使用OpenSSL或PHP验证SAP Content Server的签名消息

时间:2014-11-25 09:54:46

标签: php openssl sap

我遇到类似failed to verify a dsawithSha1 signed message against a DSA public key in python/m2crypto中描述的问题。可悲的是,提问者找到了OpenSSL的解决方案,但并没有分享他的知识。

我希望在PHP中实现已签名邮件的验证,或者 - 使用OpenSSL实现后备 -

我有以下证书,最初以PKCS#7的形式提供,我将其转换为PEM格式的X.509(以下PHP中的$ pubKey):

-----BEGIN CERTIFICATE-----
MIIC+zCCArsCByAUBAcGQhAwCQYHKoZIzjgEAzBkMQswCQYDVQQGEwJERTEcMBoG
A1UEChMTU0FQIFRydXN0IENvbW11bml0eTETMBEGA1UECxMKU0FQIFdlYiBBUzEU
MBIGA1UECxMLSTAwMjAxODQ4OTAxDDAKBgNVBAMTA1NFMjAeFw0xNDA0MDcwNjQy
MTBaFw0zODAxMDEwMDAwMDFaMGQxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAg
VHJ1c3QgQ29tbXVuaXR5MRMwEQYDVQQLEwpTQVAgV2ViIEFTMRQwEgYDVQQLEwtJ
MDAyMDE4NDg5MDEMMAoGA1UEAxMDU0UyMIIBtzCCASsGByqGSM44BAEwggEeAoGB
AP/jA7UNBUG5dqASOkGZ0+JLiKqwhHIEqKarqiuCGvho3Fwc8OzWxVr3cyGomHdw
q0UkwvMROGhGsg0DOvJc0u7wY4BKmR1gUkOwg6DzX0JZbZ/hMWW/wzixiC+LtoGD
p3DVvCzLbZ9ujaI4NhkhCaw/OPjli7Q0TbPPNxT15wmdAhUApZDvRmv7txM8IowT
JCJa0igBuw8CgYBqPNctSVdgszu2BJf9rYdafUUN6BP7jCY4JxGPgPqYkEdDsLAs
RdPfLohhjHUD8z6F0XBLvQBuwo+0ShAa3KZ8wEOYUAZ2IyJmoE7OBmW3uIcZ/s7g
jwftGABsfx2uJ8s2mbV6Mak++dw8Yn0WvsTWBD9NaI4cwn3Kw92GSNpQvgOBhQAC
gYEAisABEC7nuf3Stibic8RySBMbmg3CYLvX2N2MgQZcSC8dZ6WI6n39vtKDOT7k
ckS0ogDNFpWvfMZTjv2ZzyJkpcUbKI3K/yjWl5NeGRGuAM7wMZbpkPTe4eNWaW4k
exJWjWCSFz3W11XKgq7xDKzkTeb2oV+IfehxoTdTrJ1ZA2kwCQYHKoZIzjgEAwMv
ADAsAhQWUSemKo/Wa2y0asoNraOFlIE1DwIUGGM/Ll1zejSh5qzQVOrr1MzJRWI=
-----END CERTIFICATE-----

和签名的消息:

MIIBUgYJKoZIhvcNAQcCoIIBQzCCAT8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGCAR4wggEaAgEBMG8wZDELMAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVzdCBDb21tdW5pdHkxEzARBgNVBAsTClNBUCBXZWIgQVMxFDASBgNVBAsTC0kwMDIwMTg0ODkwMQwwCgYDVQQDEwNTRTICByAUBAcGQhAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE0MTEyNDA4MTYxM1owIwYJKoZIhvcNAQkEMRYEFCId8O7H%2Bwd1LCNg6ZiNNU6TZtJqMAkGByqGSM44BAMELzAtAhR6ELQT%2B8ueklNmizCrSjvG8vVTAwIVAJCi5juWEEBJeH2GUH4KtA8sRrIK

通过urldecode和base64_decode转换为二进制格式,它以DER格式存储在名为seckey.der的文件中(下面的PHP中的$ secKeyDer)

使用OpenSSL,我可以查看ASN.1结构的内容:

openssl asn1parse -in seckey.der -inform der

导致:

    0:d=0  hl=4 l= 338 cons: SEQUENCE
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l= 323 cons: cont [ 0 ]
   19:d=2  hl=4 l= 319 cons: SEQUENCE
   23:d=3  hl=2 l=   1 prim: INTEGER           :01
   26:d=3  hl=2 l=  11 cons: SET
   28:d=4  hl=2 l=   9 cons: SEQUENCE
   30:d=5  hl=2 l=   5 prim: OBJECT            :sha1
   37:d=5  hl=2 l=   0 prim: NULL
   39:d=3  hl=2 l=  11 cons: SEQUENCE
   41:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   52:d=3  hl=4 l= 286 cons: SET
   56:d=4  hl=4 l= 282 cons: SEQUENCE
   60:d=5  hl=2 l=   1 prim: INTEGER           :01
   63:d=5  hl=2 l= 111 cons: SEQUENCE
   65:d=6  hl=2 l= 100 cons: SEQUENCE
   67:d=7  hl=2 l=  11 cons: SET
   69:d=8  hl=2 l=   9 cons: SEQUENCE
   71:d=9  hl=2 l=   3 prim: OBJECT            :countryName
   76:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :DE
   80:d=7  hl=2 l=  28 cons: SET
   82:d=8  hl=2 l=  26 cons: SEQUENCE
   84:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
   89:d=9  hl=2 l=  19 prim: PRINTABLESTRING   :SAP Trust Community
  110:d=7  hl=2 l=  19 cons: SET
  112:d=8  hl=2 l=  17 cons: SEQUENCE
  114:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  119:d=9  hl=2 l=  10 prim: PRINTABLESTRING   :SAP Web AS
  131:d=7  hl=2 l=  20 cons: SET
  133:d=8  hl=2 l=  18 cons: SEQUENCE
  135:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  140:d=9  hl=2 l=  11 prim: PRINTABLESTRING   :I0020184890
  153:d=7  hl=2 l=  12 cons: SET
  155:d=8  hl=2 l=  10 cons: SEQUENCE
  157:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  162:d=9  hl=2 l=   3 prim: PRINTABLESTRING   :SE2
  167:d=6  hl=2 l=   7 prim: INTEGER           :20140407064210
  176:d=5  hl=2 l=   9 cons: SEQUENCE
  178:d=6  hl=2 l=   5 prim: OBJECT            :sha1
  185:d=6  hl=2 l=   0 prim: NULL
  187:d=5  hl=2 l=  93 cons: cont [ 0 ]
  189:d=6  hl=2 l=  24 cons: SEQUENCE
  191:d=7  hl=2 l=   9 prim: OBJECT            :contentType
  202:d=7  hl=2 l=  11 cons: SET
  204:d=8  hl=2 l=   9 prim: OBJECT            :pkcs7-data
  215:d=6  hl=2 l=  28 cons: SEQUENCE
  217:d=7  hl=2 l=   9 prim: OBJECT            :signingTime
  228:d=7  hl=2 l=  15 cons: SET
  230:d=8  hl=2 l=  13 prim: UTCTIME           :141124081613Z
  245:d=6  hl=2 l=  35 cons: SEQUENCE
  247:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest
  258:d=7  hl=2 l=  22 cons: SET
  260:d=8  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:221DF0EEC7FB07752C2360E9988D354E9366D26A
  282:d=5  hl=2 l=   9 cons: SEQUENCE
  284:d=6  hl=2 l=   7 prim: OBJECT            :dsaWithSHA1
  293:d=5  hl=2 l=  47 prim: OCTET STRING      [HEX DUMP]:302D02147A10B413FBCB9E9253668B30AB4A3BC6F2F5530302150090A2E63B96104049787D86507E0AB40F2C46B20A

在那里,我看到消息摘要,它是原始消息的sha1哈希值。原始消息是(以下PHP中的$ message):

W1005056A57D331ED49CF644B265BC8C33datarcudcCN%3DSE2,OU%3DI0020184890,OU%3DSAPWebAS,O%3DSAPTrustCommunity,C%3DDE20141124101613

此消息的sha1值为:

221df0eec7fb07752c2360e9988d354e9366d26a

与ASN.1结构中的消息摘要相同。 dsaWithSHA1有第二个哈希值。我不知道,如何使用这种算法生成哈希值。

当我尝试通过PHP验证它时:

openssl_verify($message, $secKeyDer, $pubKey, 'sha1');

我收到错误:

error:0906D06C:PEM routines:PEM_read_bio:no start line
error:0606C06E:digital envelope routines:EVP_VerifyFinal:wrong public key type

这让我感到恼火,因为$ pubKey的值是PEM格式,如函数手册中所述。

我现在的问题是:如何使用给定参数(原始邮件,签名邮件(seckey.der),公钥)验证PHP中的邮件。或者使用本机OpenSSL命令。

此致 克里斯。

1 个答案:

答案 0 :(得分:0)

现在我找到了OpenSSL的答案:

openssl cms -verify -in seckey.der -inform der -content message.txt -noverify -certfile certificate.cer

其中seckey.der是DER格式的签名,message.txt是原始消息,certificate.cer是PEM格式的公钥。