How can I generate PKCS7 file?

Hello,
I have a PEM certificate issued for my CSR: my-cert.crt, my private key: private key
I can create a PKCS7 file with that command

openssl smime -sign \
          -nodetach \
          -in test.txt \
          -out signed_data \
          -outform PEM \
          -signer my-cert.crt \
          -inkey private key

My question is: how can I create the same in elixir?

I can sign the file in openssl like that:

openssl dgst -sha256 -sign $privatekey -out /tmp/$filename.sha256 $filename
openssl base64 -in /tmp/$filename.sha256 -out signature.sha256

and verify the signature in elixir:

{:ok, signature} = File.read!("signature.sha256") |> Base.decode64(ignore: :whitespace)
pub = File.read!("my-cert.crt") |>  X509.Certificate.from_pem! |> X509.Certificate.public_key 
data = File.read!("test.txt")
:public_key.verify(data, :sha256, signature, pub)
true

But I need to create PKCS7 file.

I’m not good at cryptography and maybe lacking some base knowledge ¯_(ツ)_/¯. Sorry for maybe dump question.
Thank you for your help!

Well… OTP’s :public_key does include the ASN.1 definitions for PKCS#7, but it does not offer any higher-level API for working with those data structures.

Here’s a little something I put together that will generate output similar to your OpenSSL example:

defmodule PKCS7 do
  require Record

  Record.defrecord(:content_info, :ContentInfo, Record.extract(:ContentInfo, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:signed_data, :SignedData, Record.extract(:SignedData, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:signer_info, :SignerInfo, Record.extract(:SignerInfo, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:issuer_and_serial_number, :IssuerAndSerialNumber, Record.extract(:IssuerAndSerialNumber, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:attribute_pkcs7, :"AttributePKCS-7", Record.extract(:"AttributePKCS-7", from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:digest_algorithm_identifier, :DigestAlgorithmIdentifier, Record.extract(:DigestAlgorithmIdentifier, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:digest_encryption_algorithm_identifier, :DigestEncryptionAlgorithmIdentifier, Record.extract(:DigestEncryptionAlgorithmIdentifier, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))

  @idData {1, 2, 840, 113549, 1, 7, 1}
  @idSignedData {1, 2, 840, 113549, 1, 7, 2}

  @idContentType {1, 2, 840, 113549, 1, 9, 3}
  @idMessageDigest {1, 2, 840, 113549, 1, 9, 4}
  @idSigningTime {1, 2, 840, 113549, 1, 9, 5}

  @idSha1 {1, 3, 14, 3, 2, 26}
  @idRsaEncryption {1, 2, 840, 113549, 1, 1, 1}

  def sign(input, cert, key) do
    attributes = {:aaSet, [
      attribute_pkcs7(type: @idContentType, values: [@idData]),
      attribute_pkcs7(type: @idSigningTime, values: [X509.DateTime.new()]),
      attribute_pkcs7(type: @idMessageDigest, values: [:crypto.hash(:sha, input)])
    ]}

    signature = :public_key.sign(aa_tbs(attributes), :sha, key)

    content_info(
      contentType: @idSignedData,
      content: signed_data(
        version: :sdVer1,
        digestAlgorithms: {:daSet, [alg_sha1()]},
        contentInfo: {:ContentInfo, @idData, input},
        certificates: {:certSet, [certificate: cert]},
        # crls: asn1_NOVALUE,
        signerInfos: {:siSet,
          [
            signer_info(
              version: :siVer1,
              issuerAndSerialNumber: issuer_and_serial_number(
                issuer: X509.Certificate.issuer(cert),
                serialNumber: X509.Certificate.serial(cert)
              ),
              digestAlgorithm: alg_sha1(),
              authenticatedAttributes: attributes,
              digestEncryptionAlgorithm: alg_rsa(),
              encryptedDigest: signature
              # unauthenticatedAttributes: :asn1_NOVALUE
            )
          ]
        }
      )
    )
  end

  # rfc2630#section-5.4:
  # A separate encoding of the
  # signedAttributes field is performed for message digest calculation.
  # The IMPLICIT [0] tag in the signedAttributes field is not used for
  # the DER encoding, rather an EXPLICIT SET OF tag is used.  That is,
  # the DER encoding of the SET OF tag, rather than of the IMPLICIT [0]
  # tag, is to be included in the message digest calculation along with
  # the length and content octets of the SignedAttributes value.
  defp aa_tbs(aa) do
    <<0xA0, value :: binary>> = :public_key.der_encode(:SignerInfoAuthenticatedAttributes, aa)
    <<0x31, value :: binary>>
  end

  defp alg_sha1 do
    digest_algorithm_identifier(algorithm: @idSha1, parameters: {:asn1_OPENTYPE, <<5, 0>>})
  end

  defp alg_rsa do
    digest_encryption_algorithm_identifier(algorithm: @idRsaEncryption, parameters: {:asn1_OPENTYPE, <<5, 0>>})
  end
end

At this point it only supports RSA and SHA-1. The certificate needs to be passed in as a Certificate record, rather than an OTPCertificate record. So if you use X509.Certificate.from_pem to read it, make sure to pass :Certificate as the second argument.

