Configure and sign with OpenSSL
OpenSSL is a versatile open-source cryptography library that provides a set of tools and libraries for secure communications and digital signatures.
Tip
OpenSSL does not support the following characters in sign commands: ; ! ' ( ) [ &
To avoid errors, remove unsupported characters from file paths before attempting to sign.
Follow these instructions to sign directly using OpenSSL and securely reference your private key stored in Software Trust Manager via our PKCS11 library.
Caution
Scan your systems for uses of OpenSSL 3.0 and above, and if you find any instances, upgrade to 3.0.7. See "OpenSSL releases patch for high-level vulnerability in versions 3.0 and above".
Types of OpenSSL signatures
OpenSSL supports three types of signatures:
DGST
SMIME
RSA UTL
Prerequisites
Download and configure Software Trust Manager clients
Install OpenSSL and configure it with the Software Trust Manager PKCS11 library
Keypair alias
Sign with OpenSSL (DGST)
DGST signing creates a binary output file.
Use the PKCS11 URL for the private key to sign.
Use the PKCS11 URL for the X.509 certificate or public key to verify the signature.
Sign with OpenSSL (SMIME)
Use the following to create an SMIME signature:
openssl smime -sign -engine pkcs11 -keyform engine -md sha256 -binary -in <file to be signed> -out <signed output file> -outform smime -inkey "pkcs11:object=<keypair-alias>;type=private" -signer <public key file>
Example:
openssl smime -sign -engine pkcs11 -keyform engine -md sha256 -binary -in example.txt -out example.p7s -outform smime -inkey "pkcs11:object=keytool;type=private" -signer keytool.cer
Download the certificate (SMIME)
Download SMIME certificate
To download the certificate using SMCTL, use the following:
To list the certificates, use:
smctl certificate list
To download the certificate, use:
smctl certificate download
Verify the signature (SMIME)
Use the following to verify that the file is signed:
openssl smime -verify -in example.p7s -signer keytool.cer -out example.txt -noverify
Note
The noverify option skips chain verification of the supplied certificate file.
Sign with OpenSSL (RSA UTL)
RSA UTL needs the input file to be pre-digested before requesting a signature.
OpenSSL rsautl uses the PKCS11 URL for the X.509 certificate or public key.
Note
On Windows, you also need the Vim editor, which provides the xxd tool.
To sign using RSA UTL:
Create a digest of the original file that you want to sign, using:
openssl dgst -sha256 -binary <input_file> | xxd -p -c 256 > <output_file>
Sample command:
openssl dgst -sha256 -binary example.txt | xxd -p -c 256 > example.digest.sha256
Note
This command generates a result in hex format.
Sign the digest created, using:
openssl rsautl -engine pkcs11 -sign -pkcs -in <digest_file> -inkey "pkcs11:object=<keypair-alias>;type=private" -keyform engine -out <signed_digest_file>
Sample command:
openssl rsautl -engine pkcs11 -sign -pkcs -in readme.digest.sha256 -inkey "pkcs11:object=keytool;type=private" -keyform engine -out readme.sig.sha256
Note
This command generates a result of the signed digest in binary format.
To verify a signature using RSA UTL:
Verify the signed digest, using:
openssl rsautl -engine pkcs11 -keyform engine -verify -inkey "pkcs11:object=<keypair-alias>;type=public" -in <signed_digest_file> -out <output_decrypted_file>
Command sample:
openssl rsautl -engine pkcs11 -keyform engine -verify -inkey "pkcs11:object=keytool;type=public" -in readme.sig.sha256 -out output_decrypted_digest_file.sha256
Validate the signature by comparing the digest you created from the original file with the decrypted digest written by the verify command; the two must match.
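The comparison step above, as an added Python example that is not part of the original page or the Software Trust Manager tooling: it reproduces the exact bytes that `openssl dgst -sha256 -binary | xxd -p -c 256` writes (lowercase hex plus a trailing newline), so the file recovered by `rsautl -verify` can be compared byte for byte. The file names and sample content are constructed, and the verify output is simulated rather than produced by OpenSSL.

```python
import hashlib
import hmac
import os
import tempfile

# xxd -p -c 256 emits lowercase hex, 256 bytes per line, newline-terminated.
# A 32-byte SHA-256 digest therefore becomes one 64-character line plus "\n",
# and that 65-byte text (not the raw digest) is what rsautl -sign signs.
def xxd_p_digest(data: bytes) -> bytes:
    return (hashlib.sha256(data).hexdigest() + "\n").encode("ascii")

def verify_decrypted_digest(original_path: str, decrypted_path: str) -> bool:
    """Final RSA UTL step: recompute the digest of the original file and compare
    it with the file written by 'openssl rsautl -verify ... -out <file>'."""
    with open(original_path, "rb") as f:
        expected = xxd_p_digest(f.read())
    with open(decrypted_path, "rb") as f:
        recovered = f.read()
    # Constant-time, byte-exact comparison: a missing newline, uppercase hex
    # or a digest of different content all fail.
    return hmac.compare_digest(expected, recovered)

def demo() -> tuple:
    # Constructed sample files standing in for example.txt and the
    # output_decrypted_digest_file.sha256 produced by rsautl -verify.
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "example.txt")
        good = os.path.join(d, "output_decrypted_digest_file.sha256")
        bad = os.path.join(d, "tampered_digest.sha256")
        with open(original, "wb") as f:
            f.write(b"hello")
        with open(good, "wb") as f:
            f.write(xxd_p_digest(b"hello"))       # simulated genuine verify output
        with open(bad, "wb") as f:
            f.write(xxd_p_digest(b"hello!"))      # digest of different content
        return verify_decrypted_digest(original, good), verify_decrypted_digest(original, bad)

if __name__ == "__main__":
    print(demo())  # (True, False)
```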
Optionally use p11tool to list certificates
To obtain the formats OpenSSL supports, use p11tool to list the objects. With this option you can retrieve the PKCS11 URLs of the private key and its corresponding certificate (Object 2; Type: Private key, and Object 0; Type: X.509 Certificate, below).
To allow Software Trust Manager to retrieve the PKCS11 URL for the private key and its corresponding certificate, use:
p11tool --provider=<absolute path to smpkcs11.so> --list-all
OPENSSL_CONF=C:\Users\taylo\Downloads\smtools-windows-x64\dc-openssl.conf p11tool --provider=/home/myles/smtools-linux-x64/bin/smpkcs11.so --list-all
Note
Object 2; Type: Private key and object 0; Type: X.509 Certificate.