Question

Is there any way to pass extra authenticated attributes for a PKCS#7 signed message using openssl? I'm stuck with the command-line.

I'm currently using:

openssl smime -sign -outform DER -md sha1 -binary -signer my.crt -inkey my.key

I did not find any relevant option in the openssl CLI help.


More info:

I'm currently trying to build a SCEP (http://tools.ietf.org/pdf/draft-nourse-scep-23.pdf) server in NodeJS.

The SCEP spec requires building PKCS#7 signed pkiMessages:

The SignerInfo MUST contain a set of authenticatedAttributes (see PKCS#7 [RFC2315] Section 9.2 as well as Section 3.1.1 in this document). All messages MUST contain
* an SCEP transactionID attribute
* an SCEP messageType attribute
* an SCEP senderNonce attribute
* any attributes required by PKCS#7 [RFC2315] Section 9.2

If the message is a response, it MUST also include

Currently my only option has been to wrap openssl functionality through child_process.spawn.


Solution

Unfortunately, it is not possible to add custom attributes to a signed message from the OpenSSL command line (neither with the smime nor the cms command). If you want to add some custom attributes you will have to use the OpenSSL API.

The main steps are:

  • call CMS_sign to create a CMS_ContentInfo
  • create a SignerInfo with CMS_add1_signer
  • add the attributes to this signer with CMS_signed_add1_attr_by_OBJ
  • sign with CMS_final()

More details here: http://www.openssl.org/docs/crypto/CMS_sign.html

Licensed under: CC-BY-SA with attribution