You can convert the output to DER format using :public_key.der_encode(:ContentInfo, ci), or to PEM format with :public_key.pem_entry_encode(:ContentInfo, ci) |> List.wrap() |> :public_key.pem_encode().

7 Likes

Many thanks @voltone! You’re a lifesaver!
Yeah, I thought that there is no straightforward implementation and you just proofed it.

I also need an smime encryption, and it seems I need to do a kind a same manipulations to construct encrypted PKCS#7 file. Could you please point me a source I can refer, to construct such file?

Here is openssl command I use:

openssl smime -encrypt \
            -inform PEM \
            -in signed_data \
            -outform PEM \
            -out ENCRYPTED_DATA certificate.crt

I also understand that my ask could be too much for you. Anyways, many thanks for your help! :pray:

P.S. Maybe it worth to be included into your X509 library? I’m just asking :slight_smile:

Encryption is a bit harder. You’d need to import and populate the :EnvelopedData record and its sub-records.

That would require support for additional algorithms (ECDSA and SHA256 in particular), and also for verification and decryption. Those latter operations would be harder to implement, since they’d have to handle all possible variants of record values and algorithms that other implementations might use. If and when someone wants to implement full PKCS7/SMIME support, that would probably belong in a separate package.

Yep, makes total sense to me!
Thank you for your help!

As for encryption, this seems to work…

defmodule PKCS7 do
  require Record

  Record.defrecord(:content_info, :ContentInfo, Record.extract(:ContentInfo, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:signed_data, :SignedData, Record.extract(:SignedData, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:enveloped_data, :EnvelopedData, Record.extract(:EnvelopedData, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:signer_info, :SignerInfo, Record.extract(:SignerInfo, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:recipient_info, :RecipientInfo, Record.extract(:RecipientInfo, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:encrypted_content_info, :EncryptedContentInfo, Record.extract(:EncryptedContentInfo, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:issuer_and_serial_number, :IssuerAndSerialNumber, Record.extract(:IssuerAndSerialNumber, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:attribute_pkcs7, :"AttributePKCS-7", Record.extract(:"AttributePKCS-7", from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:digest_algorithm_identifier, :DigestAlgorithmIdentifier, Record.extract(:DigestAlgorithmIdentifier, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:digest_encryption_algorithm_identifier, :DigestEncryptionAlgorithmIdentifier, Record.extract(:DigestEncryptionAlgorithmIdentifier, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))
  Record.defrecord(:content_encryption_algorithm_identifier, :ContentEncryptionAlgorithmIdentifier, Record.extract(:ContentEncryptionAlgorithmIdentifier, from_lib: "public_key/include/OTP-PUB-KEY.hrl"))

  @idData {1, 2, 840, 113549, 1, 7, 1}
  @idSignedData {1, 2, 840, 113549, 1, 7, 2}
  @idEnvelopedData {1, 2, 840, 113549, 1, 7, 3}

  @idContentType {1, 2, 840, 113549, 1, 9, 3}
  @idMessageDigest {1, 2, 840, 113549, 1, 9, 4}
  @idSigningTime {1, 2, 840, 113549, 1, 9, 5}

  @idSha1 {1, 3, 14, 3, 2, 26}
  @idRsaEncryption {1, 2, 840, 113549, 1, 1, 1}
  @idAes256Cbc {2, 16, 840, 1, 101, 3, 4, 1, 42}

  def sign(input, cert, key) do
    attributes = {:aaSet, [
      attribute_pkcs7(type: @idContentType, values: [@idData]),
      attribute_pkcs7(type: @idSigningTime, values: [X509.DateTime.new()]),
      attribute_pkcs7(type: @idMessageDigest, values: [:crypto.hash(:sha, input)])
    ]}

    signature = :public_key.sign(aa_tbs(attributes), :sha, key)

    content_info(
      contentType: @idSignedData,
      content: signed_data(
        version: :sdVer1,
        digestAlgorithms: {:daSet, [alg_sha1()]},
        contentInfo: {:ContentInfo, @idData, input},
        certificates: {:certSet, [certificate: cert]},
        # crls: asn1_NOVALUE,
        signerInfos: {:siSet,
          [
            signer_info(
              version: :siVer1,
              issuerAndSerialNumber: issuer_and_serial_number(
                issuer: X509.Certificate.issuer(cert),
                serialNumber: X509.Certificate.serial(cert)
              ),
              digestAlgorithm: alg_sha1(),
              authenticatedAttributes: attributes,
              digestEncryptionAlgorithm: alg_rsa(),
              encryptedDigest: signature
              # unauthenticatedAttributes: :asn1_NOVALUE
            )
          ]
        }
      )
    )
  end

