验证CMS签名时出错

时间:2018-04-18 00:17:36

标签: swift openssl cryptography digital-signature pkcs#7

在过去的两周里,我一直在试图使用OpenSSL在Swift 4中创建和验证CMS签名。我的代码最终注定要在Linux上运行,所以我不能使用macOS安全框架。我相信我终于让CMS签名创建正常工作了。我的代码如下:

let testBundle = Bundle(for: type(of: self))

guard let textUrl = testBundle.url(forResource: "test_message", withExtension: "txt"),
    let signingKeyUrl = testBundle.url(forResource: "signing_key", withExtension: "pem"),
    let signingCertUrl = testBundle.url(forResource: "signing_cert", withExtension: "pem") else {
        exit(1)
}

let certFileObject = signingCertUrl.path.withCString { filePtr in
    return fopen(filePtr, "rb")
}
defer {
    fclose(certFileObject)
}

let keyFileObject = signingKeyUrl.path.withCString { filePtr in
    return fopen(filePtr, "rb")
}
defer {
    fclose(keyFileObject)
}

guard let key = PEM_read_PrivateKey(keyFileObject, nil, nil, nil),
    let cert = PEM_read_X509(certFileObject, nil, nil, nil) else {
        exit(1)
}

OpenSSL_add_all_ciphers()
OpenSSL_add_all_digests()
OPENSSL_add_all_algorithms_conf()

guard let textData = FileManager.default.contents(atPath: textUrl.path) else {
    exit(1)
}

guard let textBIO = BIO_new(BIO_s_mem()) else {
    print("Unable to create textBIO")
    exit(1)
}

_ = textData.withUnsafeBytes({dataBytes in
    BIO_write(textBIO, dataBytes, Int32(textData.count))
})

guard let cms = CMS_sign(cert, key, nil, textBIO, UInt32(CMS_BINARY)) else {
    exit(1)
}

当我调试此代码时,我发现在cms调用之后正在设置CMS_sign对象,所以我相信签名是正确生成的。在此之后,我正在尝试验证我刚刚创建的签名。该代码如下所示:

 let store = X509_STORE_new()
 X509_STORE_add_cert(store, cert)

 let outBIO = BIO_new(BIO_s_mem())
 let result = CMS_verify(cms, nil, store, nil, outBIO, 0)
 print("result : \(result)")

 if result != 1 {
     let errorCode: UInt = ERR_get_error()
     print("ERROR : \(String(format: "%2X", errorCode))")
 }

但是,当我运行此代码时,result == 0,表示错误。 OpenSSL返回的错误代码是0x2E099064。我运行了这个命令:

openssl errstr 0x2E099064

这给了我关于错误的信息:

  

错误:2E099064:CMS例程:func(153):reason(100)

经过一番挖掘,我认为该错误对应于PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH。我从pkcs7.h file here.我得到的不是100%,这是正确的错误信息。

我的问题是,为什么我的签名验证失败了?我使用完全相同的证书来验证签名。所有这些代码都是内联的,所以任何地方都没有丢失。你们中的任何人都可以告诉我哪里出了问题吗?

0 个答案:

没有答案