I'm using Debian and I'm trying to join a file with a certificate.

I'm trying to do file.bin + cert.der => file.p7b. To do so, I've tried the openssl command:

```
openssl pkcs7 -in cert.der -in file.bin -out file.p7b
```

But it gives me an error:

```
unable to load PKCS7 object
27849:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: PKCS7
```

I've also tried:

```
openssl pkcs7 -inform der -in cert.der -in file.bin -out file.p7b
```

which gave me:

```
unable to load PKCS7 object
28160:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
28160:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=PKCS7
```
U880D
cgasp
  • Did you try adding `-inform DER` to tell `openssl` your input files are not in the `PEM` format expected by default? – kostix Apr 17 '13 at 16:11
  • I tried the command `openssl pkcs7 -inform der -in cert.der -in file.bin -out file.p7b`, as I wrote in the description. I also tested with `-inform DER`. Do you have any other suggestions? – cgasp Apr 18 '13 at 13:03
  • And what exactly is `file.bin` then? Are you sure it's something DER-encoded? – kostix Apr 18 '13 at 13:08
  • The end purpose of this is a firmware file. I have a modem and I need to upgrade it, but they only accept a p7b file. The manufacturer provided me the bin file and the certificate. He can provide me the p7b file, but I want to know how I can generate the p7b on my own. Regards – cgasp Apr 22 '13 at 13:38
  • OK, so it's more involved. I think the idea *might* be that you need to either sign or encrypt that firmware blob with the provided certificate (so that the modem could check the FW authenticity). If this is the case, you supposedly need not `openssl pkcs7` which just manipulates PKCS#7-formatted files but rather something like `openssl smime -in file.bin -binary -inkey cert.der -outform DER`. See [this](http://www.openssl.org/docs/apps/smime.html) for more info. Note that `openssl smime`'s output might be affected by a truckload of options. – kostix Apr 22 '13 at 18:26
  • Consider posting this comment as [your own answer](http://meta.stackexchange.com/q/17463) and accepting it -- this is not only allowed by the policy but is actually encouraged. – kostix Apr 24 '13 at 10:19
  • I did that. Thanks for your help and for pointing me the right way. ;) – cgasp Apr 24 '13 at 12:09

1 Answer

What I really want is to sign the firmware. After some research I found the solution, and I can't sign the firmware because I don't have the manufacturer's private key, and surely he won't give it to me. OK, I can sign with my own private key, but the firmware won't work because the public key in the modem doesn't match.

If I had the private key and wanted to sign, I would have to use the following command:

```
openssl smime -sign -in <unsigned_file.bin> -signer <sign_cert_file> -outform PEM -binary -inkey <sign_cert_pk_file> -out signed_file.p7b
```

Ref: https://www.openssl.org/docs/apps/smime.html

cgasp
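The answer's point, as an added example that is not part of the original post: a signature made with your own key does not verify against the vendor's certificate, and neither does a modified image. It reuses the answer's `openssl smime -sign` flags on constructed test keys and a constructed firmware file; the function names, file names, and the assumption that the device trusts only a pinned vendor certificate (modelled with `-CAfile`) are hypothetical.

```shell
#!/bin/sh
# Added example: every key, certificate and the "firmware" file is constructed test data.

make_signer() {  # $1 = output basename, $2 = subject CN; writes $1.key and $1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

sign_fw() {  # $1 = firmware file, $2 = signer basename, $3 = output .p7b
    # Same flags as the answer's command: detached PKCS#7 signature in PEM form.
    openssl smime -sign -in "$1" -signer "$2.crt" -outform PEM -binary \
        -inkey "$2.key" -out "$3" 2>/dev/null
}

verify_fw() {  # $1 = firmware file, $2 = .p7b, $3 = trusted certificate
    # Assumption: the verifier trusts only the certificate passed as -CAfile.
    if openssl smime -verify -binary -inform PEM -in "$2" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null; then
        echo OK
    else
        echo REJECTED
    fi
}

run_demo() {
    work=$(mktemp -d) || return 1
    make_signer "$work/vendor" "Constructed Vendor"
    make_signer "$work/mine" "Constructed Own Key"
    printf 'constructed firmware image\n' > "$work/fw.bin"

    sign_fw "$work/fw.bin" "$work/vendor" "$work/vendor.p7b"
    sign_fw "$work/fw.bin" "$work/mine" "$work/mine.p7b"

    # 1. Vendor signature checked against the vendor certificate.
    r1=$(verify_fw "$work/fw.bin" "$work/vendor.p7b" "$work/vendor.crt")
    # 2. Own-key signature checked against the vendor certificate.
    r2=$(verify_fw "$work/fw.bin" "$work/mine.p7b" "$work/vendor.crt")
    # 3. Vendor signature checked after the image has been modified.
    printf 'patched' >> "$work/fw.bin"
    r3=$(verify_fw "$work/fw.bin" "$work/vendor.p7b" "$work/vendor.crt")

    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

run_demo  # prints: OK REJECTED REJECTED
```

Because the answer's flags produce a detached signature, verification needs the original image supplied with `-content`.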