  def encrypt(input, cert) do
    key = :crypto.strong_rand_bytes(32)
    iv = :crypto.strong_rand_bytes(16)

    padded_input = with_padding(input)
    ciphertext = :crypto.crypto_one_time(:aes_256_cbc, key, iv, padded_input, true)

    recipient_public_key = X509.Certificate.public_key(cert)
    encrypted_key = :public_key.encrypt_public(key, recipient_public_key)

    content_info(
      contentType: @idEnvelopedData,
      content: enveloped_data(
        version: :edVer0,
        recipientInfos: {:riSet,
          [
            recipient_info(
              version: :riVer0,
              issuerAndSerialNumber: issuer_and_serial_number(
                issuer: X509.Certificate.issuer(cert),
                serialNumber: X509.Certificate.serial(cert)
              ),
              keyEncryptionAlgorithm: alg_rsa(),
              encryptedKey: encrypted_key
            )
          ]},
        encryptedContentInfo: encrypted_content_info(
          contentType: @idData,
          contentEncryptionAlgorithm: alg_aes256cbc(iv),
          encryptedContent: ciphertext
        )
      )
    )
  end

  # rfc2630#section-5.4:
  # A separate encoding of the
  # signedAttributes field is performed for message digest calculation.
  # The IMPLICIT [0] tag in the signedAttributes field is not used for
  # the DER encoding, rather an EXPLICIT SET OF tag is used.  That is,
  # the DER encoding of the SET OF tag, rather than of the IMPLICIT [0]
  # tag, is to be included in the message digest calculation along with
  # the length and content octets of the SignedAttributes value.
  defp aa_tbs(aa) do
    <<0xA0, value :: binary>> = :public_key.der_encode(:SignerInfoAuthenticatedAttributes, aa)
    <<0x31, value :: binary>>
  end

  defp with_padding(input) do
    case rem(byte_size(input), 16) do
      0 ->
        input

      n ->
        pad_len = 16 - n
        input <> String.duplicate(<<pad_len>>, pad_len)
    end
  end

  defp alg_sha1 do
    digest_algorithm_identifier(algorithm: @idSha1, parameters: {:asn1_OPENTYPE, <<5, 0>>})
  end

  defp alg_rsa do
    digest_encryption_algorithm_identifier(algorithm: @idRsaEncryption, parameters: {:asn1_OPENTYPE, <<5, 0>>})
  end

  defp alg_aes256cbc(iv) do
    content_encryption_algorithm_identifier(algorithm: @idAes256Cbc, parameters: {:asn1_OPENTYPE, <<4, 16, iv :: binary>>})
  end
end
2 Likes

@voltone, you’re my hero! Thank you so much!

1 Like

Hi, I’m trying to implement a Signature wrapped in PKCS7, I’ve followed you example converting it to erlang but for the type of signature I want to use it’s necessary to add SigningCertificateV2 to the authenticatedAttributes.
Unforunately it doesn’t behave like the 3 you added as it requires to use an asn1_OPENTYPE to encode it.

IdSigningCertificateV2 = {1, 2, 840, 113549, 1, 9, 16, 2, 47},
TbsCert = Certificate#'Certificate'.tbsCertificate,

IssuerAndSerialNumber = #'IssuerAndSerialNumber'{
                           issuer=TbsCert#'TBSCertificate'.issuer,
                           serialNumber=TbsCert#'TBSCertificate'.serialNumber
                          },
Attributes = {aaSet, [
                      #'AttributePKCS-7'{type = IdContentType,
                                         values= [IdData]},
                      #'AttributePKCS-7'{type = IdMessageDigest,
                                         values = [ crypto:hash(sha256, Message)]},
                      #'AttributePKCS-7'{type = IdSigningCertificateV2,
                                         values = [CertHash]}
                     ]},

So far i’ve implemented it like this, but I’m not able complete the encode as the der_encode function return an error.
Do you have any suggestion on how this could be done? As I haven’t found any examples or documentation for this.

Hi @mtodescato if you are trying to convert it TO erlang you may have more success on the erlang forums.

No the point is not converting it to erlang, is actually making it work. I can accept a response in elixir and i will convert it myself, in fact i used this post to understand how to make it in erlang. The point is that this post seems the only point you can find an example to work on regardless of the language you are trying to use.

An ASN.1 OPENTYPE value is represented in Erlang as {asn1_OPENTYPE, DER}, where DER is the binary DER encoded value of the object that needs to be embedded.

If you have a complete encoded signature (or you can produce one with e.g. OpenSSL) you can have public_key decode it and you’ll see the Erlang record structure you’d have the pass in to the encoder.

Ok I was missing the part of the content of the asn1_OPENTYPE of being already a der encoded object.
Since the SigningCertificateV2 is not defined in public_key I need to create the .asn1 files and use those to encode it to der, seems reasonable.
Thank you for your help.