Error validating CMS signature

Submitted by 不问归期 on 2021-01-28 09:21:03

Question


For the past 2 weeks I've been banging my head against a wall trying to create and validate CMS signatures in Swift 4 using OpenSSL. My code is ultimately destined to be run on Linux, so I can't use the macOS Security framework. I believe I have finally gotten CMS signature creation working properly. My code for that looks like this:

let testBundle = Bundle(for: type(of: self))

guard let textUrl = testBundle.url(forResource: "test_message", withExtension: "txt"),
    let signingKeyUrl = testBundle.url(forResource: "signing_key", withExtension: "pem"),
    let signingCertUrl = testBundle.url(forResource: "signing_cert", withExtension: "pem") else {
        exit(1)
}

let certFileObject = signingCertUrl.path.withCString { filePtr in
    return fopen(filePtr, "rb")
}
defer {
    fclose(certFileObject)
}

let keyFileObject = signingKeyUrl.path.withCString { filePtr in
    return fopen(filePtr, "rb")
}
defer {
    fclose(keyFileObject)
}

guard let key = PEM_read_PrivateKey(keyFileObject, nil, nil, nil),
    let cert = PEM_read_X509(certFileObject, nil, nil, nil) else {
        exit(1)
}

OpenSSL_add_all_ciphers()
OpenSSL_add_all_digests()
OPENSSL_add_all_algorithms_conf()

guard let textData = FileManager.default.contents(atPath: textUrl.path) else {
    exit(1)
}

guard let textBIO = BIO_new(BIO_s_mem()) else {
    print("Unable to create textBIO")
    exit(1)
}

_ = textData.withUnsafeBytes({dataBytes in
    BIO_write(textBIO, dataBytes, Int32(textData.count))
})

guard let cms = CMS_sign(cert, key, nil, textBIO, UInt32(CMS_BINARY)) else {
    exit(1)
}

When I debug this code, I see that the cms object is being set after the CMS_sign call, so I believe that the signature was generated properly. Right after this, I'm trying to validate the signature I just created. That code looks like this:

// Trust store containing only the signing certificate itself
let store = X509_STORE_new()
X509_STORE_add_cert(store, cert)

// The signed content is embedded (no CMS_DETACHED), so no detached-content BIO is passed
let outBIO = BIO_new(BIO_s_mem())
let result = CMS_verify(cms, nil, store, nil, outBIO, 0)
print("result : \(result)")

if result != 1 {
    // ERR_get_error() returns a packed unsigned long; "%lX" matches that width
    let errorCode: UInt = ERR_get_error()
    print("ERROR : \(String(format: "%lX", errorCode))")
}

When I run this code, however, result == 0, indicating an error. The error code that OpenSSL is returning is 0x2E099064. I ran this command:

openssl errstr 0x2E099064

Which gave me this info about the error:

error:2E099064:CMS routines:func(153):reason(100)

After a bit more digging, I think that the error corresponds to PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH. I got that from the pkcs7.h file here. I'm not 100% sure that this is the correct error message, however.

My question is, why is my signature validation failing? I'm using the exact same certificate to validate the signature. All of this code is inline, so nothing is getting lost anywhere. Can any of you give me an idea where things are going wrong?
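As an added example that is not part of the question, the following decodes a packed OpenSSL error code such as 0x2E099064 into its library, function and reason fields, so that the reason number can be looked up in the right header. It assumes the OpenSSL 1.0.x/1.1.x packing (the 3.x layout is handled as well); the single CMS reason name in the table is taken from cms.h and is marked to be confirmed against the linked build.

```python
# Added example (not from the question). Splits a packed OpenSSL error code,
# such as the 0x2E099064 returned by ERR_get_error() above, into its fields.
#
# OpenSSL 1.0.x / 1.1.x: ERR_PACK(lib, func, reason)
#     = (lib & 0xFF) << 24 | (func & 0xFFF) << 12 | (reason & 0xFFF)
# OpenSSL 3.x dropped the function field:
#     = (lib & 0xFF) << 23 | (reason & 0x7FFFFF), bit 31 set for errno values
from typing import Optional

ERR_LIB_SYS = 2
ERR_LIB_PKCS7 = 33   # 0x21: the library whose table holds PKCS7_R_* numbers
ERR_LIB_CMS = 46     # 0x2E: "CMS routines", the library in the code above

LIB_NAMES = {ERR_LIB_SYS: "system library", ERR_LIB_PKCS7: "PKCS7 routines",
             ERR_LIB_CMS: "CMS routines"}

# Reason numbers are per-library tables: a reason only means something together
# with its lib field. The entry below is from cms.h of OpenSSL 1.0.2/1.1.x;
# confirm it against the header of the build that is actually linked.
CMS_REASON_NAMES = {100: "CMS_R_CERTIFICATE_VERIFY_ERROR"}


def decode_error(code: int, openssl_major: int = 1) -> dict:
    """Return {'lib', 'func', 'reason'}; 'func' is None for OpenSSL 3.x."""
    if openssl_major >= 3:
        if code & 0x80000000:            # ERR_SYSTEM_FLAG: reason is an errno
            return {"lib": ERR_LIB_SYS, "func": None, "reason": code & 0x7FFFFFFF}
        return {"lib": (code >> 23) & 0xFF, "func": None, "reason": code & 0x7FFFFF}
    return {"lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF}


def describe(code: int, openssl_major: int = 1) -> str:
    """Render in the 'error:XXXXXXXX:lib:func:reason' shape that openssl errstr uses."""
    f = decode_error(code, openssl_major)
    lib = LIB_NAMES.get(f["lib"], f"lib({f['lib']})")
    func = "-" if f["func"] is None else f"func({f['func']})"
    reason: Optional[str] = None
    if f["lib"] == ERR_LIB_CMS:
        reason = CMS_REASON_NAMES.get(f["reason"])
    if reason is None:
        reason = f"reason({f['reason']})"
    return f"error:{code:08X}:{lib}:{func}:{reason}"


if __name__ == "__main__":
    # The code from the question, decoded with the OpenSSL 1.x layout
    print(describe(0x2E099064))
```

Because the lib field is 0x2E, the reason 100 indexes the CMS table, so it has to be looked up in cms.h rather than pkcs7.h.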

Source: https://stackoverflow.com/questions/49889256/error-validating-cms-signature
