Howto Verify Signature of a SMIME multipart/signed application/x-pkcs7-signature Mail


Problem description

I am working on a larger application which receives email by POP3, IMAP or through import from .msg Files (Exported from Outlook or dragged over from Outlook).

Recently I received an email with an attachment "smime.p7m". After further inspection it turned out to be a MIME Message with

Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";

which includes a part with

Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"


I tried to verify this signature using OpenPop as a MIME Message Parser and SignedCms to check the signature. My attempt looks like this:

var datapart = OpenPop.MessagePart[...];
var part3 = OpenPop.MessagePart[3]; // the signature

var ci = new ContentInfo(datapart);            
var sCMS = new SignedCms(ci, detached: true);
sCMS.Decode(part3.Body);
sCMS.CheckHash();

sCMS.CheckSignature(verifySignatureOnly:true);

But no matter what I use for datapart I always get

System.Security.Cryptography.CryptographicException The hash value is not correct.

How can I verify the signature?

Is there a better way?

Recommended answer

The easiest way for you to do this would be to use MimeKit (which is not only open source but also free for commercial use).


Since all you care about is verifying the signatures, you could just use a MimeKit.Cryptography.TemporarySecureMimeContext instead of setting up your own (like the README and other documentation talks about doing).


Typically, when you receive a message signed via S/MIME, it is almost always the root-level MIME part that is the multipart/signed part, which makes this somewhat easier (the first step toward verifying signatures is to locate the multipart/signed part).

// Requires: using MimeKit; using MimeKit.Cryptography;
// 'message' is the already parsed MimeMessage.
var signed = message.Body as MultipartSigned;
if (signed != null) {
    using (var ctx = new TemporarySecureMimeContext ()) {
        foreach (var signature in signed.Verify (ctx)) {
            try {
                bool valid = signature.Verify ();

                // If valid is true, then it signifies that the signed
                // content has not been modified since this particular
                // signer signed the content.
                //
                // However, if it is false, then it indicates that the
                // signed content has been modified.
            } catch (DigitalSignatureVerifyException) {
                // There was an error verifying the signature.
            }
        }
    }
}


You can find API documentation for MimeKit at www.mimekit.net/docs.
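One reason a detached SignedCms check can report a wrong hash, shown as an added example that is not code from the question or the answer: per RFC 1847 the signature of a multipart/signed message covers the first part exactly as transmitted (its MIME headers, the blank line and the body, with CRLF line endings), so only those exact bytes verify. The sample part and the throwaway self-signed key are constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs; // NuGet: System.Security.Cryptography.Pkcs
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class DetachedSignatureDemo
{
    // p7s: decoded bytes of the smime.p7s part; signedBytes: candidate signed content.
    static bool Verify(byte[] signedBytes, byte[] p7s)
    {
        var cms = new SignedCms(new ContentInfo(signedBytes), detached: true);
        cms.Decode(p7s);
        try {
            // true = check digest and signature only, NOT the certificate chain:
            // this proves integrity, not that the signer is someone you trust.
            cms.CheckSignature(verifySignatureOnly: true);
            return true;
        } catch (CryptographicException) {
            return false; // e.g. "The hash value is not correct."
        }
    }

    static void Main()
    {
        // Constructed sample: first part of a multipart/signed message as transmitted.
        string headers = "Content-Type: text/plain; charset=us-ascii\r\n" +
                         "Content-Transfer-Encoding: 7bit\r\n\r\n";
        string body = "Hello, this text is signed.\r\n";
        byte[] entity = Encoding.ASCII.GetBytes(headers + body);

        // Throwaway self-signed key, constructed only to produce a demo signature.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=demo signer", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
        var signer = new SignedCms(new ContentInfo(entity), detached: true);
        signer.ComputeSignature(
            new CmsSigner(cert) { IncludeOption = X509IncludeOption.EndCertOnly });
        byte[] p7s = signer.Encode();

        byte[] bodyOnly = Encoding.ASCII.GetBytes(body);
        byte[] lfOnly = Encoding.ASCII.GetBytes((headers + body).Replace("\r\n", "\n"));
        Console.WriteLine($"headers + body, CRLF: {Verify(entity, p7s)}");
        Console.WriteLine($"decoded body only:    {Verify(bodyOnly, p7s)}");
        Console.WriteLine($"LF line endings:      {Verify(lfOnly, p7s)}");
    }
}
```

To decide whether the signer is trusted, call CheckSignature with verifySignatureOnly set to false so the certificate chain is validated as well.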
