How to see what attributes are signed inside pkcs#7?

前端 未结 1 768
伪装坚强ぢ
伪装坚强ぢ 2021-02-06 13:21

I have a pkcs#7 file, which contains signed data. It successfully verifies:

$ openssl smime -verify -in data.p7s -CAfile root-certificate.pem 
Verification succe         


        
1条回答
  •  梦如初夏
    2021-02-06 13:22

    OK, you don't provide a full sample, but I'll try to navigate you nevertheless, with a different sample.

    OpenSSL asn1parse does not help much identifying the authenticated attributes. You can use OpenSSL cms:

    openssl cms -in data.p7s -noout -cmsout -print
    

    Look for signedAttrs ("signed attributes" is how the "authenticated attributes" are now called, in CMS terminology)

    It will look like this:

        ...
        signerInfos:
            ...
            signedAttrs:
                object: contentType (1.2.840.113549.1.9.3)
                value.set:
                  OBJECT:pkcs7-data (1.2.840.113549.1.7.1)    
                object: signingTime (1.2.840.113549.1.9.5)
                ...
    

    Now go back to asn1parse output, and find the corresponding part, which may look like:

     ...
     1343:d=5  hl=3 l= 216 cons:      cont [ 0 ]
     1346:d=6  hl=2 l=  24 cons:       SEQUENCE
     1348:d=7  hl=2 l=   9 prim:        OBJECT            :contentType
     1359:d=7  hl=2 l=  11 cons:        SET
     1361:d=8  hl=2 l=   9 prim:         OBJECT            :pkcs7-data
     1372:d=6  hl=2 l=  28 cons:       SEQUENCE
     1374:d=7  hl=2 l=   9 prim:        OBJECT            :signingTime
     ...
    

    (for this nice indentation, add -i option)

    Now, extract (dd ...) the data, including the DER context tag header, i.e. offset 1343, length 219, in this case. Then replace the 0xa0 byte at the beginning by 0x31. Why you have to do it, is described in DER encoding - How to convert implicit tag to explicit tag, or RFC5652, section 5.4

    The sha1 hash of this data should now match.

    0 讨论(0)
提交回复
热议问题