Faq openssl

Posted in Digital signature, Faq, System administrator

Extracting the contents of a digitally signed file (p7m)

Let’s consider the case where the signed document is a pdf (document.pdf.p7m).

To extract the content file we use the openssl command with the smime subcommand in signature-verification mode (-verify). The -noverify option skips validation of the signer's certificate chain, so this only unpacks the content and does not tell you whether the signature is trustworthy:

openssl smime -verify -noverify -in document.pdf.p7m -inform DER -out document.pdf

For more information, see the article

Extracting the certificate from a digitally signed file (p7m)

Let’s consider the case where the signed document is a pdf (document.pdf.p7m).

To extract the certificate used to sign the p7m we use the openssl command with the pkcs7 subcommand:

openssl pkcs7 -inform DER -in document.pdf.p7m -print_certs -out cert.pem

The certificate will be extracted into the cert.pem file. To display it in readable text form, use the x509 subcommand:

openssl x509 -in cert.pem -text -noout

For more information, see the article

Checking the signature of a p7m document

Consider the case where the signed document is a pdf (document.pdf.p7m).

To verify the signature and extract the content file, we use the openssl command with the smime subcommand in signature-verification mode (-verify), this time giving it the CA certificates to check the signer's chain against:

openssl smime -in document.pdf.p7m -inform DER -verify -CAfile CA.pem -out document.pdf

where CA.pem contains the CA certificate (Certificate Authority) that issued the certificate in the p7m.

For more information, see the article

Trusted certificate authorities for digital signatures

If you try to verify the signature of a p7m file without the Certification Authority (CA) certificates, verification fails (“unable to load certificate“) because we do not have the CA trust certificates (the so-called trust anchors).
These Certificate Authorities are defined by Italian law and are registered with CNIPA (which became DigitPA in December 2009), which publishes their certificates as a signed XML trusted list (TSL) on its site at https://applicazioni.cnipa.gov.it/TSL/_IT_TSL_signed.xml.
To have openssl use them, convert them into its own (PEM) format as follows:

wget -O - https://applicazioni.cnipa.gov.it/TSL/_IT_TSL_signed.xml | perl -ne 'if (/<X509Certificate>/) {
    s/^\s+//; s/\s+$//;            # strip leading and trailing whitespace
    s/<\/*X509Certificate>//g;     # drop the opening and closing tags, leaving the base64 body
    print "-----BEGIN CERTIFICATE-----\n";
    while (length($_)>64) {        # re-wrap the base64 at 64 columns, as PEM expects
        print substr($_,0,64)."\n";
        $_=substr($_,64);
    }
    print $_."\n";
    print "-----END CERTIFICATE-----\n";
}' >CA.pem

This way we have all the certificates in a single CA.pem file, unfortunately including those that may have expired. That can still be useful, though: we may need to verify an old file that was signed while such a CA was still valid, so keeping the expired certificates serves that case. Note that this pipeline extracts every certificate in the list without checking the XML signature on the TSL itself, so fetch it over a trusted channel.
For more information, see the article

For script updates, please visit https://github.com/eniocarboni/getTrustCAP7m
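The three FAQ steps above, run end to end as an added example (not part of the original post or the getTrustCAP7m script): it builds a throwaway CA, a signer certificate and a signed document.pdf.p7m as constructed test data, then shows that -noverify extracts the content without any trust decision, while -CAfile succeeds only when the signer chains to the given bundle.

```shell
#!/bin/sh
# Added example, not part of the original post: builds a throwaway CA, a signer
# cert and a signed document.pdf.p7m (constructed test data), then runs the FAQ steps.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
make_fixture() {
  # self-signed demo CA
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out CA.pem \
    -subj "/CN=Demo CA" -days 30 2>/dev/null
  # signer certificate issued by that CA
  openssl req -newkey rsa:2048 -nodes -keyout signer.key -out signer.csr \
    -subj "/CN=Demo Signer" 2>/dev/null
  openssl x509 -req -in signer.csr -CA CA.pem -CAkey ca.key -CAcreateserial \
    -out signer.pem -days 30 2>/dev/null
  # an unrelated CA, to show verification failing against the wrong trust anchor
  openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
    -subj "/CN=Unrelated CA" -days 30 2>/dev/null
  # placeholder "pdf" bytes, signed as an enveloping (-nodetach) DER p7m
  printf '%%PDF-1.4 constructed demo content\n' > document.pdf
  openssl smime -sign -binary -nodetach -in document.pdf -signer signer.pem \
    -inkey signer.key -outform DER -out document.pdf.p7m
}
# Step 1: extract the content with no trust check (-noverify); returns 0 if the
# extracted bytes match the original document.
extract_only() {
  openssl smime -verify -noverify -in document.pdf.p7m -inform DER \
    -out extracted.pdf 2>/dev/null
  [ "$(cat extracted.pdf)" = "$(cat document.pdf)" ]
}
# Step 2: pull the signer certificate out of the p7m and print its subject.
signer_subject() {
  openssl pkcs7 -inform DER -in document.pdf.p7m -print_certs -out cert.pem
  openssl x509 -in cert.pem -noout -subject
}
# Step 3: full verification against a CA bundle; exit status 0 means the
# signature is valid AND the signer chains to a certificate in that bundle.
verify_with() {
  openssl smime -verify -in document.pdf.p7m -inform DER -CAfile "$1" \
    -out /dev/null 2>/dev/null
}

make_fixture
extract_only && echo "content extracted (no trust check)"
signer_subject
verify_with CA.pem && echo "trusted: signer chains to CA.pem"
verify_with other.pem || echo "rejected: signer does not chain to other.pem"
```

The same verify_with call with the real CA.pem built from the TSL is what decides whether a production p7m is trusted; -noverify alone never does.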
