论(0)
  • 说谎
    2020-12-07 13:25

    Alternative way to sign/verify a single, inspired by Anders Lindahl's answer.

    to sign

    openssl dgst -sha256 -sign snakeoil.key -out some-file.sha256 some-file

    to verify

    # dgst -verify requires the public key
openssl x509 -in snakeoil.crt -pubkey -noout > snakeoil.pub

openssl dgst -sha256  -verify  snakeoil.pub -signature some-file.sha256 some-file

# in case of success: prints "Verified OK"
# in case of failure: prints "Verification Failure", return code 1

# or compact (requires a modern shell)
openssl dgst -sha256  \
    -verify  <(openssl x509 -in snakeoil.crt -pubkey -noout) \
    -signature some-file.sha256 some-file
    0 讨论(0)
 看不清?
提交回复
热议问题