Question

以下代码

body = "This is the message body"
pkcs7 = OpenSSL::PKCS7.sign @certificate, @pkey, body
pkcs7.detached = true
smime_signed = OpenSSL::PKCS7.write_smime pkcs7, body

将生成

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F1B5E0635C071F76431AEFB127A7DF88"

This is an S/MIME signed message

------F1B5E0635C071F76431AEFB127A7DF88
This is the message body
------F1B5E0635C071F76431AEFB127A7DF88
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIHSgYJKoZIhvcNAQcCoIIHOzCCBzcCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggRqMIIEZjCCA06gAwIBAgIQQNnrBxVw4uQUu6QaUH9huTANBgkq
[omitted]

是否可以为miicalg设置自定义摘要，例如OpenSSL::Digest::SHA1.new？如果可以，怎么办？

我尝试了以下操作：

pkcs7 = OpenSSL::PKCS7.new
pkcs7.type = :signed
signer = OpenSSL::PKCS7::Signer.new(@certificate, @pkey, OpenSSL::Digest::SHA1.new)
pkcs7.add_data body
pkcs7.add_certificate(@certificate)
pkcs7.add_signer signer
pkcs7.detached = true
smime_signed = OpenSSL::PKCS7.write_smime pkcs7, body

这将生成

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----0986A4FB87D37510B8051AB492BBF7A2"

This is an S/MIME signed message

------0986A4FB87D37510B8051AB492BBF7A2
This is the message body
------0986A4FB87D37510B8051AB492BBF7A2
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIFcwYJKoZIhvcNAQcCoIIFZDCCBWACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3
DQEHAaCCBGowggRmMIIDTqADAgECAhBA2esHFXDi5BS7pBpQf2G5MA0GCSqGSIb3
[omitted]

这似乎可以工作并更改micalg，但是区别是pkcs7#data now returns #<OpenSSL::PKCS7:0x007fbe866d9420 @data=nil>

因此，是否可以对OpenSSL::PKCS7.sign使用不同的摘要？如果不是，则等于

body = "This is the message body"
pkcs7 = OpenSSL::PKCS7.sign @certificate, @pkey, body
pkcs7.detached = true
smime_signed = OpenSSL::PKCS7.write_smime pkcs7, body

在openssl中？

Answer 1

我不知道是否可以使用Ruby绑定指定摘要算法，但是等效的OpenSSL命令是：

openssl smime -sign -in body.txt -out out.txt -signer cert.pem -inkey key.pem -md sha1

您可以使用以下方法验证摘要签名：

openssl smime -verify -in out.txt -noverify

创建SMIME消息时，如何在使用OpenSSL :: PKCS7.sign签名期间使用SHA1摘要

1 个答案: