如何使用OpenSSL验证Jarsigner创建的* .SF/*.RSA签名 [英] How to use OpenSSL to validate a *.SF / *.RSA signature created by the Jarsigner
问题描述
我有一个要签名的档案,并且想用OpenSSL在C语言中对其进行验证.
I have an archive I want to sign and I want to validate it in C with OpenSSL.
要签署存档,jarsigner似乎是一个好主意,考虑到我不必自己创建某些东西,而且看起来效果很好.使用OpenSSL,我可以验证不同的摘要值,但无法通过它来验证* .SF * .RSA签名.
To sign the archive the jarsigner seemed like a good idea, considering I wouldn't have to create something on my own, and it seems to work great. With OpenSSL I can validate the different digest values, but I can't get it to validate the *.SF *.RSA signature.
我已采取的步骤:
创建密钥库
$ keytool -genkeypair -alias <alias> -keystore <keystore> -validity 360 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA
签署存档
$ jarsigner -keystore <keystore> -signedjar <signedFile>.zip <fileToSign>.zip <alias>
已插入C验证代码
BIO *in = NULL, *indata = NULL;
PKCS7 *p7 = NULL;
int flags = PKCS7_DETACHED;
flags |= PKCS7_NOVERIFY;
flags |= PKCS7_BINARY;
OpenSSL_add_all_algorithms();
/* load *.RSA (PKCS7) file */
if (!(in = BIO_new_file(path, "r"))) {
printf ("Can't open input file %s\n", path);
status = FAILURE;
}
if (!(p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL))) {
printf ("Error in reading PKCS7 PEM file.\n");
status = FAILURE;
}
/* load *.SF file */
if (!(indata = BIO_new_file(path, "r"))) {
printf("Can't read content file %s\n", path);
status = FAILURE;
}
/* validate signature */
if (PKCS7_verify(p7, NULL, NULL, indata, NULL, flags))
printf("Signature verification successful!\n");
else {
printf("Signature verification failed!\n");
status = FAILURE;
}
错误
在"PEM_read_bio_PKCS7(...)"中失败.
It fails in "PEM_read_bio_PKCS7(...)".
我正在寻找一种在终端中或使用OpenSSL使用C进行验证的方法. C是首选;),但是如果您只知道手动操作,我总是可以将命令转换为代码.
I'm looking for either a way to validate it in the terminal or with C using OpenSSL. C is preferred ;) but I can always convert the command to code in case you only know how to do it manually.
推荐答案
我是个白痴.在该项目开始时,我知道签名格式必须为DER或PEM.我以为我已经正确配置了此配置,但是以某种方式最终导致当我想验证PEM签名时Jarsigner的签名为DER格式.
I am an idiot. At the start of this project I knew that the signature format had to be either DER or PEM. I thought I had configured this correctly, but somehow it ended up in the situation where the Jarsigner's signature was in DER format when I wanted to verify a PEM signature.
我的解决方案是始终期待DER签名.这是Jarsigner的默认设置.对于我的OpenSSL签名者/验证者,我必须确保格式和信息为der:-outder der和-inform der.
My solution is to always expect a DER signature. This is default for the Jarsigner. For my OpenSSL signer/verifier I had to make sure the outform and inform was der: -outform der and -inform der.
代码明智,我必须更改此设置:
Code wise I had to change this:
if (!(p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL))) {
对此:
if (!(p7 = d2i_PKCS7_bio(in, NULL))) {
这篇关于如何使用OpenSSL验证Jarsigner创建的* .SF/*.RSA签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!