Problem description
Is there any way to pass extra authenticated attributes for a PKCS#7 signed message using openssl? I'm stuck with the command-line.
I'm currently using:
openssl smime -sign -outform DER -md sha1 -binary -signer my.crt -inkey my.key
I did not find any relevant option in openssl cli help.
More information:
I'm currently trying to build a SCEP (http://tools.ietf.org/pdf/draft-nourse-scep-23.pdf) server in NodeJS.
SCEP spec requires to build PKCS#7 signed pkiMessages,
The SignerInfo MUST contain a set of authenticatedAttributes (see PKCS#7 [RFC2315] Section 9.2 as well as Section 3.1.1 in this document). All messages MUST contain
* an SCEP transactionID attribute
* an SCEP messageType attribute
* an SCEP senderNonce attribute
* any attributes required by PKCS#7 [RFC2315] Section 9.2
If the message is a response, it MUST also include
Currently my only option has been to wrap openssl functionality through child_process.spawn.
Recommended answer
Unfortunately, it is not possible to add custom attributes to a signed message from the OpenSSL command line (neither with the smime nor the cms command). If you want to add some custom attributes you will have to use the OpenSSL API.
The main steps are:
- call CMS_sign to create a CMS_ContentInfo
- create a SignerInfo with CMS_add1_signer
- add the attributes to this signer with CMS_signed_add1_attr_by_OBJ
- sign with CMS_final()
More details here: http://www.openssl.org/docs/crypto/CMS_sign.html