Token Signing with OpenSSL

While Fedora has standardised on NSS for security services, a large swath of the world uses OpenSSL. Here are roughly comparable steps to sign a message with OpenSSL as I previously posted using NSS.

UPDATED: the format of the message is now as small as possible and still compatible with the NSS version. Also, the verification code was wrong before.

I followed the steps here to generate a signing certificate.

To sign a message:

	openssl cms  -sign -in auth_token.json  -nosmimecap  -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts  -noattr -out auth_token.signed

And to Verify

	openssl cms -verify -in auth_token.signed  -certfile cert.pem -out signedtext.txt -CAfile cacert.pem  -inform DER

I put the whole thing into a makefile.

TARGETS = private/cakey.pem  cacert.pem req.pem req.pem cert.pem


all: $(TARGETS)

cacert.pem  : private/cakey.pem 

private/cakey.pem : private
	openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

private : 
	mkdir -p private

req.pem:
	openssl req -new -nodes -out req.pem -config ./openssl.cnf



cert.pem : req.pem newcerts index.txt 
	openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem

newcerts:
	mkdir newcerts

index.txt :
	echo '01' >serial
	touch index.txt

# Old version
#auth_token.signed : cert.pem auth_token.json
#	openssl cms -sign -in auth_token.json -text -out auth_token.signed -signer cert.pem -inkey key.pem 



# New Version
auth_token.signed : cert.pem auth_token.json
	openssl cms  -sign -in auth_token.json  -nosmimecap  -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts  -noattr -out auth_token.signed

Old version, broken
#verify:
#	openssl cms -verify -in auth_token.signed  -signer cert.pem -out signedtext.txt -CAfile cacert.pem


verify:
	openssl cms -verify -in auth_token.signed  -certfile cert.pem -out signedtext.txt -CAfile cacert.pem  -inform DER
display: $(TARGETS)
	openssl x509 -in cacert.pem -noout -text 
	openssl x509 -in cacert.pem -noout -dates 
	openssl x509 -in cacert.pem -noout -purpose 
	openssl req -in req.pem -text -verify -noout


clean:
	rm -f $(TARGETS)


UPDATE: Here is openssl.cnf my Configuration file for OpenSSL


#
# OpenSSL configuration file.
#

# Establish working directory.

dir			= .

[ ca ]
default_ca		= CA_default

[ CA_default ]
serial			= $dir/serial
database		= $dir/index.txt
new_certs_dir		= $dir/newcerts
certificate		= $dir/cacert.pem
private_key		= $dir/private/cakey.pem
default_days		= 365
default_md		= md5
preserve		= no
email_in_dn		= no
nameopt			= default_ca
certopt			= default_ca
policy			= policy_match

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
default_bits		= 1024			# Size of keys
default_keyfile		= key.pem		# name of generated keys
default_md		= md5			# message digest algorithm
string_mask		= nombstr		# permitted characters
distinguished_name	= req_distinguished_name
req_extensions		= v3_req

[ req_distinguished_name ]
# Variable name		  Prompt string
#----------------------	  ----------------------------------
0.organizationName	= Organization Name (company)
organizationalUnitName	= Organizational Unit Name (department, division)
emailAddress		= Email Address
emailAddress_max	= 40
localityName		= Locality Name (city, district)
stateOrProvinceName	= State or Province Name (full name)
countryName		= Country Name (2 letter code)
countryName_min		= 2
countryName_max		= 2
commonName		= Common Name (hostname, IP, or your name)
commonName_max		= 64

# Default values for the above, for consistency and less typing. 
# Variable name   Value 
#------------------------------   ------------------------------ 
0.organizationName_default = Red Hat, Inc
localityName_default = Westford
stateOrProvinceName_default = Massachusetts
countryName_default = US 


[ v3_ca ]
basicConstraints	= CA:TRUE
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer:always

[ v3_req ]
basicConstraints	= CA:FALSE
subjectKeyIdentifier	= hash

Leave a Reply

Your email address will not be published. Required fields are marked *