Can SSL cert be used to digitally sign files?

2019-06-20 08:19发布

站内问答 / 后端开发
1766 3 4

I want to ask a thing about digital signing I am not very sure. Instead of creating a self signed certificate to use to sign some (PDF) files, I wanted to take my SSL cert which have my data already verified.

But the question is: Can a SSL cert be used to digital sign files or is it incompatible in some manner?

EDIT: To clarify, this question is not about how to sign PDFs, is only about if a SSL cert can be used (or converted in any way) to sign files.

3条回答
啃猪蹄的小仙女
2楼-- · 2019-06-20 09:04

To support digital signing certificate must have digitalSignature option in it's keyUsage field (and codeSigning option in it's extendedKeyUsage field if your want to sign programs with it).

Signing may be done with existing tools or manually (java example, you are not asking for it, but this code snippet might be useful anyway):

byte[] bytesToSign = loadMyData();
KeyStore ks = KeyStore.getInstance("pkcs12", "SunJSSE");
ks.load(new FileInputStream("cert.p12"), "passwd1".toCharArray());
PrivateKey privateKey = (PrivateKey) ks.getKey("myalias", "passwd2".toCharArray());
Signature sig = Signature.getInstance("SHA1withRSA", ks.getProvider());
sig.initSign(privateKey);
sig.update(bytesToSign);
byte[] signature = sig.sign();

To make your own not self-signed certificate with openssl see this SO answer.

Also curious about signing PDF's - aren't separate hash sums of these files enough in your case?

edit: if you want any sign, not exactly X.509 sign by existing tools, you can extract RSA key from your cert and do signing without bothering about keyUsage field.

查看更多
0人赞 添加讨论(0) 举报
我欲成王,谁敢阻挡
3楼-- · 2019-06-20 09:16

Yes, you can sign and verify the signature of files using SSL certificates

Here is an example:

SSLCERT='/XXXX/ssl/certs/fqdn.pem'
SSLKEY='/XXXX/ssl/private_keys/fqdn.pem'
# You might not need to specify a CA
CACERTFILE='/XXXX/ssl/certs/ca.pem'
# File to sign
FILE='YYYYYYY'

# Signs, needs ${SSLKEY} and ${FILE}
openssl dgst -sha512 -sign ${SSLKEY} -out ${FILE}.sha512 ${FILE}

# Then transfer the following files to another server:
#  - ${CACERTFILE}
#  - ${SSLCERT}
#  - ${FILE}
#  - ${FILE}.sha512

# Check the certificate is valid
openssl verify -verbose -CAfile ${CACERTFILE} ${SSLCERT}
# Extract the pub key from the cert
openssl x509 -in ${SSLCERT} -pubkey -noout > ${SSLCERT}.pub
# Check the signature
openssl dgst -sha512 -verify ${SSLCERT}.pub -signature ${FILE}.sha512 ${FILE}
查看更多
0人赞 添加讨论(0) 举报
孤傲高冷的网名
4楼-- · 2019-06-20 09:21

At the core, the certificate is just a normal RSA public key that's been signed by several authorities.

So yes, definitely possible.

Though I don't know of any easy-to-use widespread tools for the end-user for this.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)