
Sign software artifacts with OpenSSL using PKCS11 library

OpenSSL is a versatile open-source cryptography library that provides a set of tools and libraries for secure communications and digital signatures.

Tip

OpenSSL does not support the following characters in sign commands: ; ! ' ( ) [ &

To avoid errors, remove unsupported characters from file paths before attempting to sign.

Follow these instructions to sign directly using OpenSSL and securely reference your private key stored in DigiCert® KeyLocker via our PKCS11 library.

Attention

Scan your systems for uses of OpenSSL 3.0 and above, and if you find any instances, upgrade to 3.0.7. See OpenSSL releases patch for high level vulnerability in versions 3.0 and above.

Types of OpenSSL signatures

OpenSSL supports three types of signatures:

  • DGST

  • SMIME

  • RSA UTL

Prerequisites

Sign with OpenSSL (DGST)

  • DGST signing creates a binary output file.

  • Use the PKCS11 URL for the private key to sign.

  • Use the PKCS11 URL for the x.509 certificate or public key to verify the signature.

Sign with OpenSSL (SMIME)

To sign with SMIME, use:

openssl smime -sign -engine pkcs11 -keyform engine -md sha256 -binary -in <file to be signed> -out <signed output file> -outform smime -inkey "pkcs11:object=<keypair-alias>;type=private" -signer <public key file>

Sample command:

openssl smime -sign -engine pkcs11 -keyform engine -md sha256 -binary -in example.txt -out example.p7s -outform smime -inkey "pkcs11:object=keytool;type=private" -signer keytool.cer


Download SMIME certificate

To download the certificate using the Sign Manager Controller (SMCTL), use:

  1. To list the certificates, use:

    smctl certificate list
  2. To download the certificate, use:

    smctl certificate download

Verify SMIME signature

To verify the signature, use:

openssl smime -verify -in example.p7s -signer keytool.cer -out example.txt -noverify

Note

The -noverify option skips chain verification of the supplied certificate file.
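The sign and verify commands above, run end to end as an added example (this is not DigiCert's code and not part of the original page): a throwaway self-signed certificate and PEM key stand in for keytool.cer and the KeyLocker PKCS11 key, so the -engine pkcs11 and -keyform engine options are dropped and everything else follows the page's commands. It also shows what -noverify does and does not skip: the signature over the message content is still checked (a tampered message fails), only the signer's certificate chain is not, so a second verification passes -CAfile to check the chain as well. Directory names, file names, the CN and the sample content are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not DigiCert's code: S/MIME sign/verify round trip with a
# throwaway self-signed certificate standing in for keytool.cer and a PEM key in
# place of "pkcs11:object=keytool;type=private". Assumes OpenSSL 1.1.1+ on PATH.
set -u

# Stand-in for the KeyLocker key and its certificate (constructed, one-day validity).
make_test_identity() {   # $1 = directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=smime-example" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Same options as the page's sign command minus the PKCS11 engine flags.
smime_sign() {   # $1 = input, $2 = signed output (.p7s), $3 = key, $4 = signer cert
  openssl smime -sign -md sha256 -binary -in "$1" -out "$2" -outform smime \
    -inkey "$3" -signer "$4" 2>/dev/null
}

# Verify a signed message and compare the recovered content with the original.
# Mode "noverify" mirrors the page: the signature over the content is still
# checked, the signer's certificate chain is not. Mode "chain" also checks the
# chain against the CA file in $5. Returns 0 only if both checks pass.
smime_verify() {   # $1 = .p7s, $2 = recovered output, $3 = original, $4 = mode, [$5 = CA file]
  if [ "$4" = chain ]; then
    openssl smime -verify -in "$1" -out "$2" -CAfile "$5" >/dev/null 2>&1 || return 1
  else
    openssl smime -verify -in "$1" -out "$2" -noverify >/dev/null 2>&1 || return 1
  fi
  cmp -s "$2" "$3"
}

# Whole scenario; returns 0 when every expectation holds.
smime_scenario() {
  local d; d=$(mktemp -d) || return 1
  make_test_identity "$d" || return 1
  # Constructed input with no line break: the S/MIME parser normalizes line
  # endings to CRLF when extracting clear-signed content, which would make an
  # exact cmp fail for LF-terminated text signed with -binary.
  printf 'release artifact v1.0' > "$d/example.txt"
  smime_sign "$d/example.txt" "$d/example.p7s" "$d/key.pem" "$d/cert.pem" || return 1

  # 1. -noverify: the signature over the content is validated and the content round-trips.
  smime_verify "$d/example.p7s" "$d/a.txt" "$d/example.txt" noverify || return 1
  # 2. Chain verification with the self-signed certificate as the trust anchor.
  smime_verify "$d/example.p7s" "$d/b.txt" "$d/example.txt" chain "$d/cert.pem" || return 1
  # 3. Editing the clear-text body of the signed message must fail, even with -noverify.
  sed 's/v1\.0/v1.1/' "$d/example.p7s" > "$d/tampered.p7s"
  if smime_verify "$d/tampered.p7s" "$d/c.txt" "$d/example.txt" noverify; then return 1; fi
  # 4. A signer outside the trust store fails chain verification (it would still
  #    pass with -noverify): verify against an unrelated certificate.
  mkdir "$d/other" && make_test_identity "$d/other" || return 1
  if smime_verify "$d/example.p7s" "$d/e.txt" "$d/example.txt" chain "$d/other/cert.pem"; then return 1; fi

  rm -rf "$d"
  return 0
}

if smime_scenario; then echo "all S/MIME checks behaved as expected"; else echo "unexpected result"; fi
```

Run it with bash; OpenSSL 1.1.1 or 3.x is assumed on PATH (3.x prints a deprecation notice for -nodes, which the script suppresses). Verification with -noverify is enough to prove the content was not altered after signing, but only the -CAfile variant proves who signed it.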

Sign with OpenSSL (RSA UTL)

  • RSA UTL needs the input file to be pre-digested before requesting a signature.

  • OpenSSL rsautl uses the PKCS11 URL for the x.509 certificate or public key.

Note

On Windows, xxd is not installed by default; it ships with the Vim editor, so install Vim to use xxd.

To sign using RSA UTL:

  1. Create a digest of the original file that you want to sign, using:

    openssl dgst -sha256 -binary <input_file> | xxd -p -c 256 > <output_file>

    Sample command:

    openssl dgst -sha256 -binary example.txt | xxd -p -c 256 > example.digest.sha256

    Note

    This command generates a result in hex format.

  2. Sign the digest created, using:

    openssl rsautl -engine pkcs11 -sign -pkcs -in <digest_file> -inkey "pkcs11:object=<keypair-alias>;type=private" -keyform engine -out <signed_digest_file>

    Sample command:

    openssl rsautl -engine pkcs11 -sign -pkcs -in readme.digest.sha256 -inkey "pkcs11:object=keytool;type=private" -keyform engine -out readme.sig.sha256

    Note

    This command generates a result of the signed digest in binary format.

To verify a signature using RSA UTL:

  1. Verify the signed digest, using:

    openssl rsautl -engine pkcs11 -keyform engine -verify -inkey "pkcs11:object=<keypair-alias>;type=public" -in <signed_digest_file> -out <output_decrypted_file>

    Sample command:

    openssl rsautl -engine pkcs11 -keyform engine -verify -inkey "pkcs11:object=keytool;type=public" -in readme.sig.sha256 -out output_decrypted_digest_file.sha256
  2. Validate the signature by comparing the digest you created from the original file in step 1 of signing with the decrypted digest file written by the verify command; the two files must be identical.
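Both flows run end to end, as an added example that is not DigiCert's code and not part of the original page: the DGST flow described in the bullets earlier (OpenSSL hashes the file itself and writes a binary signature) and the RSA UTL steps above, including the comparison that closes the verify procedure. A locally generated RSA key pair stands in for the KeyLocker key, so -engine pkcs11 and -keyform engine are dropped and -inkey takes a PEM file; directory and file names and the sample content are constructed. One point worth seeing in code: rsautl signs exactly the bytes it is given, so the signature here covers the 64 hex characters produced in step 1, and the verify command recovers those same bytes for the comparison.

```shell
#!/usr/bin/env bash
# Added example, not DigiCert's code: the DGST and RSA UTL flows from this page
# against a throwaway software key that stands in for the KeyLocker
# "pkcs11:object=keytool;type=private" key. Assumes OpenSSL 1.1.1+; xxd optional.
set -u

# Stand-in for the KeyLocker key pair: a local RSA key and its public half.
make_test_keypair() {   # $1 = directory
  openssl genrsa -out "$1/key.pem" 2048 >/dev/null 2>&1 &&
  openssl rsa -in "$1/key.pem" -pubout -out "$1/pub.pem" >/dev/null 2>&1
}

# Step 1 of the RSA UTL flow: hex SHA-256 digest of the file, as on the page.
# Falls back to od(1) where xxd is not installed (same 64 hex chars + newline).
hex_digest() {   # $1 = input file, $2 = digest output file
  if command -v xxd >/dev/null 2>&1; then
    openssl dgst -sha256 -binary "$1" | xxd -p -c 256 > "$2"
  else
    { openssl dgst -sha256 -binary "$1" | od -An -v -tx1 | tr -d ' \n'; echo; } > "$2"
  fi
}

# Step 2: PKCS#1 v1.5 signature over the digest file. rsautl signs the bytes it
# is given, i.e. the 64 hex characters, not the raw 32-byte hash.
rsautl_sign() {   # $1 = digest file, $2 = private key, $3 = signature output
  openssl rsautl -sign -pkcs -in "$1" -inkey "$2" -out "$3" 2>/dev/null
}

# Verify: recover the signed bytes with the public key, then do the comparison
# the page's last step describes. Returns 0 only on an exact match.
rsautl_verify() {   # $1 = signature, $2 = public key, $3 = digest file to compare against
  local recovered rc; recovered=$(mktemp) || return 1
  if ! openssl rsautl -verify -pubin -inkey "$2" -in "$1" -out "$recovered" 2>/dev/null; then
    rm -f "$recovered"; return 1          # signature does not decrypt under this key
  fi
  if cmp -s "$recovered" "$3"; then rc=0; else rc=1; fi
  rm -f "$recovered"; return $rc
}

# DGST flow: openssl hashes the file itself and emits a binary signature;
# verification re-hashes the file and checks it against the signature.
dgst_sign() {   # $1 = input, $2 = private key, $3 = signature output
  openssl dgst -sha256 -sign "$2" -out "$3" "$1" 2>/dev/null
}
dgst_verify() {   # $1 = input, $2 = public key, $3 = signature
  openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

# Whole scenario; returns 0 when every expectation holds.
sign_verify_scenario() {
  local d; d=$(mktemp -d) || return 1
  make_test_keypair "$d" || return 1
  printf 'release artifact v1.0\n' > "$d/example.txt"     # constructed input
  printf 'release artifact v1.1\n' > "$d/modified.txt"    # constructed, altered after signing

  # RSA UTL: digest, sign, verify, compare.
  hex_digest "$d/example.txt" "$d/example.digest.sha256"
  rsautl_sign "$d/example.digest.sha256" "$d/key.pem" "$d/example.sig.sha256" || return 1
  rsautl_verify "$d/example.sig.sha256" "$d/pub.pem" "$d/example.digest.sha256" || return 1
  # The recovered digest must not match the digest of a modified file.
  hex_digest "$d/modified.txt" "$d/modified.digest.sha256"
  if rsautl_verify "$d/example.sig.sha256" "$d/pub.pem" "$d/modified.digest.sha256"; then return 1; fi

  # DGST: sign the file directly, verify it, and confirm a modified file fails.
  dgst_sign "$d/example.txt" "$d/key.pem" "$d/example.bin.sig" || return 1
  dgst_verify "$d/example.txt" "$d/pub.pem" "$d/example.bin.sig" || return 1
  if dgst_verify "$d/modified.txt" "$d/pub.pem" "$d/example.bin.sig"; then return 1; fi

  rm -rf "$d"
  return 0
}

if sign_verify_scenario; then echo "all signature checks behaved as expected"; else echo "unexpected result"; fi
```

Run it with bash. rsautl is deprecated in OpenSSL 3.x in favour of pkeyutl (the script suppresses the notice), and the -pkcs padding shown is rsautl's default. Because the RSA UTL signature covers the hex text file, anyone verifying it must regenerate that text exactly as in step 1 (same hash, same hex encoding, same line ending) before comparing.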

P11tool for listing certificates (optional)

If you use p11tool to manage your certificates, you can list the objects with p11tool in a format that OpenSSL supports.

To allow DigiCert® KeyLocker to retrieve the PKCS11 URL for the private key and its corresponding certificate, use:

p11tool --provider=<absolute path to smpkcs11.so> --list-all

OPENSSL_CONF=C:\Users\taylo\Downloads\Keylockertools-windows-x64\dc-openssl.conf p11tool --provider=/home/myles/Keylockertools-linux-x64/bin/smpkcs11.so --list-all

Note

In the p11tool output, the private key is listed as Object 2 (Type: Private key) and its certificate as Object 0 (Type: X.509 Certificate).