I am using openssl to sign files using a security token. The command that I use is:
OpenSSL> smime -md sha256 -nodetach -binary -outform DER -sign -signer my.pem -inkey id_XXXXXXXX -keyform engine -in test.txt -out test.p7m -engine pkcs11
and it works. The application that I use to verify the signature says that the signature is good, but that the id-aa-signingCertificateV2 attribute is missing. I tried to google, and I discovered that this attribute is mandated by the CAdES (CMS Advanced Electronic Signatures) specs.
My questions are:
- Is this attribute supported by openssl?
- If yes, how should I change the command?
- If not, what can I use to do it instead of openssl?
After trying to ask on openssl-users and getting no answer, I found the answer on my own.
openssl currently lacks this feature, but it is possible to implement it. I sent a patch to openssl-dev, which implements it for smime. I hope to get feedback and have the patch merged in the future.
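An added example, not code from the original post or from the patch it mentions: the DER layout of the id-aa-signingCertificateV2 signed attribute (RFC 5035) with the default SHA-256 hash and the optional issuerSerial omitted, plus a byte-level heuristic for checking whether a signature file carries the attribute's OID. The function names and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib

# id-aa-signingCertificateV2 (RFC 5035): 1.2.840.113549.1.9.16.2.47
OID_SIGNING_CERT_V2 = (1, 2, 840, 113549, 1, 9, 16, 2, 47)

def der_len(n):
    """DER definite-length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(arcs):
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def signing_certificate_v2_attribute(cert_der):
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF SigningCertificateV2 }.

    The attribute must be placed in signedAttrs before the signature is
    computed, because the signature covers the signed attributes.
    """
    cert_hash = tlv(0x04, hashlib.sha256(cert_der).digest())
    ess_cert_id = tlv(0x30, cert_hash)   # hashAlgorithm omitted: DEFAULT is SHA-256
    certs = tlv(0x30, ess_cert_id)       # SEQUENCE OF ESSCertIDv2
    value = tlv(0x30, certs)             # SigningCertificateV2 (no policies)
    return tlv(0x30, encode_oid(OID_SIGNING_CERT_V2) + tlv(0x31, value))

def has_signing_certificate_v2(cms_der):
    """Heuristic: looks for the encoded OID anywhere in the file. It does not
    parse the CMS structure, so signed content containing the same bytes
    would also match."""
    return encode_oid(OID_SIGNING_CERT_V2) in cms_der

# Constructed stand-in for the signer certificate's DER bytes (assumption).
SAMPLE_CERT_DER = b"constructed stand-in for a DER certificate"

if __name__ == "__main__":
    print(signing_certificate_v2_attribute(SAMPLE_CERT_DER).hex())
```

Running `has_signing_certificate_v2` over the bytes of a file such as test.p7m gives a quick indication of whether the signer included the attribute at all.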