OpenSSL: PKCS7, verification fails, checksum of the payload in the PEM?


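I have a verification error in an SMIME message, and I tried to check manually whether there is an obvious relationship between the ASN1 of the PEM and the digest of the payload.

I tried the following:

Create a PEM of the SMIME message signature:

openssl cms -sign -in x.txt -md sha1 -signer cer.cer -inkey key.key -outform PEM > mypem

Take the SHA checksum of the payload:

sha1sum x.txt

Parse the PEM:

openssl asn1parse -in mypem

So, would I find the SHA checksum from sha1sum in the output of asn1parse?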

If you add -inform pem to your last openssl command, you will see more information:

 openssl asn1parse -inform pem -in mypem
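
Look at the end of the output, at the OCTET STRING. In my case I have a 2K RSA key, and this object is 512 bytes.

This hex dump is the encrypted part of the PKCS7 signature.

Convert this string to binary (I like xxd) and decode it with openssl again, provided that you also have the RSA key: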

$ echo <hex dump of the signature OCTET STRING> | xxd -r -ps -c512 | openssl rsautl -encrypt -inkey key.key -raw -hexdump
Enter pass phrase for key.key:
0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0070 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0080 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0090 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
00a0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
00b0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
00c0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
00d0 - ff ff ff ff ff ff ff ff-ff ff ff ff 00 30 21 30   .............0!0
00e0 - 09 06 05 2b 0e 03 02 1a-05 00 04 14 d2 b9 cb a5   ...+............
00f0 - 53 a5 e2 da d9 da 75 c5-bc ad a5 1b f6 2a eb 13   S.....u......*..

You will recognize the PKCS1 v1.5 padding.

Extract the last bytes and decode them with the openssl asn1 parser, and you finally get the desired hash:

$ echo 3021300906052b0e03021a05000414d2b9cba553a5e2dad9da75a5bcada51bf62aeb13 | xxd -r -ps | openssl asn1parse -inform der
  0:d=0  hl=2 l=  33 cons: SEQUENCE
  2:d=1  hl=2 l=   9 cons: SEQUENCE
  4:d=2  hl=2 l=   5 prim: OBJECT            :sha1
 11:d=2  hl=2 l=   0 prim: NULL
 13:d=1  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:D2B9CBA553A5E2DAD9DA75A5BCADA51BF62AEB13
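
The unpadding and DigestInfo decoding that the answer does with xxd and openssl asn1parse, written out as a strict parser. This is an added example, not part of the original answer: the function names are hypothetical, the sample block is constructed from the DigestInfo hex string above, and only short-form DER lengths and SHA-1/SHA-256 are handled.

```python
import hashlib

# DER OID content bytes -> (hashlib name, digest length)
HASH_OIDS = {
    bytes.fromhex("2b0e03021a"): ("sha1", 20),
    bytes.fromhex("608648016503040201"): ("sha256", 32),
}

def _tlv(buf, pos, tag):
    """Read one short-form DER TLV at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] >= 0x80:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos + 2:end], end

def parse_digest_info(der):
    """Decode DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }."""
    body, end = _tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after DigestInfo")
    alg, pos = _tlv(body, 0, 0x30)
    oid, p = _tlv(alg, 0, 0x06)
    if alg[p:] not in (b"", b"\x05\x00"):  # parameters absent or NULL
        raise ValueError("unexpected AlgorithmIdentifier parameters")
    digest, pos = _tlv(body, pos, 0x04)
    name, size = HASH_OIDS.get(oid, (None, 0))
    if pos != len(body) or name is None or len(digest) != size:
        raise ValueError("unknown hash OID, bad digest length or trailing bytes")
    return name, digest

def unpad_pkcs1_v15(block):
    """Strip the 00 01 FF..FF 00 prefix, rejecting any deviation."""
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x01" or sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("not a PKCS#1 v1.5 type 1 block with >= 8 bytes of FF")
    return block[sep + 1:]

def payload_matches(block, payload):
    """True when the digest inside the block equals the hash of payload."""
    name, digest = parse_digest_info(unpad_pkcs1_v15(block))
    return hashlib.new(name, payload).digest() == digest

# Constructed sample: DigestInfo bytes from the asn1parse command above,
# padded to 256 bytes (2048-bit modulus) like the hex dump in the answer.
DI = bytes.fromhex("3021300906052b0e03021a05000414d2b9cba553a5e2dad9da75a5bcada51bf62aeb13")
BLOCK = b"\x00\x01" + b"\xff" * (256 - 3 - len(DI)) + b"\x00" + DI
if __name__ == "__main__":
    print(parse_digest_info(unpad_pkcs1_v15(BLOCK)))
```

When the CMS SignerInfo carries signed attributes (the default for openssl cms -sign unless -noattr is given), the digest recovered from the signature covers the DER encoding of those attributes. The payload digest is then found in the messageDigest attribute instead.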