-1

I am developing an app using Qt, and at some point, I was required to encrypt and "sign" a file provided a private certificate using SHA-256. I did a fair amount of reading on OpenSSL and certificates, but I am incapable of understanding how to conduct the process in C++ code.

In essence, I am attempting the equivalent of this command:

```sh
openssl dgst -sha256 -out output.txt -sign certificate.pem input.txt
```

I have explored the available Qt classes, namely the following:

The QSslCertificate class has a digest method, which seems relevant. Similarly, I can get the hashed content of the file using QCryptographicHash::hash. But nowhere can I find any mentions of "signing" the file with the certificate containing the RSA key.

I can't say I fully understand the signing process, but the terminology I've heard is "masking" the generated SHA256 hash using an RSA algorithm - which I assumed is achieved by the OpenSSL -sign argument.

If Qt was never meant to achieve that, what would be the easiest, or the typical, alternative? I expect I'll need to include another library? Or do I simply dive in to explore the OpenSSL libraries and attempt to include them in my project? https://www.openssl.org/docs/manmaster/man3/

Given how small this encryption process will be in my app, I'd appreciate an option that requires minimal integration and learning.

AAS.N

1 Answer

0

There appears to be a function RSA_sign which does exactly that, if you're into implementing it yourself with OpenSSL. You can manually take the SHA256 of your file (again, with OpenSSL), RSA_sign it, and use RSA_verify to check its validity.

See here...

Edit: Here is an example on how to extract private key data from a PEM certificate - that is of course in case your certificate is in PEM format. PEM basically includes a human-readable header, and following key data in base64 format. You can check if your certificate file begins with a -----BEGIN RSA PRIVATE KEY----- line.

corsel
  • 'RSA_sign() signs the message digest m of size m_len using the private key **rsa** as specified in PKCS #1 v2.0.' Is the private key rsa indicated the same string I see when I open the private certificate in a text editor? That is, do I simply read the string contents of the certificate and construct an "RSA" key object from it? – AAS.N May 30 '18 at 17:12
  • Fyi, A "certificate file" that begins with `-----BEGIN RSA PRIVATE KEY-----` is *not* a certificate file; it's exactly what the header claims: an RSA private key (PEM encoded, in case that wasn't obvious). Normally certificates with attached private keys are bandied about in PKCS12 stores. The example linked in this answer is for importing a PEM-encoded RSA private key; not a certificate. Odds are it is still relevant, as it is likely the OP actually has the private key somewhere, but still, may as well be accurate. – WhozCraig May 30 '18 at 17:33
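
The sign and verify steps discussed in this thread, as an added example that is not part of the original question, answer or comments: it runs the question's `openssl dgst -sha256 -sign` command end to end against a throwaway key and self-signed certificate, showing that `-sign` needs the private key while verification needs only the public key taken from the certificate. The file names, the subject name and the `sign_and_verify` function are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: the key, certificate and input file are throwaway values
# created in a temp directory; none of them come from the original post.

sign_and_verify() {
    work=$(mktemp -d) || return 2
    printf 'hello, signed world\n' > "$work/input.txt"

    # Private key plus a self-signed certificate. The certificate file holds
    # only the public key; the private key lives in key.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=signing-demo" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null || return 2

    # Sign: hash input.txt with SHA-256, then RSA-sign the digest.
    # -sign needs the PRIVATE key; the output is a binary signature.
    openssl dgst -sha256 -sign "$work/key.pem" \
        -out "$work/input.sig" "$work/input.txt" || return 2

    # Passing the certificate alone to -sign must fail: no private key in it.
    if openssl dgst -sha256 -sign "$work/cert.pem" \
        -out "$work/bad.sig" "$work/input.txt" 2>/dev/null
    then cert_only=0; else cert_only=1; fi

    # A verifier only needs the public key, extracted here from the certificate.
    openssl x509 -in "$work/cert.pem" -pubkey -noout > "$work/pub.pem" || return 2

    if openssl dgst -sha256 -verify "$work/pub.pem" \
        -signature "$work/input.sig" "$work/input.txt" >/dev/null 2>&1
    then good=0; else good=1; fi

    # Any change to the file invalidates the signature.
    printf 'x' >> "$work/input.txt"
    if openssl dgst -sha256 -verify "$work/pub.pem" \
        -signature "$work/input.sig" "$work/input.txt" >/dev/null 2>&1
    then tampered=0; else tampered=1; fi

    rm -rf "$work"
    # Success means: good signature accepted, tampered file rejected,
    # certificate-only signing refused.
    [ "$good" -eq 0 ] && [ "$tampered" -eq 1 ] && [ "$cert_only" -eq 1 ]
}

sign_and_verify && echo "sign/verify round trip behaved as expected"
```

In C or C++ the same steps correspond to loading the key with OpenSSL's `PEM_read_PrivateKey` and signing through the `EVP_DigestSign*` functions.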