Extracting the contents of a digitally signed file (p7m)
Let’s consider the case where the signed document is a pdf (document.pdf.p7m).
To extract the content file we use the openssl command with the smime parameter for signature verification (-verify); the -noverify flag skips verification of the signer's certificate, so this only unwraps the payload and proves nothing about who signed it:
openssl smime -verify -noverify -in document.pdf.p7m -inform DER -out document.pdf
For more information, see the article
Extracting the certificate from a digitally signed file (p7m)
Let’s consider the case where the signed document is a pdf (document.pdf.p7m).
To extract the certificate used to sign the p7m we use the openssl command with the pkcs7 subcommand:
openssl pkcs7 -inform DER -in document.pdf.p7m -print_certs -out cert.pem
The certificate is extracted into the cert.pem file. To display the certificate in readable text form, use the x509 command:
openssl x509 -in cert.pem -text -noout
For more information, see the article
Checking the signature of a p7m document
Consider the case where the signed document is a pdf (document.pdf.p7m).
To verify the signature and extract the content file, we use the openssl command with the smime parameter for signature verification (-verify):
openssl smime -in document.pdf.p7m -inform DER -verify -CAfile CA.pem -out document.pdf
where CA.pem contains the CA certificate (Certificate Authority) that issued the certificate in the p7m.
For more information, see the article
Trusted certificate authorities for digital signatures
If you try to verify the signature of a p7m file without the Certification Authority (the CA), the verification fails ("unable to load certificate") because we do not have the CA trust certificates (the so-called trust anchors).
These Certificate Authorities are defined by Italian law and are registered with CNIPA, which since December 2009 has become DigitPA; they are published as a signed XML list of certificates (TSL) on the same site at https://applicazioni.cnipa.gov.it/TSL/_IT_TSL_signed.xml.
To have openssl use them you have to convert them to its PEM format, like so:
wget -O - https://applicazioni.cnipa.gov.it/TSL/_IT_TSL_signed.xml | perl -ne 'if (/<X509Certificate>/) {
    s/^\s+//; s/\s+$//;            # trim surrounding whitespace
    s/<\/*X509Certificate>//g;     # strip the XML tags, leaving the base64 body
    print "-----BEGIN CERTIFICATE-----\n";
    while (length($_)>64) {        # re-wrap the base64 at 64 columns as PEM requires
        print substr($_,0,64)."\n";
        $_=substr($_,64);
    }
    print $_."\n";
    print "-----END CERTIFICATE-----\n";
}' >CA.pem
This way we have all the certificates in a single CA.pem file, unfortunately including those that may have expired. Even if a certificate has expired, we may still need to verify an old file signed while it was valid, so keeping the expired ones in the bundle is useful too.
For more information, see the article
For script updates, please visit https://github.com/eniocarboni/getTrustCAP7m