Sign software artifacts with OpenSSL using PKCS11 library
OpenSSL is a versatile open-source cryptography library that provides a set of tools and libraries for secure communications and digital signatures.
Tip
OpenSSL sign commands do not accept the following characters: ; ! ' ( ) [ &
To avoid errors, remove these characters from file paths before attempting to sign.
Follow these instructions to sign directly using OpenSSL and securely reference your private key stored in DigiCert® KeyLocker via our PKCS11 library.
Attention
Scan your systems for uses of OpenSSL 3.0 and above, and if you find any instances, upgrade to 3.0.7. See OpenSSL releases patch for high-severity vulnerability in versions 3.0 and above.
Types of OpenSSL signatures
OpenSSL supports three types of signatures:
DGST
SMIME
RSA UTL
Prerequisites
Sign with OpenSSL (DGST)
DGST signing hashes the input and signs it in one step, and writes the signature as a binary output file.
Use the PKCS11 URL for the private key to sign.
Use the PKCS11 URL for the X.509 certificate or public key to verify the signature.
Sign with OpenSSL (SMIME)
To sign with SMIME, use:
openssl smime -sign -engine pkcs11 -keyform engine -md sha256 -binary -in <file to be signed> -out <signed output file> -outform smime -inkey "pkcs11:object=<keypair-alias>;type=private" -signer <signer certificate file>
Sample command:
openssl smime -sign -engine pkcs11 -keyform engine -md sha256 -binary -in example.txt -out example.p7s -outform smime -inkey "pkcs11:object=keytool;type=private" -signer keytool.cer
Download SMIME certificate
The file passed to -signer is the signer certificate that belongs to your KeyLocker key pair; retrieve it with the Sign Manager Controller (SMCTL).
To list the certificates, use:
smctl certificate list
To download the certificate, use:
smctl certificate download
Verify SMIME signature
To verify the signature, use:
openssl smime -verify -in example.p7s -signer example-signer.cer -out example.verified.txt -noverify
Note
With -verify, both -signer and -out name output files: the certificate embedded in the signed message is written to the -signer file and the verified content to the -out file, so choose names that do not overwrite example.txt or the certificate you downloaded. The -noverify option skips verification of the signer's certificate chain, so the command only confirms that the signature matches the certificate embedded in example.p7s. Omit -noverify and pass -CAfile with your trust anchor to also check that the signer certificate chains to a CA you trust.
Sign with OpenSSL (RSA UTL)
RSA UTL does not hash the input for you: you compute the digest of the file first and then sign that digest. Sign with the PKCS11 URL for the private key and verify with the PKCS11 URL for the X.509 certificate or public key. rsautl is deprecated since OpenSSL 3.0 in favour of pkeyutl, but the commands below still work on 3.x (with a deprecation warning).
Note
On Windows, xxd is not built in; it ships with the Vim editor, so install Vim to use it.
To sign using RSA UTL:
Create a digest of the original file that you want to sign, using:
openssl dgst -sha256 -binary <input_file> | xxd -p -c 256 > <output_file>
Sample command:
openssl dgst -sha256 -binary example.txt | xxd -p -c 256 > example.digest.sha256
Note
This command generates a result in hex format.
Sign the digest created, using:
openssl rsautl -engine pkcs11 -sign -pkcs -in <digest_file> -inkey "pkcs11:object=<keypair-alias>;type=private" -keyform engine -out <signed_digest_file>
Sample command:
openssl rsautl -engine pkcs11 -sign -pkcs -in example.digest.sha256 -inkey "pkcs11:object=keytool;type=private" -keyform engine -out example.sig.sha256
Note
This command generates a result of the signed digest in binary format.
To verify a signature using RSA UTL:
Verify the signed digest, using:
openssl rsautl -engine pkcs11 -keyform engine -verify -inkey "pkcs11:object=<keypair-alias>;type=public" -in <signed_digest_file> -out <output_decrypted_file>
Sample command:
openssl rsautl -engine pkcs11 -keyform engine -verify -inkey "pkcs11:object=keytool;type=public" -in example.sig.sha256 -out output_decrypted_digest_file.sha256
Validate the signature by comparing the digest file you created from the original file with the digest recovered by the verify command; the signature is valid only if the two files are byte-for-byte identical.
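The following is an added example covering both the DGST section and the RSA UTL procedure above. It is not from the DigiCert page and uses a throwaway software key so that it runs offline; with KeyLocker, replace -inkey key.pem (and -pubin -inkey pub.pem) with the pkcs11 engine options shown in the commands above. It fills in the final comparison step with cmp, uses od as a portable stand-in for xxd, and adds a caveat the procedure does not state: the rsautl output signs the ASCII hex digest with no DigestInfo, so it is not a standard RSA/SHA-256 signature over the file and openssl dgst -verify rejects it, whereas pkeyutl -pkeyopt digest:sha256 over the raw digest yields a pre-digested signature that standard verifiers accept. The file names and sample input are assumptions.

```shell
#!/bin/sh
# Added example, not from the DigiCert page: run the DGST and RSA UTL flows end
# to end against a throwaway software key so they can be tried offline.
# KeyLocker substitution (alias "keytool" as on the page):
#   sign:   -engine pkcs11 -keyform engine -inkey "pkcs11:object=keytool;type=private"
#   verify: -engine pkcs11 -keyform engine -inkey "pkcs11:object=keytool;type=public"
# in place of "-inkey key.pem" / "-pubin -inkey pub.pem" below.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed input file and a throwaway 2048-bit RSA key pair (assumed names).
printf 'release-1.2.3 payload\n' > example.txt
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem 2>/dev/null
openssl pkey -in key.pem -pubout -out pub.pem

# Portable stand-in for `xxd -p -c 256`: print stdin as one line of lowercase hex.
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# DGST: hash and sign in one step. The output is a standard PKCS#1 v1.5
# signature over the SHA-256 DigestInfo, so any verifier can check it.
dgst_sign_verify() {
  openssl dgst -sha256 -sign key.pem -out example.sig example.txt
  openssl dgst -sha256 -verify pub.pem -signature example.sig example.txt >/dev/null
}

# RSA UTL as on the page: pre-digest to hex text, sign that text with raw
# PKCS#1 type-1 padding, recover it on verify, and compare with the original.
rsautl_roundtrip() {
  openssl dgst -sha256 -binary example.txt | to_hex > example.digest.sha256
  openssl rsautl -sign -pkcs -in example.digest.sha256 -inkey key.pem \
    -out example.sig.sha256 2>/dev/null
  openssl rsautl -verify -pubin -inkey pub.pem -in example.sig.sha256 \
    -out recovered.sha256 2>/dev/null
  # The validation step the procedure needs: the two digest files must be identical.
  cmp -s example.digest.sha256 recovered.sha256
}

# Caveat: the rsautl output signs ASCII hex without DigestInfo, so it is not a
# standard RSA/SHA-256 signature over example.txt; `openssl dgst -verify` rejects it.
rsautl_sig_is_not_standard() {
  ! openssl dgst -sha256 -verify pub.pem -signature example.sig.sha256 example.txt >/dev/null 2>&1
}

# Interoperable pre-digested alternative: sign the 32 raw digest bytes with pkeyutl
# and name the digest algorithm, so DigestInfo is added and dgst -verify accepts it.
pkeyutl_predigested() {
  openssl dgst -sha256 -binary -out example.digest.bin example.txt
  openssl pkeyutl -sign -in example.digest.bin -inkey key.pem -pkeyopt digest:sha256 \
    -out example.pk.sig
  openssl dgst -sha256 -verify pub.pem -signature example.pk.sig example.txt >/dev/null
}

dgst_sign_verify && rsautl_roundtrip && rsautl_sig_is_not_standard && pkeyutl_predigested \
  && echo "all four checks passed"
```

Use the rsautl form only when the consumer of the signature runs the same recover-and-compare procedure; if anything else (a package manager, a verifier library, openssl dgst -verify) has to check the signature, sign with DGST or with pkeyutl over the raw digest instead.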
P11tool for listing certificates (optional)
p11tool (part of GnuTLS) lists the objects in the KeyLocker PKCS11 provider and prints their PKCS11 URLs in the form OpenSSL accepts.
To list the PKCS11 URLs of the private key and its corresponding certificate in DigiCert® KeyLocker, use:
p11tool --provider=<absolute path to smpkcs11.so> --list-all
Sample command (Linux), with OPENSSL_CONF pointing at the dc-openssl.conf shipped with the KeyLocker tools:
OPENSSL_CONF=<path to dc-openssl.conf> p11tool --provider=/home/myles/Keylockertools-linux-x64/bin/smpkcs11.so --list-all
Note
In the listing, each object has a Type: line and a URL: line. The private key is the object with Type: Private key and its certificate the object with Type: X.509 Certificate (Object 2 and Object 0 respectively in the output this sample produced). Copy the URL: value of each into the OpenSSL commands above.