Can SSL cert be used to digitally sign files?

元气小坏坏 提交于 2020-01-14 07:59:09

问题


I want to ask a thing about digital signing I am not very sure. Instead of creating a self signed certificate to use to sign some (PDF) files, I wanted to take my SSL cert which have my data already verified.

But the question is: Can a SSL cert be used to digital sign files or is it incompatible in some manner?

EDIT: To clarify, this question is not about how to sign PDFs, is only about if a SSL cert can be used (or converted in any way) to sign files.


回答1:


To support digital signing certificate must have digitalSignature option in it's keyUsage field (and codeSigning option in it's extendedKeyUsage field if your want to sign programs with it).

Signing may be done with existing tools or manually (java example, you are not asking for it, but this code snippet might be useful anyway):

byte[] bytesToSign = loadMyData();
KeyStore ks = KeyStore.getInstance("pkcs12", "SunJSSE");
ks.load(new FileInputStream("cert.p12"), "passwd1".toCharArray());
PrivateKey privateKey = (PrivateKey) ks.getKey("myalias", "passwd2".toCharArray());
Signature sig = Signature.getInstance("SHA1withRSA", ks.getProvider());
sig.initSign(privateKey);
sig.update(bytesToSign);
byte[] signature = sig.sign();

To make your own not self-signed certificate with openssl see this SO answer.

Also curious about signing PDF's - aren't separate hash sums of these files enough in your case?

edit: if you want any sign, not exactly X.509 sign by existing tools, you can extract RSA key from your cert and do signing without bothering about keyUsage field.




回答2:


At the core, the certificate is just a normal RSA public key that's been signed by several authorities.

So yes, definitely possible.

Though I don't know of any easy-to-use widespread tools for the end-user for this.




回答3:


Yes, you can sign and verify the signature of files using SSL certificates

Here is an example:

SSLCERT='/XXXX/ssl/certs/fqdn.pem'
SSLKEY='/XXXX/ssl/private_keys/fqdn.pem'
# You might not need to specify a CA
CACERTFILE='/XXXX/ssl/certs/ca.pem'
# File to sign
FILE='YYYYYYY'

# Signs, needs ${SSLKEY} and ${FILE}
openssl dgst -sha512 -sign ${SSLKEY} -out ${FILE}.sha512 ${FILE}

# Then transfer the following files to another server:
#  - ${CACERTFILE}
#  - ${SSLCERT}
#  - ${FILE}
#  - ${FILE}.sha512

# Check the certificate is valid
openssl verify -verbose -CAfile ${CACERTFILE} ${SSLCERT}
# Extract the pub key from the cert
openssl x509 -in ${SSLCERT} -pubkey -noout > ${SSLCERT}.pub
# Check the signature
openssl dgst -sha512 -verify ${SSLCERT}.pub -signature ${FILE}.sha512 ${FILE}


来源:https://stackoverflow.com/questions/9691521/can-ssl-cert-be-used-to-digitally-sign-files

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!