Is it possible to sign data in Node.js “native” from
command: openssl cms -sign -signer ${cert} -inkey ${key} -nodetach -binary -outform DER -md SHA256 -des -in ${content}
I am programming with Linux to encrypt a .txt file. I should encrypt a s2 chaine with a given PKI encryption key using RSA in
RSA/ECB/PKCS1Padding mode.
I have excecuted the following commands:
openssl rsautl -encrypt -pkcs -inkey Key.pem -pubin -in s2.txt -out rsa_4096.bin
openssl -encrypt -e -base64 -in rsa_4096.bin -out s2encrypted.txt
There is a problem with the padding mode.
I have an application signed twice using openssl smime. like shown below in a script:
SRC_FILE="my-app"
echo "signature XYZ..."
openssl smime -sign \
-in ${SRC_FILE} -binary \
-out ${SRC_FILE}.sig1 -nodetach \
-signer ${SIGN_CERT} -inkey ${SIGN_KEY}
echo "NB signature..."
openssl smime -sign \
-in ${SRC_FILE}.sig1 -binary \
-out ${SRC_FILE}.sig2 -nodetach \
-signer ${NB_SIGN_CERT} -inkey ${NB_SIGN_KEY}
I am trying to verify the signed application using :
openssl smime -verify -in ${SRC_FILE}.sig2 -CAfile ./Root_CA.crt -out ${SRC_FILE}.out
As an output of verify I am getting equivalent to ${SRC_FILE}.sig1 but my intention is to get original my-app.
If I am running verify command twice then eventually I am able to receive my-app.
I wanted to ask is there any flag which internally call recursively to produce original signed file.
I have prepared an application and website where the customer can set several options for this application before he downloads it. Settings are stored in binary format on the end of the file (appended), then the edited file is sent to the end user. The problem is that the change of "contents" of the file will break the file signature - is there any chance to re-sign this changed file with any command line tools? I've tried to use Microsoft's SignTool, but it does not work properly on Linux.
You can try osslsigncode
To sign an EXE or MSI file you can now do:
osslsigncode sign -certs <cert-file> -key <der-key-file> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-in yourapp.exe -out yourapp-signed.exe
or if you are using a PEM or PVK key file with a password together
with a PEM certificate:
osslsigncode sign -certs <cert-file> \
-key <key-file> -pass <key-password> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-in yourapp.exe -out yourapp-signed.exe
or if you want to add a timestamp as well:
osslsigncode sign -certs <cert-file> -key <key-file> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-t http://timestamp.verisign.com/scripts/timstamp.dll \
-in yourapp.exe -out yourapp-signed.exe
You can use a certificate and key stored in a PKCS#12 container:
osslsigncode sign -pkcs12 <pkcs12-file> -pass <pkcs12-password> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-in yourapp.exe -out yourapp-signed.exe
To sign a CAB file containing java class files:
osslsigncode sign -certs <cert-file> -key <key-file> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-jp low \
-in yourapp.cab -out yourapp-signed.cab
It's actually quite straight forward to do using Mono's signtool; the tricky part (described in more detail in the linked Mozilla article) is copying the certificate in the correct format from Windows to Linux.
Converting the Windows PFX certificate file to PVK and SPC files, only needs to be done once when copying the certificate from Windows to Linux;
openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
Actually signing the exe is straight forward;
signcode \
-spc authenticode.spc \
-v authenticode.pvk \
-a sha1 -$ commercial \
-n My\ Application \
-i http://www.example.com/ \
-t http://timestamp.digicert.com/scripts/timstamp.dll \
-tr 10 \
MyApp.exe
If you want to do that programmatically in runtime you can usee Jsign tool. Especially it could be quite helpful when you generate self-executable archive on the backend by request signing it after. And you do that using Java/Kotlin obviously (name of the tool is suggesting). Here is API provided from the official site:
Simply add this dependency to the project:
<dependency>
<groupId>net.jsign</groupId>
<artifactId>jsign-core</artifactId>
<version>3.1</version>
</dependency>
and then use the AuthenticodeSigner class like this:
KeyStore keystore = KeyStoreUtils.load(newFile("keystore.p12"), "PKCS12", "password", null);
AuthenticodeSigner signer = new AuthenticodeSigner(keystore, "test", "secret"); signer.withProgramName("My Application")
.withProgramURL("http://www.example.com")
.withTimestamping(true)
.withTimestampingAuthority("http://timestamp.comodoca.com/authenticode");
Signable file = Signable.of(new File("application.exe"));
signer.sign(file);
See the Javadoc for more details about the API.
Besides signing via Java KeyStore AuthenticodeSigner has (Certificate, PrivateKey) constructor and you can freely use it like I did in my "Spring on Kotlin" backend:
#Bean
fun certsChain(): Array<Certificate> {
val fact: CertificateFactory = CertificateFactory.getInstance("X.509")
val `is` = ResourceUtil.getResourceFileAsInputStream("cert/certificate.pem")
val cer: X509Certificate = fact.generateCertificate(`is`) as X509Certificate
return arrayOf(cer)
}
#Bean
fun privateKey(): PrivateKey {
var key = ResourceUtil.getResourceFileAsString("cert/privateKey.pem")
key = key.replace("-----BEGIN PRIVATE KEY-----", "")
key = key.replace("\n", "")
key = key.replace("-----END PRIVATE KEY-----", "")
val encoded = Base64.getDecoder().decode(key)
val kf = KeyFactory.getInstance("RSA")
val keySpec = PKCS8EncodedKeySpec(encoded)
return kf.generatePrivate(keySpec) as RSAPrivateKey
}
#Bean
fun signer(
certs: Array<Certificate>,
privateKey: PrivateKey
): AuthenticodeSigner =
AuthenticodeSigner(certs, privateKey)
.withProgramName("Your Company Name")
.withProgramURL("https://something.com")
.withTimestamping(true)
.withTimestampingAuthority("http://timestamp.comodoca.com/authenticode");
after, you can just #Autowire the signer bean and call its method sign() with the required file
Would I have to make any changes to these linux commands to make it work on windows? Do all the pipes and redirects work as they do on linux?
openssl genrsa -out key.pem
openssl rsa -in key.pem -pubout > key.pub
openssl rsa -pubin -modulus -noout < key.pub
#
# to decrypt mess.enc (message encrypted via javascript)
cat mess.enc | openssl base64 -d | openssl rsautl -inkey key.pem -decrypt
I expect I must swap cat for type, and I am hoping the rest will work as it is. Can anyone confirm this?
Equivalent of cat on Windows will be of great help. Rest of the commands are same and should work fine on Windows.
Equivalent of cat on Windows
openssl
cat key.pem
type key.pem
cat=type