Using a script to load an engine in Openssl and use it to sign a file - bash

I want to sign a file using the private key on a smartcard.
Using these commands:
openssl
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
dgst -engine pkcs11 -sign slot_0-id_1 -keyform engine -sha256 -out signature.bin textToSign.txt
quit
it works perfectly in the terminal.
I would like to write a little script which signs a file using these commands.
It looks like this:
#!/bin/bash
openssl engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
openssl dgst -engine pkcs11 -sign slot_0-id_1 -keyform engine -sha256 -out signature.bin textToSign.txt
The problem is that the engine is not present for use in the dgst command.
Is it possible to start an openssl session in a script and execute these two commands?

You can use the bash 'here document' functionality (<<) in your script:
#!/bin/bash
openssl << EOT
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
dgst -engine pkcs11 -sign slot_0-id_1 -keyform engine -sha256 -out signature.bin textToSign.txt
quit
EOT
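A fuller version of that script, added here as an example (not code from the original answer): the engine loaded by the engine command exists only inside the openssl process that loaded it, so both commands are fed to one process through a here-document; the engine and module paths are the ones from the question, and the public-key file used for verification is an assumed export of the card's key.

```shell
#!/bin/bash
# Added example, not from the original post. Sign with a pkcs11 engine inside a
# single interactive openssl session, then verify with a separate invocation.
set -eu

ENGINE_SO=${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}
PKCS11_MODULE=${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}
KEY_ID=${KEY_ID:-slot_0-id_1}

# openssl_session CMD... -> run each argument as one line of one interactive
# openssl session (here-document). Caveat: the session's exit status only tells
# you it reached "quit"; a failed command inside prints "error in <cmd>" and the
# session carries on, so never treat this status as proof of a good signature.
openssl_session() {
    cmds=$(printf '%s\n' "$@")
    openssl <<EOT
$cmds
quit
EOT
}

# sign_with_card FILE SIG -> load the pkcs11 engine and sign in the same process.
sign_with_card() {
    openssl_session \
        "engine -t dynamic -pre SO_PATH:$ENGINE_SO -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$PKCS11_MODULE" \
        "dgst -engine pkcs11 -sign $KEY_ID -keyform engine -sha256 -out $2 $1"
}

# sign_with_file_key KEY FILE SIG -> same session mechanics with a PEM key, so
# the flow can be exercised on a machine without a smartcard.
sign_with_file_key() {
    openssl_session "dgst -sha256 -sign $1 -out $3 $2"
}

# verify_signature PUBKEY FILE SIG -> non-interactive call whose exit status is
# reliable: 0 only if SIG is a valid SHA-256 signature of FILE under PUBKEY.
verify_signature() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}
```

Call sign_with_card textToSign.txt signature.bin followed by verify_signature against the exported public key; the verify step is what tells the script whether signing actually succeeded.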

Related

Import signable Certificate on MacOS

I have been trying to import a certificate on MacOS (Monterey).
I managed to convert my key.pem and cert.pem to a .pfx and added it on a Windows machine, and signed a binary using Windows' signtool with the pfx file.
When trying something similar on MacOS, it complains that it is the wrong password (and cancels after 3 "failed" attempts).
openssl pkcs12 -export -clcerts -inkey key.pem -in cert.pem -out cert_p12.p12
sudo security import macos_p12.p12 -A -k "/Library/Keychains/System.keychain"
I also tried to generate my own certificate, where I simply just set the password to 1234, and add that, but that also failed with the same password error:
openssl req -x509 -newkey rsa:4096 -keyout macos_key.pem -out macos_cert.pem -sha256 -days 365
openssl pkcs12 -export -clcerts -inkey macos_key.pem -in macos_cert.pem -out macos_p12.p12
sudo security import macos_p12.p12 -A -k "/Library/Keychains/System.keychain"
So I don't know what I am doing wrong, so I would appreciate any help!
Looks like you have OpenSSL 3+. Maybe the -legacy option of pkcs12 could help.

Generating Ed25519 key/pair with LibreSSL on mac: missing algorithm

I am trying to generate a Ed25519 key/pair using
openssl genpkey -algorithm Ed25519 -out ed25519key.pem
However, on my MacOS I get this:
Algorithm Ed25519 not found
I am running OpenSSL / LibreSSL 3.2.5 but I have no idea why this algorithm wouldn't be available.
Is there something I'm missing / need to install?
It seems that the default OpenSSL (LibreSSL) that comes with MacOS (even in MacOS 11.2.3) simply doesn't have the algorithm.
I installed OpenSSL 1.1.1k via brew separately (in /usr/local/opt/openssl@1.1) and using that binary the command works.

How to generate a Curve25519 key pair in Terminal?

How can we generate a Curve25519 key pair from the command line?
We have a MacBook Air with Homebrew installed.
Should we use OpenSSL or another command line tool?
How do we use that tool to generate a Curve25519 key pair?
You can use the following command for generating the key pair:
openssl genpkey -algorithm x25519 -out x25519-priv.pem
And for extracting public key:
openssl pkey -in x25519-priv.pem -pubout -out x25519-pub.pem
openssl in MacOS is Apple's own openssl, which does not support Curve25519.
You need to install it with brew:
brew install openssl
and then link it using PATH or using brew link --force openssl (not recommended). For example, if you are using zsh:
echo 'export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
To check if it worked, just use the which command:
which openssl
Now if you see output like this, you are good to go:
/usr/local/opt/openssl@1.1/bin/openssl
Now you can generate Curve25519 keys using openssl:
openssl genpkey -algorithm x25519 -out x25519-priv.pem
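The Ed25519 and Curve25519 answers above both come down to "the system openssl lacks the algorithm, use the Homebrew one". As an added example (not code from either answer), this script probes the candidate binaries for the requested algorithm instead of trusting PATH, then generates the pair with the first one that works; the Homebrew paths are assumed defaults (Intel: /usr/local, Apple Silicon: /opt/homebrew) and OPENSSL_BIN is an assumed override variable.

```shell
#!/bin/sh
# Added example, not from the original answers. Find an OpenSSL build that can
# actually generate the requested key type (ed25519 or x25519), then use it.
set -eu

CANDIDATES="${OPENSSL_BIN:-} /opt/homebrew/opt/openssl@3/bin/openssl \
/usr/local/opt/openssl@3/bin/openssl /usr/local/opt/openssl@1.1/bin/openssl openssl"

# supports_alg BIN ALG -> 0 if BIN can run "genpkey -algorithm ALG"
# (LibreSSL builds that lack it answer "Algorithm ... not found").
supports_alg() {
    "$1" genpkey -algorithm "$2" -out /dev/null >/dev/null 2>&1
}

# find_openssl ALG -> print the first candidate that supports ALG, 1 if none.
find_openssl() {
    for bin in $CANDIDATES; do
        if command -v "$bin" >/dev/null 2>&1 && supports_alg "$bin" "$1"; then
            printf '%s\n' "$bin"
            return 0
        fi
    done
    return 1
}

# gen_keypair ALG PRIV PUB -> PKCS#8 private key in PRIV, SPKI public key in PUB.
gen_keypair() {
    bin=$(find_openssl "$1") || {
        echo "no OpenSSL with $1 support found; try: brew install openssl" >&2
        return 1
    }
    "$bin" genpkey -algorithm "$1" -out "$2"
    chmod 600 "$2"                      # private key stays owner-only
    "$bin" pkey -in "$2" -pubout -out "$3"
}
```

Run gen_keypair x25519 x25519-priv.pem x25519-pub.pem (or ed25519 for a signing key); when nothing on the machine supports the algorithm it fails with a message instead of silently using the wrong binary.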

C# or nuget package wrapper for Windows UWP app

I need an OpenSSL wrapper for my Windows Universal App. The wrapper should be able to duplicate these 3 commands:
openssl ecparam -genkey -name secp256k1 -noout -outform DER -out private.key
openssl ec -inform DER -in private.key -noout -text
openssl dgst -sha256 -hex -sign private.key -keyform DER
I tried this NuGet package: https://www.nuget.org/packages/openssl/ but it doesn't work. If anyone has an idea of a package or source code to duplicate these commands, I await your answer.
Thanks

How to validate s/mime signature using openssl

How to validate an s/mime signature using OpenSSL? Through the command line we can verify with:
openssl smime -verify -in detachedsign.pem -content content.txt
What is the equivalent method for the openssl smime -verify command on Mac OSX?
What is the equivalent method for the openssl smime -verify command in Mac OSX apps?
There is none out of the box. Mac OS X provides OpenSSL 0.9.8y. openssl smime was added at OpenSSL 1.0.0. See smime(1) for details.
0.9.8 is also missing cms. And I don't believe you can use pkcs7 - the sub commands look anemic.
You can use OpenSSL if you build and install OpenSSL on OS X. If you build it, configure with Configure darwin64-x86_64-cc. Once installed, the newer OpenSSL will be located at /usr/local/ssl/bin by default.
Out of the box, for verifying s/mime signatures on OSX, you have
security cms -D -i smime-message-in-der-format.der
I think you need the message to be in DER instead of PEM format. I don't know about -content, could that be the equivalent of -envelope?