====== OpenSSL 對電子檔簽章與驗簽方式 ======
  * OpenSSL 版本 : openssl-0.9.8b-10.el5_2.1
  * 假設簽章者憑證為 jonathan.crt 密鑰檔為 jonathan.key
  * jonathan.crt 的發行者憑證為 RootCA.crt
===== - 對電子檔簽章作法：=====
  * 被簽章的電子檔為 test.txt
  * 預計簽完檔案為 test.txt.sig
<code sh>
openssl smime -sign -inkey jonathan.key -signer jonathan.crt -in test.txt -out test.txt.sig
</code>
++++看產生結果|
<cli>
[casrv@G2B2C-reg dev_caserver]$ openssl smime -sign -inkey jonathan.key -signer jonathan.crt -in test.txt -out test.txt.sig
Enter pass phrase for jonathan.key:
[casrv@G2B2C-reg dev_caserver]$ cat test.txt.sig
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----15B215678DE5CF4A4D8C9CD60B81A4EC"

This is an S/MIME signed message

------15B215678DE5CF4A4D8C9CD60B81A4EC
總計 156
-rw-rw-r-- 1 casrv casrv    0  5月 13 10:37 tst.txt
:
:
:
-rw-rw-r-- 1 casrv casrv 1050  5月 12 18:25 RootCA.req
-rw------- 1 casrv casrv 1751  5月 12 18:23 RootCA.key

------15B215678DE5CF4A4D8C9CD60B81A4EC
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIGOAYJKoZIhvcNAQcCoIIGKTCCBiUCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3
DQEHAaCCA48wggOLMIICcwIJALh6V0W0o+9+MA0GCSqGSIb3DQEBBQUAMIGHMQsw
CQYDVQQGEwJUVzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWlwZWkxDDAK
:
:
pnt3+FtyjJ0H/BY9DWPCQJ+Ms6l/iqtmPKqdwrKsqf2jrsopJ9hj6UmDNR+gr5RR
b0++L9I8Qc0HtZNYwwYtEl9o3OCpNHwpe/5HuFNu1N20WjtIUH/fYn4DXQORUBuO
DvOBanH4+uAX9xYU+4rXL9+dJ8f1rc6ZtEcE5XpfKX+KWN7m9usmik7jTDVCLfwi
+kvhv+kapp7nDSN+

------15B215678DE5CF4A4D8C9CD60B81A4EC--

[casrv@G2B2C-reg dev_caserver]$
</cli>
++++

<note>
如果想將簽章檔包成 pkcs#7 格式可以直接下 -pk7out 的語法
<cli>
[casrv@G2B2C-reg dev_caserver]$ openssl smime -pk7out -in test.txt.sig -out test.txt.p7b
[casrv@G2B2C-reg dev_caserver]$ ls -lt
總計 176
-rw-rw-r-- 1 casrv casrv 2204  5月 13 11:38 test.txt.p7b
-rw-rw-r-- 1 casrv casrv 3794  5月 13 11:37 test.txt.sig
:
:
[casrv@G2B2C-reg dev_caserver]$ cat test.txt.p7b
-----BEGIN PKCS7-----
MIIGOAYJKoZIhvcNAQcCoIIGKTCCBiUCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3
DQEHAaCCA48wggOLMIICcwIJALh6V0W0o+9+MA0GCSqGSIb3DQEBBQUAMIGHMQsw
CQYDVQQGEwJUVzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWlwZWkxDDAK
:
:
ZH2c77SSfrzfkz+HztNtweNWbbcskVkihHrhjlXAQR4xLnRlg8xR+kxUvuxl8Z5a
kxB+wggrFifZpRiUfiX8bAzHlvIWtOrufLAe2hiKT+bhrowqErqJo8XXR5u3eHsL
vtiUmxJWh5vtQLf5
-----END PKCS7-----
</cli>
</note>

===== - 對電子檔驗簽作法：=====
  * 只要由 RootCA.crt 發行的憑證所簽章的檔案都可被信任
  * 有含簽章的電子檔案為 test.txt.sig
  * 驗簽成功就取出被簽章的電子檔 test.txt 簽署者憑證檔 test.txt.crt
<code sh>
openssl smime -verify -in test.txt.sig -signer test.txt.crt -out test.txt -CAfile RootCA.crt
</code>
++++看產生結果|
<cli>
[casrv@G2B2C-reg tmp]$ openssl smime -verify -in test.txt.sig -signer test.txt.crt -out test.txt -CAfile RootCA.crt
Verification successful
[casrv@G2B2C-reg tmp]$ ls -lt
總計 192
-rw-rw-r-- 1 casrv  casrv  1289  5月 13 11:05 test.txt.crt
-rw-rw-r-- 1 casrv  casrv  1171  5月 13 11:05 test.txt
</cli>
++++

<note>
當驗證失敗時, 會產生 0 byte 的 test.txt 檔案
<cli>
[casrv@G2B2C-reg tmp]$ openssl smime -verify -in test.txt.sig -signer test.txt.crt -out test.txt -CAfile /var/www/html/dev_ca/jonathan.crt
Verification failure
17047:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:231:Verify error:unable to get local issuer certificate
[casrv@G2B2C-reg tmp]$ ls -lt
總計 188
-rw-rw-r-- 1 casrv  casrv     0  5月 13 11:32 test.txt
:
</cli>
</note>

===== 參考網址 =====
  * http://linux.chinaunix.net/bbs/archiver/?tid-1008796.html

{{tag>openssl ca pki}}