How to do this PKCS7 signing in node.js?

Question

So I'm porting a ruby library to node.js, and need to create a PKCS7 signature.

Here's what the ruby lib is doing:

p12_certificate = OpenSSL::PKCS12::new(File.read('some-path.c12'), self.certificate_password)
x509_certificate = OpenSSL::X509::Certificate.new(File.read('some-other-path.pem'))


flag = OpenSSL::PKCS7::BINARY|OpenSSL::PKCS7::DETACHED
signed = OpenSSL::PKCS7::sign(p12_certificate.certificate, p12_certificate.key, File.read('some-manifest'), [x509_certificate], flag)

How would I achieve the same thing in node? I assume it would be something like:

crypto.createCredentials({
  pfx : fs.readFileSync('some-cert.p12'),
  passphrase : this.certificate_password,
  cert : fs.readFileSync('some-path.pem','some-encoding'),
})

Questions:

• Is this the right way to do this?
• Do I need to specify a key, ca list, crl list, or ciphers list?
• what encoding should I use to read the cert?
• what is the node equivalent of line setting signed
• what is the node equivalent of signed.to_der

Answer 1

this code can help you. Is designed for PKCS7, but you can modify de openssl command line as you wish.

    var util = require('util');
var spawn = require('child_process').spawn;
var Promise = require('promise');

// Expose methods.
exports.sign = sign;

/**
 * Sign a file.
 *
 * @param {object} options Options
 * @param {stream.Readable} options.content Content stream
 * @param {string} options.key Key path
 * @param {string} options.cert Cert path
 * @param {string} [options.password] Key password
 * @param {function} [cb] Optional callback
 * @returns {object} result Result
 * @returns {string} result.pem Pem signature
 * @returns {string} result.der Der signature
 * @returns {string} result.stdout Strict stdout
 * @returns {string} result.stderr Strict stderr
 * @returns {ChildProcess} result.child Child process
 */

function sign(options, cb) {
    return new Promise(function (resolve, reject) {
        options = options || {};

        if (!options.content)
            throw new Error('Invalid content.');

        if (!options.key)
            throw new Error('Invalid key.');

        if (!options.cert)
            throw new Error('Invalid certificate.');

        var command = util.format(
            'openssl smime -sign -text -signer %s -inkey %s -outform DER -nodetach',
            options.cert,
            options.key
        );

        if (options.password)
            command += util.format(' -passin pass:%s', options.password);

        var args = command.split(' ');
        var child = spawn(args[0], args.splice(1));

        var der = [];

        child.stdout.on('data', function (chunk) {
            der.push(chunk);
        });

        child.on('close', function (code) {
            if (code !== 0)
                reject(new Error('Process failed.'));
            else
                resolve({
                    child: child,
                    der: Buffer.concat(der)
                });
        });

        options.content.pipe(child.stdin);
    })
        .nodeify(cb);
}

My file is called: signHelper. This is the code to call it:

signHelper.sign({
            content: s, 
            key: path.join(__dirname, '../certs/test/' + "keyfile.key")//,
            cert: path.join(__dirname, '../certs/test/' + "certfile.crt"),
            password: 'password'
        }).catch(function (err) {
            logger.error("Error signing: " + err.stack);
            callback(err);
        }).then(function (result) {
            logger.info("signTicket ++++++++++++");
            callback(null, result.der); //result.der is the signed certificate
        });

You only must understand how to do what you need with openssl. I hope it works for you.