Archived Forum Post

Question:

PKCS7 Add Multiple Signers, Resign

Oct 22 '17 at 21:22

Hi! I'm working on a system for managing documents in a timeline process, and the requirement is to upload a file, verify the content and digitally sign the document.

This process is carried out by several users at different times.

We are thinking of using your CkCrypt2 library for its simplicity in making PKCS7 "opaque" signatures. We have had success with one signature, but we don't know how to do the "resign" process or add more signers.

Thanks for all :D


Answer

Unfortunately, I don't think this can be done with Chilkat. You can create PKCS7 signatures with multiple signers, but once you have an opaque signature, Chilkat doesn't have the capability to add another signer to it.

When you think of it... a PKCS7 opaque signature with multiple signers is effectively just an archive containing the original data that was signed, along with each of the signatures. Theoretically, if you create a detached signature for each signer, you could package up the original data and each detached signature in a zip, and for all intents and purposes it's the same thing (right?). To add a signature is to just create a new detached signature and add it to the .zip.


Answer

You are right, perspective is the answer. In the end, PKCS7 is a compressed format of data. The "opaque" or "detached" format type is mentioned in RFC 3852, but in the end it depends on the requirements or purpose of the task.

After that, if I want to add a new signer to the PKCS7, I can use openssl cms "-resign" for that purpose :o because it's a standard. But... what happens if someone signs a document and it was an error?

Maybe if I choose to use a "detached" signature, I have the possibility of removing it from my system.

Thanks for All.


Answer

I don't know if I have to open a new post.

But I have some questions about these tools.

How can I extract the signingTime from a "pkcs7"? Do we have some method like pkcs7ExtractDigest?

This is for the same purpose, the timeline process.

Thanks again :D
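
The `openssl cms -resign` route mentioned in the second answer, together with a way to see the per-signer signingTime attribute asked about in the last post, as an added example that is not part of the original thread and does not use Chilkat. Signer names, file names and the throwaway self-signed certificates are constructed for the demo; it assumes the `openssl` command-line tool is installed.

```bash
#!/bin/sh
# Added example: put two signers on one opaque CMS/PKCS#7 file at different times.
# alice/bob, doc.txt and the 1-day self-signed certs are constructed test data.

make_signer() {  # $1 = name; writes $1.key and self-signed $1.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Prints the number of signingTime attributes found (one per signer).
cms_demo() {
  demo_dir=$(mktemp -d) || return 1
  (
    cd "$demo_dir" || exit 1
    make_signer alice || exit 1
    make_signer bob || exit 1
    printf 'contract v1\n' > doc.txt

    # Step 1: first user creates an opaque signature (content embedded).
    openssl cms -sign -binary -nodetach -in doc.txt \
      -signer alice.crt -inkey alice.key -outform DER -out one.p7m || exit 1

    # Step 2: later, a second user adds a SignerInfo to the existing file.
    openssl cms -resign -inform DER -in one.p7m \
      -signer bob.crt -inkey bob.key -outform DER -out two.p7m || exit 1

    # Step 3: verification fails unless every signer's signature checks out
    # and each certificate chains to the trust file.
    cat alice.crt bob.crt > trust.pem
    openssl cms -verify -binary -inform DER -in two.p7m \
      -CAfile trust.pem -out recovered.txt 2>/dev/null || exit 1
    cmp -s doc.txt recovered.txt || exit 1

    # Step 4: dump the structure; each signer carries its own signingTime.
    openssl cms -cmsout -print -noout -inform DER -in two.p7m \
      | grep -c 'signingTime'
  )
  demo_rc=$?
  rm -rf "$demo_dir"
  return $demo_rc
}

count=$(cms_demo) && echo "signingTime attributes found: $count"
```

The signingTime value is written by the signer's own machine and is covered only by that signer's signature, so a timeline that needs an independent time source has to get it from somewhere else, such as the server's upload record.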