0

There are some file format (PDF, XML, ZIP) that natively support PKCS#11 signing from a certificate that's on a smartcard. For such formats, there are editors that themselves support signing and validating signs.

But I'm unable to find any solution that allows signing any kind of file, including formats that don't support it.

I'd think on something like MD5 validation, that uses a separated .md5 file with 1 hash for each file and can be used to verify if all files are present and if any file had been corrupted, but is unable to verify by itself if any new file was added to the root folder.

Hikari
  • 3,797
  • 12
  • 47
  • 77
  • smartcontract? Do you mean smart card? You should be able to do this with `openssl cms` command, using the engine options, but software recommendations are off-topic. Is that what you are looking for, or for a protocol/format in more abstract sense? – erickson Aug 25 '21 at 18:28
  • lol yes smartcard sorry! Is openssl able to interact with PKCS#11? – Hikari Aug 25 '21 at 19:18
  • Yes; I have never done it, but openssl tries to support that. There is additional software required, and probably a lot of fiddly OS-dependent details to work out. The pros are that CMS is a standard, so anyone could verify your file with their tool of choice, and they wouldn't require the thorny PKCS #11 setup just to verify. CMS is associated with S/MIME so e.g., many email clients support it. – erickson Aug 25 '21 at 19:55
  • **[Open]PGP** (format) although originally associated with email can actually sign and verify any data -- it is commonly used for Linux and much other FOSS distribution; and GnuPG (implementation) has builtin smartcard support. It does have a different trust model that (nowadays) more often requires reliers to make decisions about who to trust than the X.509/PKIX CA model does. Recent GnuPG also supports SMIME (`gpgsm` instead of `gpg` at commandline, GUIs may vary) with the same smartcard support. – dave_thompson_085 Aug 25 '21 at 20:59
  • I pointed to CMS first because smart cards are generally issued under enterprise or government PKIs with issuing authorities, rather than PGP's web-of-trust model. But, of course, just because the public key is wrapped in a certificate doesn't mean you have to use it. PGP tooling is probably better, but I don't think any of these tools will ever be comprehensible to "regular people." – erickson Aug 25 '21 at 21:17

1 Answers1

0

Hash or file content verification does not require PKCS#11 or Smartcard. This can be done in any language or using WebCrypto API in browser.

If you want to sign the hash, (and then verify signature - which again don't require Smartcard or PKCS#11), then you require PKCS#11 and smartcard (only for signing), but you should choose to use Cryptography methods (Language or framework API) provided by your framework which in turn uses CSP (Crypto Service Provider on Windows) to achieve the required cryptographic operation.

Anyhow, you require small knowledge of hash and cryptography to program your custom requirement. This is not programming but architecting question or asking suggestion for software tool.

Refer https://stackoverflow.com/a/63173083/9659885 for Javascript API for signing from modern browsers.

Bharat Vasant
  • 850
  • 3
  • 12
  • 46