Replacing openssl with public_key

Hello Elixir community,

I’m currently working on an app that delivers Apple Wallet passes to its users. Basically I followed the official guidelines, and implemented most of the stuff directly in Elixir. However to correctly sign the passes, Apple states the following:

To create the signature file, make a PKCS #7 detached signature of the manifest file, using the private key associated with your signing certificate. Include the WWDR intermediate certificate as part of the signature. You can download this certificate from Apple’s website. Write the signature to the file signature at the top level of the pass package. Include the date and time that the pass was signed using the S/MIME signing-time attribute.

This sounds like alien language to me :sweat_smile:. Thankfully I also found these guidelines, which state the following command to properly sign the pass:

openssl smime -binary -sign -certfile WWDR.pem -signer passcertificate.pem -inkey passkey.pem -in manifest.json -out signature -outform DER -passin pass:12345

Everything works quite well, however is there a way to do the same without the openssl dependency? I found the :public_key application which is shipped with OTP, but as already mentioned, all the public key/certs stuff is very alien to me. Any ideas?


OpenSSL is used when compiling OTP, because it uses the functionality for a lot of its basic libraries (crypto, public_key, ssl). The only thing you need to take into consideration is the version of OTP; older versions might have less functionality, you can read more about it here.

From what I see here it is nothing out of the ordinary, you should be able to do this even with older versions of OTP. The only problem I see is the S/MIME encoder: Elixir/Erlang doesn't have a general library for dealing with MIME types, usually the libraries use their custom implementations.

If you need to get this working fast, I would just interface with openssl directly and use the command you provided; there are no downsides as long as you don't leak processes.

Here’s something I wrote once upon a time when someone was asking about producing a PKCS#7 signature: How can I generate PKCS7 file? - #2 by voltone

Your requirement may be slightly different. The best place to start would be decoding a signature produced by OpenSSL to Erlang records using :public_key, e.g. :public_key.der_decode(:ContentInfo, File.read!("signature"))
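The following module is an added example written for this thread; it is not code from either reply or from any Apple or OTP project. It combines the two suggestions above: it runs the openssl command from the question without a shell (arguments as a list, so nothing in a path can be interpreted by a shell), hands the key password to openssl through an environment variable with `-passin env:PASS_KEY_PW` rather than `-passin pass:...` so the secret does not appear in the process list, and then applies voltone's decode step with `:public_key.der_decode(:ContentInfo, ...)` to confirm the output really is a detached PKCS #7 SignedData. The certificate and key file names are taken from the question's command; the environment variable name `PASS_KEY_PW`, the module name and the option names are assumptions of this example. It handles both possible decodings of the inner `content` field (already-decoded record or opaque DER binary), since that depends on the OTP release.

```elixir
# Added example: not from the thread. Wraps the openssl smime command and checks
# the result with OTP's :public_key. Assumes openssl is on PATH and that
# WWDR.pem, passcertificate.pem and passkey.pem exist (names from the question).
defmodule PassSigner do
  require Record

  # PKCS #7 record definitions shipped with OTP's :public_key application.
  Record.defrecord(
    :content_info,
    :ContentInfo,
    Record.extract(:ContentInfo, from_lib: "public_key/include/public_key.hrl")
  )

  Record.defrecord(
    :signed_data,
    :SignedData,
    Record.extract(:SignedData, from_lib: "public_key/include/public_key.hrl")
  )

  # OID id-signedData (1.2.840.113549.1.7.2)
  @id_signed_data {1, 2, 840, 113_549, 1, 7, 2}

  # Name of the environment variable openssl reads the key password from
  # (assumed name, chosen for this example).
  @pw_env "PASS_KEY_PW"

  @doc """
  Write the detached PKCS #7 signature of `manifest_path` to `out_path`.

  The password is passed via `-passin env:...`, so it is not visible in `ps`.
  Arguments are given as a list, so no shell interprets the paths.
  Returns `{:ok, out_path}` or `{:error, {exit_status, openssl_output}}`.
  """
  def sign_manifest(manifest_path, out_path, password, opts \\ []) do
    wwdr = Keyword.get(opts, :wwdr, "WWDR.pem")
    cert = Keyword.get(opts, :cert, "passcertificate.pem")
    key = Keyword.get(opts, :key, "passkey.pem")

    args = [
      "smime", "-binary", "-sign",
      "-certfile", wwdr, "-signer", cert, "-inkey", key,
      "-in", manifest_path, "-out", out_path,
      "-outform", "DER", "-passin", "env:" <> @pw_env
    ]

    case System.cmd("openssl", args, env: [{@pw_env, password}], stderr_to_stdout: true) do
      {_output, 0} -> {:ok, out_path}
      {output, status} -> {:error, {status, output}}
    end
  end

  @doc """
  Decode a DER signature with :public_key and return true only if it is a
  PKCS #7 SignedData whose inner content is absent, i.e. a detached signature
  (the manifest itself is not embedded in the signature file).
  """
  def detached_signed_data?(signature_der) when is_binary(signature_der) do
    case :public_key.der_decode(:ContentInfo, signature_der) do
      content_info(contentType: @id_signed_data, content: content) ->
        # Depending on the OTP release the open type is either already a
        # SignedData record or the raw DER of it; handle both.
        sd =
          case content do
            der when is_binary(der) -> :public_key.der_decode(:SignedData, der)
            record when is_tuple(record) -> record
          end

        inner = signed_data(sd, :contentInfo)
        content_info(inner, :content) == :asn1_NOVALUE

      _other ->
        false
    end
  rescue
    # Anything that is not valid DER for a ContentInfo is simply "not a signature".
    _ -> false
  end

  @doc "Sign the manifest and verify the produced file is a detached SignedData."
  def sign_and_check(manifest_path, out_path, password, opts \\ []) do
    with {:ok, path} <- sign_manifest(manifest_path, out_path, password, opts),
         true <- detached_signed_data?(File.read!(path)) do
      {:ok, path}
    else
      false -> {:error, :not_a_detached_signed_data}
      {:error, _} = err -> err
    end
  end
end

# Usage (paths assumed): PassSigner.sign_and_check("manifest.json", "signature", "12345")
```

`System.cmd/3` waits for openssl to exit and collects its output, so no port is left behind, which addresses the "don't leak processes" caveat from the first reply. The decode check is deliberately shallow: it confirms the structure Apple asks for (SignedData, detached content) but does not verify the signature value or the certificate chain, which is a separate step.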