這是本文件的舊版!
OpenSSL 對電子檔簽章與驗簽方式
- OpenSSL 版本 : openssl-0.9.8b-10.el5_2.1
- 假設簽章者憑證為 jonathan.crt 密鑰檔為 jonathan.key
- jonathan.crt 的發行者憑證為 RootCA.crt
- 對電子檔簽章作法:
- 被簽章的電子檔為 test.txt
- 預計簽完檔案為 test.txt.sig
openssl smime -sign -inkey jonathan.key -signer jonathan.crt -in test.txt -out test.txt.sig
<xtermrtf> [casrv@G2B2C-reg dev_caserver]$ openssl smime -sign -inkey jonathan.key -signer jonathan.crt -in test.txt -out test.txt.sig Enter pass phrase for jonathan.key: [casrv@G2B2C-reg dev_caserver]$ cat test.txt.sig MIME-Version: 1.0 Content-Type: multipart/signed; protocol=“application/x-pkcs7-signature”; micalg=sha1; boundary=“—-15B215678DE5CF4A4D8C9CD60B81A4EC”
This is an S/MIME signed message
——15B215678DE5CF4A4D8C9CD60B81A4EC 總計 156 -rw-rw-r– 1 casrv casrv 0 5月 13 10:37 tst.txt : : : -rw-rw-r– 1 casrv casrv 1050 5月 12 18:25 RootCA.req -rw——- 1 casrv casrv 1751 5月 12 18:23 RootCA.key
——15B215678DE5CF4A4D8C9CD60B81A4EC Content-Type: application/x-pkcs7-signature; name=“smime.p7s” Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=“smime.p7s”
MIIGOAYJKoZIhvcNAQcCoIIGKTCCBiUCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3 DQEHAaCCA48wggOLMIICcwIJALh6V0W0o+9+MA0GCSqGSIb3DQEBBQUAMIGHMQsw CQYDVQQGEwJUVzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWlwZWkxDDAK : : pnt3+FtyjJ0H/BY9DWPCQJ+Ms6l/iqtmPKqdwrKsqf2jrsopJ9hj6UmDNR+gr5RR b0L9I8Qc0HtZNYwwYtEl9o3OCpNHwpe/5HuFNu1N20WjtIUH/fYn4DXQORUBuO DvOBanH4+uAX9xYU+4rXL9+dJ8f1rc6ZtEcE5XpfKX+KWN7m9usmik7jTDVCLfwi +kvhv+kapp7nDSN+ ------15B215678DE5CF4A4D8C9CD60B81A4EC-- [casrv@G2B2C-reg dev_caserver]$ </xtermrtf> ++++ <note> 如果想將簽章檔包成 pkcs#7 格式可以直接下 -pk7out 的語法 <xtermrtf> [casrv@G2B2C-reg dev_caserver]$ openssl smime -pk7out -in test.txt.sig -out test.txt.p7b [casrv@G2B2C-reg dev_caserver]$ ls -lt 總計 176 -rw-rw-r-- 1 casrv casrv 2204 5月 13 11:38 test.txt.p7b -rw-rw-r-- 1 casrv casrv 3794 5月 13 11:37 test.txt.sig : : [casrv@G2B2C-reg dev_caserver]$ cat test.txt.p7b -----BEGIN PKCS7----- MIIGOAYJKoZIhvcNAQcCoIIGKTCCBiUCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3 DQEHAaCCA48wggOLMIICcwIJALh6V0W0o+9+MA0GCSqGSIb3DQEBBQUAMIGHMQsw CQYDVQQGEwJUVzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWlwZWkxDDAK : : ZH2c77SSfrzfkz+HztNtweNWbbcskVkihHrhjlXAQR4xLnRlg8xR+kxUvuxl8Z5a kxB+wggrFifZpRiUfiX8bAzHlvIWtOrufLAe2hiKT+bhrowqErqJo8XXR5u3eHsL vtiUmxJWh5vtQLf5 -----END PKCS7----- </xtermrtf> </note> ===== - 對電子檔驗簽作法:===== * 只要由 RootCA.crt 發行的憑證所簽章的檔案都可被信任 * 有含簽章的電子檔案為 test.txt.sig * 驗簽成功就取出被簽章的電子檔 test.txt 簽署者憑證檔 test.txt.crt <code sh> openssl smime -verify -in test.txt.sig -signer test.txt.crt -out test.txt -CAfile RootCA.crt </code> ++++看產生結果 <xtermrtf> [casrv@G2B2C-reg tmp]$ openssl smime -verify -in test.txt.sig -signer test.txt.crt -out test.txt -CAfile RootCA.crt Verification successful [casrv@G2B2C-reg tmp]$ ls -lt 總計 192 -rw-rw-r– 1 casrv casrv 1289 5月 13 11:05 test.txt.crt -rw-rw-r– 1 casrv casrv 1171 5月 13 11:05 test.txt </xtermrtf> ++
參考網址
- tech/openssl_signverify.1242187055.txt.gz
- 上一次變更: 2009/05/13 11:57
- 由 jonathan