Skip to main content

OpenSSL DGST による XML の分離署名

Integrate the DigiCert​​®​​ Software Trust Manager PKCS11 library with OpenSSL to sign XML files for detached signature.

注記

A .spk file cannot be signed using SMCTL; however, a .spk file can be signed using the detached signature method.

Prerequisites

  • DigiCert ONE API key

  • DigiCert ONE client authentication certificate

  • Software Trust Manager keypair

  • OpenSSL with DigiCert​​®​​ Software Trust Manager PKCS11 library

  • Configure your credentials

  • Public key

  • XML file that needs signing

Install and configure Software Trust Manager PKCS11 with OpenSSL

Follow these instructions to install OpenSSL and configure it with Software Trust Manager PKCS11 library.

XML コマンド

Copy the file to the desired location to permit signing.

コマンド

openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=<keypair alias>;type=private" -sha256 -out <Detached signature output file> -sha256 <Unsigned XML File>

出力例

root@dcd6f73b44b0:~/xmlsign# openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=sid-xmlsign-keypair;type=private" -sha256 -out xml-detached.sig -sha256 unsigned.xml engine "pkcs11" set.

Verify XML signature

The public key is required to verify the signature.

You can retrieve the public key using the Software Trust Manager UI, CLI, or OpenSSL.

To retrieve the public key via OpenSSL, use:

openssl x509 -pubkey -noout -in <keypair alias>.pem > pubkey.pem

コマンド

openssl  dgst -verify pubkey.pem -signature <Detached signature output file> <Unsigned XML file>

出力例

root@dcd6f73b44b0:~/xmlsign# openssl  dgst -verify pubkey.pem -signature xml-detached.sig unsigned.xml  
Verified OK