vico

Reputation: 18251

Convert signature (and other data) from DER to PEM

I have a signature in DER format. How do I convert it into PEM?

I know the command that converts a certificate from DER to PEM format:

openssl x509 -inform der -in certificatename.der -out certificatename.pem

But I suppose it is not applicable to signatures and other data?

Upvotes: 1

Views: 591

Answers (1)

Maarten Bodewes

Reputation: 94118

Signatures do not exist in a vacuum; generally they are part of a protocol. If you want to have, e.g., functionality such as signed (and/or encrypted) email, then you'd use a higher-level protocol such as PKCS#7, specifying the Cryptographic Message Syntax or CMS.

CMS supports both encryption (enveloped data) and signatures, including detached signatures (where the signature is in CMS format, but the message needs to be supplied separately). The advantage of CMS is that it defines both the signature algorithm (something missing from raw signatures) as well as one or more certificates that contain the public key that can be used to verify the signatures (in combination with a trusted certificate stored at the verifier, of course).


Otherwise, if you just need a textual representation of a signature then you can simply base64 encode it.

There is, as far as I know, no PEM header specification for signatures. Of course, if you have access to a generic PEM library that performs encoding for any header, then you are free to, say, specify one for your specific signature format. However, as nobody uses these, it doesn't make all that much sense.

The most common PEM encodings have been specified in RFC 7468. Note that these have been specified to formalize existing practices; the use of these predates the RFC.

Upvotes: 0
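
The generic PEM-style wrapping with a self-chosen header that the answer above mentions, as an added example that is not part of the original answer. The label EXAMPLE SIGNATURE is hypothetical (RFC 7468 defines no label for bare signatures) and the DER bytes are a constructed sample, not a real signature.

```python
import base64

# Hypothetical label: RFC 7468 defines no label for bare signatures, so
# only tools that agree on this label will accept the output.
LABEL = "EXAMPLE SIGNATURE"

# Constructed sample: a DER SEQUENCE of two small INTEGERs, shaped like an
# ECDSA (r, s) signature. It is not a signature over any real message.
SAMPLE_DER = bytes.fromhex("3006020101020102")


def der_to_text(der: bytes, label: str = LABEL) -> str:
    """Wrap arbitrary DER bytes in an RFC 7468-style textual encoding."""
    if not der:
        raise ValueError("nothing to encode")
    b64 = base64.b64encode(der).decode("ascii")
    # Base64 body is wrapped at 64 characters per line.
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines = [f"-----BEGIN {label}-----", *body, f"-----END {label}-----"]
    return "\n".join(lines) + "\n"


def text_to_der(text: str, expected_label: str = LABEL) -> bytes:
    """Recover the DER bytes, insisting on the label the caller expects."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    begin = f"-----BEGIN {expected_label}-----"
    end = f"-----END {expected_label}-----"
    # The label is the only type information this format carries, so a
    # missing or different label is treated as an error, not skipped.
    if len(lines) < 3 or lines[0] != begin or lines[-1] != end:
        raise ValueError("missing or mismatched encapsulation boundaries")
    # validate=True rejects characters outside the base64 alphabet
    # instead of silently discarding them.
    return base64.b64decode("".join(lines[1:-1]), validate=True)


if __name__ == "__main__":
    wrapped = der_to_text(SAMPLE_DER)
    print(wrapped, end="")
    print(text_to_der(wrapped).hex())
```

The wrapper carries no signature algorithm or signer certificate; the verifier still has to learn those out of band, which is what CMS provides.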
