The following command is used to sign a string via openssl:
smime -sign -signer cert.crt -inkey key.key -engine gost -binary -noattr
Given a .cer file that was said to contain the key within itself, how do I execute the same command?
I'd assume 2 options:
- Rewrite the command to use internal key
- Convert .cer file to .crt and extract .key from it to be used w/o rewriting existing command
Update:
The file insides are as follows:
(using openssl x509 -in cert.cer -noout -text, replaced sensitive data with X_X_X):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            X_X_X
        Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
        Issuer: X_X_X
        Validity
            X_X_X
            X_X_X
        Subject: X_X_X
        Subject Public Key Info:
            Public Key Algorithm: GOST R 34.10-2012 with 256 bit modulus
            Unable to load Public Key
842D0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:crypto\x509\x_pubkey.c:458:
842D0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:crypto\x509\x_pubkey.c:458:
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Subject Alternative Name:
                othername: title::<unsupported>
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, 1.2.643.2.1.6.8.5, 1.2.643.3.61.502710.1.6.3.2, 1.2.643.3.251.1.1, 1.2.643.3.251.3
            X509v3 Certificate Policies:
                Policy: Class of Signing Tool KC1
            1.2.643.100.114:
                ...
            Signing Tool of Subject:
                X_X_X
            Signing Tool of Issuer:
                signTool    : X_X_X
                cATool      : X_X_X
                signToolCert: X_X_X
                cAToolCert  : X_X_X
            X509v3 CRL Distribution Points:
                Full Name:
                    X_X_X
                Full Name:
                    X_X_X
            Authority Information Access:
                CA Issuers - X_X_X
                CA Issuers - X_X_X
            X509v3 Subject Key Identifier:
                X_X_X
            X509v3 Authority Key Identifier:
                keyid:X_X_X
                DirName:X_X_X
                serial:X_X_X
    Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
    Signature Value:
        X_X_X
CodePudding user response:
I guess there are several things to be noted.
The file suffix
First of all, it should be noted that there is nothing like "a .crt or .cer file" as suggested in the question. These are just file suffixes from which you cannot derive the actual file format.
For example, a .cer file created in Windows will usually be in DER (binary) format, while openssl defaults to PEM (base-64 text) format. The very same is true for .crt, which is just a more commonly used suffix in Windows. Other suffixes are .der and .pem, which suggest that their suffix and format match.
openssl can handle both formats. You can let openssl know the input format using the -inform der or -inform pem option.
The private key
I assume you want to sign an email message, because you are using the smime option (although you speak of signing a string, but that may just be the same in your context).
In order to sign a message, you need a private key. Private S/MIME certificates include the private key, so it should not be necessary to extract the key first. Just do not use the -inkey option.
Quoted from the openssl smime docs:
If this option is not specified then the private key must be included in the certificate file specified with the -recip or -signer file.
To create a cleartext signed message using a certificate in PEM format, use
openssl smime -sign -in message.txt -text -out mail.msg -signer cert.crt
If the certificate file you have is not in PEM, but in DER format, simply use the -inform option like so:
openssl smime -sign -in message.txt -text -out mail.msg -signer cert.crt -inform der
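As an added example (not code from the question or the answer), a small POSIX shell helper that tells DER from PEM by the first bytes of the file, checks whether a PEM file also bundles a PRIVATE KEY block, and prints the x509 conversion and smime invocation that the discussion arrives at; the sample files it writes are constructed stand-ins, not real certificates, and the key file name passed to it is hypothetical.

```shell
# Added example, not code from the question or the answer. Tells DER from PEM
# by the first bytes, checks whether a PEM file also bundles a private key,
# and prints the openssl commands the discussion above arrives at.
cert_format() {
    # PEM is base64 text inside "-----BEGIN ..." armour; DER is raw ASN.1,
    # and a DER certificate always starts with a SEQUENCE tag (byte 0x30).
    if head -c 10 "$1" | grep -q -e '^-----BEGIN'; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = 30 ]; then
        echo der
    else
        echo unknown
    fi
}
has_private_key() {
    # Only PEM can hold several objects in one file; a DER .cer holds exactly
    # one structure (the certificate), so it never carries the key.
    [ "$(cert_format "$1")" = pem ] && grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$1"
}
sign_plan() {
    # $1 = certificate file, $2 = separate key file (optional). Prints the
    # commands to run, one per line; fails when no private key is available.
    cert=$1
    if [ "$(cert_format "$cert")" = der ]; then
        [ -n "$2" ] || { echo "error: $1 is DER, so it carries no private key" >&2; return 1; }
        echo "openssl x509 -inform der -in $cert -out ${cert%.*}.crt"
        cert=${cert%.*}.crt
    fi
    keyopt=""
    if [ -n "$2" ]; then
        keyopt=" -inkey $2"
    elif ! has_private_key "$cert"; then
        echo "error: $cert has no PRIVATE KEY block; pass a key file" >&2
        return 1
    fi
    echo "openssl smime -sign -signer $cert$keyopt -engine gost -binary -noattr"
}
make_samples() {
    # Constructed stand-ins for the demo (not valid certificates): a PEM cert,
    # a PEM cert+key bundle, and the first four bytes of a DER encoding.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' MIIB '-----END CERTIFICATE-----' > "$1/cert_only.crt"
    { cat "$1/cert_only.crt"; printf '%s\n' '-----BEGIN PRIVATE KEY-----' MIGE '-----END PRIVATE KEY-----'; } > "$1/bundle.pem"
    printf '\060\202\001\000' > "$1/cert.cer"
}
d=$(mktemp -d); make_samples "$d"
for f in cert_only.crt bundle.pem cert.cer; do echo "$f: $(cert_format "$d/$f")"; done
sign_plan "$d/bundle.pem"
sign_plan "$d/cert.cer" "$d/key.key"
sign_plan "$d/cert_only.crt" || echo "(refused: cert_only.crt has no key)"
```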