On 24/06/2015 11:51, Rishi Pathak wrote:
> The OpenSSL CMS command requires the actual data to be provided as an input for creating CMS signed data type.
>
> But what we have is only the signature and the certificate. Is there a way to create CMS signed data without requiring the original document? What we want is to only create and not sign, as we already have a signature on the hash of the document.
>
> One way we thought of was to use genconf of the asn1parse command, i.e. create a configuration file for CMS in the format required by it. But not much help is available on that front.
>
> Any thoughts, links are welcome.

First of all, you are not limited to the command line tools in the openssl utility. OpenSSL is first and foremost a programming library and the command line tools are just a (big) taste of what you can do with that library.

Second, what you really want is probably one of the following:

 * To verify a CMS (PKCS#7) signature on a short message containing a
   hash of the rest of the document.  In this case, verifying the
   signature and checking if the document hash matches the contents of
   the short message are already different steps, with the CMS API
   and/or the "openssl cms" command doing the verification of the
   signature only.
 * To verify a "detached" CMS signature on the document hash.
   Internally, this is actually a special form of a signature on a
   short message like above, but you may need to look deeper at the API
   to find the sequence of calls which verifies this separately from
   the step of computing a hash of the rest of the document.
   Unfortunately, this is not currently exposed by the "openssl cms" or
   "openssl smime" command, though it is often a useful first step, for
   instance if you download the signature before the signed file.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
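
Added example, not part of the original thread and not OpenSSL code: in CMS (RFC 5652) a signer's signed attributes carry a messageDigest attribute holding the hash of the content, so the "does the document hash match" step from the reply can be done separately from verifying the signature over those attributes. This standard-library Python sketch does only that comparison. It assumes DER input and SHA-256 as the digest algorithm, and the function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
# DER-encoded OIDs from RFC 5652: id-messageDigest, id-contentType, id-data
OID_MESSAGE_DIGEST = bytes.fromhex("06092a864886f70d010904")
OID_CONTENT_TYPE = bytes.fromhex("06092a864886f70d010903")
OID_DATA = bytes.fromhex("06092a864886f70d010701")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos (single-byte tags)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length: not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, pos, pos + length

def find_message_digest(buf, start=0, end=None):
    """Depth-first walk; return the first messageDigest attribute value, or None."""
    pos = start
    end = len(buf) if end is None else end
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if tag == 0x30 and buf[vs:vs + 11] == OID_MESSAGE_DIGEST:
            # Attribute ::= SEQUENCE { OID, SET OF value }; value is an OCTET STRING
            _, set_start, _ = read_tlv(buf, vs + 11)
            _, ds, de = read_tlv(buf, set_start)
            return buf[ds:de]
        if tag & 0x20:  # constructed element: descend into it
            found = find_message_digest(buf, vs, ve)
            if found is not None:
                return found
        pos = ve
    return None

def digest_matches(cms_der, document):
    """Compare the signed messageDigest with SHA-256 of the document (assumed algorithm)."""
    md = find_message_digest(cms_der)
    return md is not None and hmac.compare_digest(md, hashlib.sha256(document).digest())

def der(tag, value):  # tiny encoder for values under 128 bytes, only for the sample
    return bytes([tag, len(value)]) + value

# Constructed sample: a signedAttrs SET with contentType and messageDigest attributes
DOCUMENT = b"constructed sample document\n"
MD_ATTR = der(0x30, OID_MESSAGE_DIGEST + der(0x31, der(0x04, hashlib.sha256(DOCUMENT).digest())))
SIGNED_ATTRS = der(0x31, der(0x30, OID_CONTENT_TYPE + der(0x31, OID_DATA)) + MD_ATTR)
```

A match here says nothing about authenticity until the signature over the signed attributes has itself been verified against the signer's certificate.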
