Sign with OpenSSL Dgst Command

To sign and verify with OpenSSL Dgst, find the PKCS#11 token and sign with a certificate.

Prerequisites

OpenSSL configured on your Signum Linux Agent or macOS Agent.

Locate PKCS#11 Token

Before signing, find the PKCS#11 token to use.

From OpenSSL 3.0.8, using a specific PKCS#11 URL is the required method for signing, rather than relying solely on a certificate thumbprint.

  1. Run the following command to list the tokens:

    p11tool --list-tokens --provider /usr/lib/libsignumpkcs11.so
    Token 0:
    	URL: pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Signum%20for%20Linux%00
    	Label: Signum for Linux
    	Type: Hardware token
    	Flags: uPIN uninitialized
    	Manufacturer: Keyfactor
    	Model: Linux
    	Serial: 1
    	Module:

The command returns a URL for the token.

  2. Put the PKCS#11 URL into the variable pkcs11Token:

    • Linux URL:

      pkcs11Token="pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Signum%20for%20Linux%00"

    • macOS URL:

      pkcs11Token="pkcs11:model=MacOS;manufacturer=Keyfactor;serial=1;token=Signum%20for%20MacOS%00"

Signing with a Certificate

  1. List the certificates using the signum-util tool:

    signum-util lc
    Subject CN     : Signum-RSA-3072
        Issuer CN      : DemoRoot-G2
        Valid Until    : 2029-04-23
        Valid From     : 2024-04-24
        Thumbprint     : 170570A1D56FBB5A4CC780B69ACAEF94010D5DAA
    Subject CN     : Signum-RSA-4096
        Issuer CN      : DemoRoot-G2
        Valid Until    : 2029-04-23
        Valid From     : 2024-04-24
        Thumbprint     : 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD
    Subject CN     : Signum-RSA-2048
        Issuer CN      : DemoRoot-G2
        Valid Until    : 2030-02-05
        Valid From     : 2025-02-06
        Thumbprint     : F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B

  2. Create a test file to sign:

    echo "Some Data to Sign" >> test.txt

  3. Sign the file using the following command with the $pkcs11Token variable:

    openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "$pkcs11Token" test.txt > signature.bin
    Engine "pkcs11" set.

  4. Verify the signature using the following command with the $pkcs11Token variable:

    openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "$pkcs11Token" -signature signature.bin < test.txt
    Engine "pkcs11" set.
    Verified OK


Signing with a Specific Certificate

If you want to select a specific certificate, use the private key URL that p11tool reports for that certificate's key pair.

  1. Use the following command to list the objects on the token, including the private key:

    p11tool --login --list-all "$pkcs11Token"

  2. In the output, find the URLs of the objects with Type: Private key (used for signing) and Type: Public key (used for verifying the signature).

  3. Put the private and public key URLs into the variables privateKeyURL and publicKeyURL. The following shows examples of both variables:

    privateKeyURL="pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Signum%20for%20Linux%00;id=%33%2D%B3%5F%9C%6A%34%D7%80%4D%47%20%8B%E8%BC%0F%02%30%77%A8;object=332DB35F9C6A34D7804D47208BE8BC0F023077A8%20-%20Private%20key;type=private"

    publicKeyURL="pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Signum%20for%20Linux%00;id=%90%89%CD%BB%49%4A%35%57%69%E3%6D%45%97%C6%6A%88%43%B1%62%EB;object=9089CDBB494A355769E36D4597C66A8843B162EB%20-%20Public%20key;type=public"

  4. Sign the .txt file using the private key. Run the following command, with $privateKeyURL as the private key URL:

    openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "$privateKeyURL" test.txt > signature.bin

  5. Verify the signature using the public key. Run the following command, with $publicKeyURL as the public key URL:

    openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "$publicKeyURL" -signature signature.bin < test.txt
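As an added example (not Signum's own code or documentation), the following POSIX shell wrapper turns the sign and verify steps above into reusable functions and adds the negative check a practitioner wants: a file modified after signing must fail verification. It assumes the openssl CLI is on PATH and, for the token case, the pkcs11 engine setup described on this page; the constructed PEM key pair is only for trying the flow without a token.

```shell
#!/bin/sh
# Added example, not part of the Signum documentation or tooling.
# Wraps the page's "openssl dgst" sign/verify commands so that the same
# functions accept either a PKCS#11 URI (routed through the pkcs11 engine,
# as on this page) or a PEM key file, and adds the check the page omits:
# a tampered file must fail to verify.
set -e

# Engine options are needed only when the key reference is a PKCS#11 URI.
key_args() {
    case "$1" in
        pkcs11:*) printf '%s' "-engine pkcs11 -keyform engine" ;;
        *)        printf '%s' "" ;;
    esac
}

# sign_file KEY FILE SIG: SHA-256 signature of FILE written to SIG (page step 3).
sign_file() {
    # $(key_args) is intentionally unquoted so it expands to separate options.
    openssl dgst $(key_args "$1") -sha256 -sign "$1" "$2" > "$3"
}

# verify_file PUBKEY FILE SIG: exit status is openssl's, non-zero when the
# signature does not match FILE (page step 4).
verify_file() {
    openssl dgst $(key_args "$1") -sha256 -verify "$1" -signature "$3" "$2"
}

# make_software_key DIR: constructed RSA key pair for trying the flow without
# a token; with Signum, pass the pkcs11 URIs to roundtrip_check instead.
make_software_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/key.pem" 2>/dev/null
    openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem"
}

# roundtrip_check KEY PUBKEY: sign a constructed file, verify it, then change
# one byte and confirm verification now fails. Returns 0 only if both hold.
roundtrip_check() {
    dir=$(mktemp -d)
    printf 'Some Data to Sign\n' > "$dir/test.txt"       # constructed input
    sign_file "$1" "$dir/test.txt" "$dir/signature.bin"
    verify_file "$2" "$dir/test.txt" "$dir/signature.bin" || return 1
    printf 'Some Data to Sigm\n' > "$dir/test.txt"       # tampered content
    if verify_file "$2" "$dir/test.txt" "$dir/signature.bin" 2>/dev/null; then
        return 1                                         # must not verify
    fi
    rm -rf "$dir"
}
```

With a Signum token, call roundtrip_check "$privateKeyURL" "$publicKeyURL" (or "$pkcs11Token" for both) after sourcing the file; the engine banner and "Verified OK" lines appear exactly as in the steps above.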