Is there any way to pass extra authenticated attributes for a PKCS#7 signed message using openssl? I'm stuck with the command-line.
I'm currently using:
openssl smime -sign -outform DER -md sha1 -binary -signer my.crt -inkey my.key
I did not find any relevant option in the openssl CLI help.
More info:
I'm currently trying to build a SCEP (http://tools.ietf.org/pdf/draft-nourse-scep-23.pdf) server in NodeJS.
The SCEP spec requires building PKCS#7 signed pkiMessages:
The SignerInfo MUST contain a set of authenticatedAttributes (see PKCS#7 [RFC2315] Section 9.2 as well as Section 3.1.1 in this document).
All messages MUST contain
* an SCEP transactionID attribute
* an SCEP messageType attribute
* an SCEP senderNonce attribute
* any attributes required by PKCS#7 [RFC2315] Section 9.2
If the message is a response, it MUST also include
Currently my only option has been to wrap openssl functionality through child_process.spawn.
Unfortunately, it is not possible to add custom attributes to a signed message from the OpenSSL command line (neither with the smime nor the cms command). If you want to add some custom attributes you will have to use the OpenSSL API.
The main steps are:
* CMS_sign to create a CMS_ContentInfo
* CMS_add1_signer
* CMS_signed_add1_attr_by_OBJ
* CMS_final()
More details here: http://www.openssl.org/docs/crypto/CMS_sign.html