OpenSSL verification does not work when the source message has unix line endings

Posted 2025-01-10 18:50:44

I am building a system that receives AS2 messages from an external Partner.
I am able to successfully decrypt and verify the signature of the message. However, I am unable to verify the signature when our partner sends us files with unix line endings:

Verification failure
140390438954304:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:../crypto/cms/cms_sd.c:847:
140390438954304:error:2E09D06D:CMS routines:CMS_verify:content verify error:../crypto/cms/cms_smime.c:393:

Any other source files that had dos line endings before signing and encryption can be verified on my side.

Verify command:

openssl cms -verify -noverify -nointern -in message_dos_signed.txt -out verified.txt -certfile mb24arcesb.cer 

I have uploaded the sample files with unix and dos line endings, there we can see that the sample file message_unix_signed.txt has unix line endings in the message part but dos line endings in the signature part because the source message had unix endings.

https://www.mediafire.com/folder/8svkcvq86elgg/Testfiles

There is no obvious reason why this could be happening. Our partner is using arcesb for AS2 communication. If he sends both files to another arcesb instance, both can be decrypted and verified. He used the same test cert and test key. With our real cert files, it's the same behaviour. So maybe I am missing something on my verification step?

UPDATE

I am able to reproduce the issue locally. With these commands, it works with any line ending.

openssl cms -sign -in msg/RAW.edi -out msg/1_SIGNED.edi -inkey ../certs/mb24arcesb.pem -signer ../certs/mb24arcesb.cer 
openssl cms -encrypt -in msg/1_SIGNED.edi -out msg/2_ENCRYPTED.edi ../certs/mb24arcesb.cer 
openssl cms -decrypt -in msg/2_ENCRYPTED.edi -recip ../certs/mb24arcesb.cer -inkey ../certs/mb24arcesb.pem -out msg/3_DECRYPTED.edi 
openssl cms -verify -nointern -noverify -in msg/3_DECRYPTED.edi -out msg/4_EDIFACT.edi -certfile ../certs/mb24arcesb.cer

But when I sign the file with the -binary option, the verification will only work if the source file has dos line endings. So I guess our partner's software is signing it with the -binary option. How can I verify it this way? "verify -binary" does not work.

Comments (2)

放赐 2025-01-17 18:50:44

Try using the -binary option to the openssl cms command. From the man page:

https://www.openssl.org/docs/man3.0/man1/openssl-cms.html

       -binary
           Normally the input message is converted to "canonical" format which
           is effectively using CR and LF as end of line: as required by the
           S/MIME specification. When this option is present no translation
           occurs. This is useful when handling binary data which may not be
           in MIME format.
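
As an added illustration (not code from the question or the answers), the following Python models the digest computed on each side of this exchange: the signer hashes either the raw bytes (-binary) or the CRLF-canonicalized text the man page describes, and the verifier recomputes the digest under its own mode, so a unix-line-ending file signed in binary mode only agrees with a verifier that also skips canonicalization. The EDIFACT-like sample message, SHA-256 as the digest, and the treatment of a lone CR are assumptions; no real CMS structure is built.

```python
import hashlib
import re

# Assumed canonicalization rule: every line ends in CRLF, as the man page says
# for the non-binary mode. How a lone CR is treated is an assumption of this model.
def canonicalize(data: bytes) -> bytes:
    """Return the S/MIME canonical form of text content."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", data)

def content_digest(data: bytes, binary: bool) -> str:
    """Digest the signer commits to: raw bytes with -binary, canonical text
    otherwise. SHA-256 is assumed (openssl's default for cms -sign)."""
    payload = data if binary else canonicalize(data)
    return hashlib.sha256(payload).hexdigest()

def verify_digest(data: bytes, signed_digest: str, binary: bool) -> bool:
    """Verifier side: recompute the digest under its own mode and compare."""
    return content_digest(data, binary) == signed_digest

def scenario(msg: bytes, sign_binary: bool, verify_binary: bool) -> bool:
    """Sign under one mode, verify under another; True means the digests agree."""
    return verify_digest(msg, content_digest(msg, sign_binary), verify_binary)

def line_ending_report(data: bytes) -> dict:
    """Count line-ending styles; CRLF and bare LF mixed in one message is the
    symptom the question describes (LF in the body, CRLF in the CMS part)."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf,
            "lf": data.count(b"\n") - crlf,
            "cr": data.count(b"\r") - crlf}

# Constructed sample: a small EDIFACT-like message, unix and dos variants.
UNIX_MSG = (b"UNB+UNOC:3+SENDER+RECEIVER+250110:1850+1'\n"
            b"UNH+1+ORDERS:D:96A:UN'\nUNT+2+1'\nUNZ+1+1'\n")
DOS_MSG = UNIX_MSG.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    print("unix, signed -binary, verified without -binary:",
          scenario(UNIX_MSG, True, False))   # False: the reported failure
    print("dos,  signed -binary, verified without -binary:",
          scenario(DOS_MSG, True, False))    # True: canonical form == raw bytes
    print("unix, signed -binary, verified -binary:",
          scenario(UNIX_MSG, True, True))    # True when the verifier honours -binary
    print("line endings in unix sample:", line_ending_report(UNIX_MSG))
```

If `openssl cms -verify -binary` still fails on a message for which this model agrees, the digest mode is not the remaining problem, which is consistent with the version-specific bug cited in the other answer.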

贵在坚持 2025-01-17 18:50:44

This is a bug in openssl version <= 1.1.1.
https://github.com/openssl/openssl/issues/17797
