Add authenticated/signed attributes with custom oids to PKCS#7 signing?
15-07-2021
Question
Is there any way to pass extra authenticated attributes for a PKCS#7 signed message using openssl? I'm stuck with the command-line.
I'm currently using:
openssl smime -sign -outform DER -md sha1 -binary -signer my.crt -inkey my.key
I did not find any relevant option in openssl cli help.
More info:
I'm currently trying to build a SCEP (http://tools.ietf.org/pdf/draft-nourse-scep-23.pdf) server in NodeJS.
The SCEP spec requires building PKCS#7 signed pkiMessages:
The SignerInfo MUST contain a set of authenticatedAttributes (see PKCS#7 [RFC2315] Section 9.2 as well as Section 3.1.1 in this document). All messages MUST contain
* an SCEP transactionID attribute
* an SCEP messageType attribute
* an SCEP senderNonce attribute
* any attributes required by PKCS#7 [RFC2315] Section 9.2
If the message is a response, it MUST also include
Currently my only option has been to wrap openssl functionality through child_process.spawn.
Solution
Unfortunately, it is not possible to add custom attributes to a signed message from the OpenSSL command line (neither with the smime nor the cms command). If you want to add some custom attributes you will have to use the OpenSSL API.
The main steps are:
- call CMS_sign to create a CMS_ContentInfo
- create a SignerInfo with CMS_add1_signer
- add the attributes to this signer with CMS_signed_add1_attr_by_OBJ
- sign with CMS_final()
More details here: http://www.openssl.org/docs/crypto/CMS_sign.html