1

I'm a hobbyist developer who uses iOS/macOS utilities, and I'm struggling with some openssl commands. I execute an openssl command in the macOS terminal:

openssl smime -sign -signer *certificate.cer* -inkey *miPrivateKey* -out *outFile* -in *inFile* -outform PEM -nodetach

I would like to know the C functions associated with console commands, in particular the one above. How can I find a reference from terminal commands to the functions that are executed? Is there a way to know which functions are being called? I have successfully loaded all the libraries and called methods, but I don't know how to make this one up or which functions to call.

Cœur

2 Answers

1

It depends entirely on the parameters, but this is the gist of it for SMIME signing. For example, I use this for Apple-Wallet signing (removed error checking to make it simpler):

```cpp
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>
#include <openssl/pem.h>

int main()
{
    //Setup OpenSSL..
    SSL_library_init();
    OPENSSL_add_all_algorithms_noconf();
    OpenSSL_add_all_digests();

    //Load P12..
    BIO* bio = BIO_new_file("p12", "rb");
    PKCS12* p12 = d2i_PKCS12_bio(bio, nullptr);
    BIO_free_all(bio);

    EVP_PKEY* pkey = nullptr;
    X509* certificate = nullptr;
    PKCS12_parse(p12, "password", &pkey, &certificate, nullptr);
    PKCS12_free(p12);

    //Load certificate..
    bio = BIO_new_file("pem", "rb");
    X509* cert2 = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
    EVP_PKEY* pkey2 = PEM_read_bio_PrivateKey(bio, nullptr, nullptr, nullptr);
    BIO_free_all(bio);

    //Load digest..
    const EVP_MD* md = EVP_get_digestbyname("sha1");

    //Load file to sign..
    bio = BIO_new_file("fileToSign", "rb");

    //Sign the binary..
    PKCS7* pkcs7 = PKCS7_sign(cert2, pkey2, nullptr, bio, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM);
    PKCS7_sign_add_signer(pkcs7, certificate, pkey, md, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM);
    PKCS7_add_certificate(pkcs7, cert2);
    PKCS7_final(pkcs7, bio, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM);
    BIO_free_all(bio);

    //Cleanup..
    X509_free(cert2);
    EVP_PKEY_free(pkey2);
    X509_free(certificate);
    EVP_PKEY_free(pkey);

    //Save the signature to a file (opened for writing, "wb")..
    bio = BIO_new_file("Signature", "wb");
    i2d_PKCS7_bio(bio, pkcs7);
    BIO_free_all(bio);
    PKCS7_free(pkcs7);

    //Cleanup OpenSSL
    EVP_cleanup();
    CRYPTO_cleanup_all_ex_data();
    return 0;
}
```

It will read your PrivateKey (p12 format), your signer certificate, the file to be signed, sign it, and output in DER format. You can modify it to output in PEM format and remove the `PKCS7_DETACHED` flag for "-nodetach".

This one signs using the sha1 digest (Apple required it). You can change the digest if needed.

Brandon
  • I'm struggling I cannot load the private key. It is in pkcs10 format. So, the result is a NULL pointer. – Carlos Maria Caraccia Aug 01 '17 at 22:10
  • Thanks for your help @Brandon, but I cannot make things work. – Carlos Maria Caraccia Aug 01 '17 at 23:40
  • @CarlosMariaCaraccia; To read PKCS10 aka CSR (Certificate Signing Request), you can use: `X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x, pem_password_cb *cb, void *u)` or just convert the CSR to P12. – Brandon Aug 02 '17 at 00:52
  • I cannot make things work with this command. I obtain a partial result. I have posted another question, the flags are confusing me a lot. Do you know any book which I can read from? Or anyway I can make this work? @Brandon Thanks for your help. – Carlos Maria Caraccia Aug 16 '17 at 17:50
1

I'm a hobbyist developer who uses iOS/macOS utilities ...

Apple distributes an ancient version of OpenSSL. It's version 0.9.8. It's End-of-Life, and it's missing lots of goodies like TLS 1.2, Server Name Indication, most Elliptic Curve gear, etc.

Usually, you use Homebrew or Macports to install a newer version. For that, see:


I execute an openssl command in the macOS terminal: openssl smime...

smime is called a subcommand. OpenSSL has lots of them:

  • enc
  • dec
  • s_client
  • s_server
  • smime
  • etc

I would like to know the C functions associated with console commands, in particular the one above.

The source code for the subcommands is located in the `<openssl src>/apps` directory. For the smime command see `smime.c`.

jww
  • I'd been reading this file and cannot make things work. Thanks for your help @jww. – Carlos Maria Caraccia Aug 01 '17 at 23:38
  • @Carlos - I'm probably splitting hairs, but *"... I cannot make things work"* was never part of your question. In fact, you never stated what you tried or how things did not work. I cited your questions I answered. If you have another question, then you should ask a new question – jww Aug 01 '17 at 23:43
  • Thanks pal! Yeahh you're right I don't want to abuse. – Carlos Maria Caraccia Aug 01 '17 at 23:45
  • I don't mean to bother you, but if you don't mind telling me, where can I find the load_cert and load_key functions? – Carlos Maria Caraccia Aug 03 '17 at 10:28
  • @CarlosMariaCaraccia - `load_cert` is in `apps/apps.c`. Most of the common functions used in subcommands are in `apps.{h|c}`. `$ grep -IR 'load_cert(' | grep X509` is also your friend. – jww Aug 03 '17 at 10:33
  • As you asked I'd asked another question. I don't mean to bother you. @jww – Carlos Maria Caraccia Aug 17 '17 at 00:16