On Fri, May 15, 2009, Lasse Kliemann wrote:

> * Message by -Dr. Stephen Henson- from Thu 2009-05-14:
> 
> > It does sound like S/MIME does exactly what you want using a detached
> > signature. That would be preferable as opposed to inventing an incompatible
> > version with possible security issues.
> 
> Ok, so how do I generate such a detached signature? I tried the 
> following:
> 
> $ echo foo > doc
> $ openssl smime -sign -signer cert.pem -inkey privkey.pem \
>           -binary -outform pem -in doc -out doc.pem
> 
> 'cert.pem' contains a self-signed certificate, which I created for 
> testing.  Now, as far as I understood, the above command results 
> in a PEM formatted PKCS#7 structure being in 'doc.pem'. It can in 
> fact be verified okay using: 
> 
> $ openssl smime -verify -inform pem -content doc -in doc.pem -noverify
> 
> (It does not work when I omit '-binary', which took me a long 
> time to discover, since my document is a text file. Obviously, it 
> is still needed.)
> 
> Now, my original goal was to omit the certificate, so I created 
> the PKCS#7 thing with the additional option '-nocerts'. Indeed, 
> the resulting 'doc.pem' is smaller. However, verification seems 
> to require '-certfile cert.pem' now, which in turn requires that 
> the recipient knows which certificate to use.
> 
> Does the PKCS#7 structure that is created with '-nocerts' contain 
> any hint concerning the certificate needed for verification? If 
> so, how can it be extracted? Earlier, you wrote: "In PKCS#7 the 
> only permissible identifier is the issuer name and serial 
> number." So, it appears that I can hope for that information 
> (issuer name and serial number) at best.
> 
> Am I following the right trail, or did you mean something 
> different by "detached signature"? 
> 

The -certfile option can contain a whole load of certificates and the hint in
the PKCS#7 structure will be used to locate the correct one. 

The cms utility permits the use of the key identifier option too. While
the command line utility has rather limited search capabilities (it is only a
sample application after all) the API is more extensive.

For example see the manual page:

http://www.openssl.org/docs/crypto/CMS_get0_SignerInfos.html

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
