Creates a CMS object of type SignedData from an input data file.
Public Declare Function CMS_MakeSigData Lib "diCrPKI.dll" (ByVal strFileOut As String, ByVal strFileIn As String, ByVal strCertList As String, ByVal strPrivateKey As String, ByVal nOptions As Long) As Long
nRet = CMS_MakeSigData(strFileOut, strFileIn, strCertList, strPrivateKey, nOptions) As Long
long __stdcall CMS_MakeSigData(const char *szFileOut, const char *szFileIn, const char *szCertList, const char *szPrivateKey, long nOptions);
sha1WithRSAEncryption) (default - CAUTION)
sha256WithRSAEncryption) [minimum recommended]
md5WithRSAEncryption) [legacy, not recommended for new implementations]
Ed25519 [New in v20.0]
Ed448 [New in v22.0]
If the PKI_CMS_INCLUDE_ATTRS option flag is included, optionally add any of the following:
If successful, the return value is zero;
otherwise it returns a nonzero error code. Further error information may be available by calling
Cms.MakeSigData Method ( String, String, String, String, Cms.SigAlg, Cms.SigDataOptions)
Cms.MakeSigData Method ( String, String, String, String, HashAlgorithm, Cms.SigDataOptions)
static int dipki::Cms::MakeSigData (const std::string &outputFile, const std::string &inputFile, const std::string &certList, const std::string &privateKey, SigAlg sigAlg=SigAlg::Default, SigDataOptions opts=SigDataOptions::Default_SigDataOpt, Format format=Format::Default, bool bigFile=false)
static Cms.make_sigdata(outputfile, inputfile, certlist, prikeystr, sigalg=SigAlg.DEFAULT, opts=SigDataOpts.DEFAULT, bigfile=False)
A SignedData CMS object with a single SignerInfo is created with the message data included by default in the eContent.
The signer's certificate must be included in the certificate list.
All certificates in the list will be included in the output by default.
Signed attributes are not included by default but can be added by using the
PKI_CMS_INCLUDE_ATTRS option flag (see below).
Unsigned attributes and attribute certificates are not supported.
The default signature algorithm is RSASSA-PKCS-v1_5 with SHA-1 (SHA-1 caution!).
The message digest algorithm always matches the digest algorithm used in the signature.
Only one SignerInfo can be included.
The CMSVersion is always 1 and the SignerInfo structure is always version 1.
The encapContentInfo eContentType is always
The signer's public key can only be referenced by using
for SignerIdentifier as required by S/MIME v3, so the signer's certificate is always required whether or not
the certificate itself is included in the final output.
It is an error (
NO_MATCH_ERROR) if the private key does not match any certificate in the certificate list.
[New in v12.2] A PKCS#7 certificate chain file (.p7c/.p7b) may be specified as an argument for szCertList. The signer's certificate can now exist anywhere in the certificate list (previously it had to be the first).
PKI_CMS_CERTS_ONLY: To create a PKCS#7 certificate chain
(a degenerate "certs-only" signed data object), include the option flag
The szCertList can contain references to any existing certificate files in any order, separated by semi-colons.
The szFileIn and szPrivateKey parameters are ignored and can be left empty.
See the second example below.
Signed attributes are not included by default. To add signed attributes use the
PKI_CMS_INCLUDE_ATTRS option flag.
This will add the content-type and message-digest attributes plus any other attributes specified using a
PKI_CMS_ADD_SIGNINGCERT: [New in v12.4] Include the PKI_CMS_ADD_SIGNINGCERT option to add an ESS Signing Certificate Attribute to the signed attributes. This is required for B-level compliance with CAdES-BES [CADES] and with ESS [RFC2634] and [RFC5035].
PKI_CMS_ADD_ALGPROTECT: [New in v12.4] Include the PKI_CMS_ADD_ALGPROTECT option to add an Algorithm Protection Attribute to the signed attributes. This is in accordance with [RFC6211]. If a CMS validator supports this attribute, then additional checks can be made against algorithm substitution attacks.
PKI_CMS_BIGFILE: Include the PKI_CMS_BIGFILE option to cope more efficiently with large files. This only works in binary-file-to-binary-file mode, and only for RSA signatures, but makes a significant difference in processing times. The option flags PKI_CMS_EXCLUDE_DATA, PKI_CMS_CERTS_ONLY, PKI_CMS_FORMAT_BASE64, and PKI_CMS_NO_OUTER are not permitted with this option.
PKI_PSS_SALTLEN_ZERO: [New in v12.0]
Include the PKI_PSS_SALTLEN_ZERO with an RSA-PSS scheme to set the salt length parameter to be zero. This results in a deterministic signature value.
The default salt length is otherwise always
hLen, the length of the output of the hash function.
There are no other salt length options available for this function. See RSA signature and encryption schemes.
If the PKI_CMS_ALT_ALGID option flag is present, an alternative
Signature Algorithm Identifier will be used as follows (RSAES-PKCS-v1_5 only):
|Message Digest Algorithm||Default Signature Algorithm Identifier||Alternative ID with|
|SHA-1 (default, ||rsaEncryption (1.2.840.113549.1.1.1)||sha1withRSAEncryption (1.2.840.113549.1.1.5)|
|MD5 (with ||rsaEncryption (1.2.840.113549.1.1.1)||md5withRSAEncryption (1.2.840.113549.1.1.4)|
|SHA-224 (with ||rsaEncryption (1.2.840.113549.1.1.1)||sha224withRSAEncryption (1.2.840.113549.1.1.14)|
|SHA-256 (with ||rsaEncryption (1.2.840.113549.1.1.1)||sha256withRSAEncryption (1.2.840.113549.1.1.11)|
|SHA-384 (with ||rsaEncryption (1.2.840.113549.1.1.1)||sha384withRSAEncryption (1.2.840.113549.1.1.12)|
|SHA-512 (with ||rsaEncryption (1.2.840.113549.1.1.1)||sha512withRSAEncryption (1.2.840.113549.1.1.13)|
The default is to use the
rsaEncryption identifier specified in Section 3.2 of [CMSALG].
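Because the default signature identifier is plain rsaEncryption, the hash in use is named only in the digestAlgorithm field, so a check keyed on the signature identifier alone will not notice a SHA-1 default. The following added example (not part of the toolkit or its documentation) walks a DER blob, decodes every OBJECT IDENTIFIER and reports MD5/SHA-1 based algorithm identifiers using the standard OIDs; the function names and the hex fragments are constructed for illustration, and it assumes definite-length encoding with single-byte tags.

```python
# Added example, not vendor code. Sample inputs are constructed by hand.
WEAK = {
    "1.3.14.3.2.26": "sha1",
    "1.2.840.113549.2.5": "md5",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)    # base-128, high bit = more follows
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)            # first sub-identifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def walk_oids(der: bytes):
    """Yield every OID in the blob, descending into constructed types only."""
    pos = 0
    while pos < len(der):
        if pos + 2 > len(der):
            raise ValueError("truncated header")
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length == 0x80:
            raise ValueError("indefinite-length BER is not handled here")
        if length & 0x80:                    # long form: next n bytes hold length
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        body = der[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated value")
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:                     # SEQUENCE, SET, [n] constructed
            yield from walk_oids(body)       # primitive eContent is never parsed
        pos += length

def weak_algorithms(der: bytes) -> list:
    """Names of MD5/SHA-1 based algorithm identifiers found anywhere in der."""
    return sorted({WEAK[o] for o in walk_oids(der) if o in WEAK})

# Constructed fragments: digestAlgorithm followed by signatureAlgorithm.
RSA_ENC = "300d06092a864886f70d0101010500"   # rsaEncryption, NULL parameters
DEFAULT_SHA1 = bytes.fromhex("301a" + "300906052b0e03021a0500" + RSA_ENC)
ALT_SHA1 = bytes.fromhex("301a300906052b0e03021a0500300d06092a864886f70d0101050500")
SHA256 = bytes.fromhex("301e" + "300d06096086480165030402010500" + RSA_ENC)
```

Run over a whole SignedData file, the walker also reports the signature algorithms of any certificates embedded in it, since it does not distinguish SignerInfo from the certificate set.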
PKI_CMS_PSEUDOSIG: [New in v20.2] Include the PKI_CMS_PSEUDOSIG option to create a "pseudo" SignedData object. The idea here is that we create an intermediate file which has the same structure as a CMS SignedData object except the signature is a dummy placeholder. We use the term "pseudo" file here to describe this intermediate file.
This pseudo file has the same digest value as the final signed object (as the digest is not calculated over the final signature). We send this digest value to a signing authority (say, Aruba), they sign it, and send back the actual signature value. This can be substituted in the intermediate pseudo file to produce the final SignedData object (.p7m file) using CMS_MakeSigDataFromSigValue with the PKI_CMS_PSEUDOSIG option. RSASSA-PKCS1V1_5 only.
Specialist Option: If the
PKI_CMS_NO_OUTER option flag is present, the output will be a "naked"
SignedData object without an
This is not permitted by the CMS standard [CMS]
but is allowed by PKCS#7 version 1.6 [PKCS7-EXT].
Some profiles (e.g. Royal Thai Customs) require this.
This example duplicates example 4.2 from [SMIME-EX]. It uses Alice's RSA private key to sign the message stored in the file excontent.txt (which contains the text "This is some sample content."). The output is a binary BER-encoded CMS signedData object which includes her certificate and the data but has no signed attributes. The output file should match the file 4.2.bin from [SMIME-EX].
Dim strPriFile As String
Dim strPrivateKey As String
Dim nIntKeyLen As Long
Dim nRet As Long
Dim strInputFile As String
Dim strOutputFile As String
Dim strCertFile As String

strPriFile = "AlicePrivRSASign.pri"
strCertFile = "AliceRSASignByCarl.cer"
strInputFile = "excontent.txt"
strOutputFile = "BasicSignByAlice.bin"

' First we need to read in the private key string
' NB: This version is not encrypted, so no password needed
nIntKeyLen = RSA_ReadAnyPrivateKey("", 0, strPriFile, "", 0)
Debug.Print "nIntKeyLen = " & nIntKeyLen
If nIntKeyLen <= 0 Then
    Debug.Print pkiGetLastError()
    MsgBox "Unable to retrieve private key"
    Exit Sub
End If
' Pre-dimension the string to receive data
strPrivateKey = String(nIntKeyLen, " ")
' Read in the Private Key
nRet = RSA_ReadAnyPrivateKey(strPrivateKey, nIntKeyLen, strPriFile, "", 0)
Debug.Print "Key size=" & RSA_KeyBits(strPrivateKey) & " bits"

' Now we can sign our message
nRet = CMS_MakeSigData(strOutputFile, strInputFile, strCertFile, strPrivateKey, 0)
Debug.Print "CMS_MakeSigData returns " & nRet
In this second example, we create a PKCS#7 certificate chain file containing Carl's and Alice's X.509 certificates.
Dim nRet As Long
Dim strOutputFile As String
Dim strCertList As String

' Make a list of certs separated by semi-colons (;)
strCertList = "CarlRSASelf.cer;" & "AliceRSASignByCarl.cer"
Debug.Print "CertList=" & strCertList
strOutputFile = "SigDataCertsOnly.p7c"

' Create a certs-only .p7c chain
nRet = CMS_MakeSigData(strOutputFile, "", strCertList, "", PKI_CMS_CERTS_ONLY)
Debug.Print "CMS_MakeSigData returns " & nRet
If nRet <> 0 Then Debug.Print pkiGetLastError()
CMS_MakeSigDataFromString CMS_MakeSigDataFromSigValue CMS_MakeDetachedSig