如何使用OpenSSL验证Jarsigner创建的* .SF/*.RSA签名 [英] How to use OpenSSL to validate a *.SF / *.RSA signature created by the Jarsigner

问题描述

我有一个要签名的档案，并且想用OpenSSL在C语言中对其进行验证.

I have an archive I want to sign and I want to validate it in C with OpenSSL.

要签署存档，jarsigner似乎是一个好主意，考虑到我不必自己创建某些东西，而且看起来效果很好.使用OpenSSL，我可以验证不同的摘要值，但无法通过它来验证* .SF * .RSA签名.

To sign the archive the jarsigner seemed like a good idea, considering I wouldn't have to create something on my own, and it seems to work great. With OpenSSL I can validate the different digest values, but I can't get it to validate the *.SF *.RSA signature.

我已采取的步骤:

创建密钥库

$ keytool -genkeypair -alias <alias> -keystore <keystore> -validity 360 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA

签署存档

$ jarsigner -keystore <keystore> -signedjar <signedFile>.zip <fileToSign>.zip <alias>

已插入C验证代码

BIO *in = NULL, *indata = NULL;
PKCS7 *p7 = NULL;
int flags = PKCS7_DETACHED;
    flags |= PKCS7_NOVERIFY;
    flags |= PKCS7_BINARY;

OpenSSL_add_all_algorithms();

/* load *.RSA (PKCS7) file */
if (!(in = BIO_new_file(path, "r"))) {
    printf ("Can't open input file %s\n", path);
    status = FAILURE;
}

if (!(p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL))) {
    printf ("Error in reading PKCS7 PEM file.\n");
    status = FAILURE;
}

/* load *.SF file */
if (!(indata = BIO_new_file(path, "r"))) {
    printf("Can't read content file %s\n", path);
    status = FAILURE;
}

/* validate signature */
if (PKCS7_verify(p7, NULL, NULL, indata, NULL, flags))
    printf("Signature verification successful!\n");
else {
    printf("Signature verification failed!\n");
    status = FAILURE;
}

错误

在"PEM_read_bio_PKCS7(...)"中失败.

It fails in "PEM_read_bio_PKCS7(...)".

我正在寻找一种在终端中或使用OpenSSL使用C进行验证的方法. C是首选；)，但是如果您只知道手动操作，我总是可以将命令转换为代码.

I'm looking for either a way to validate it in the terminal or with C using OpenSSL. C is preferred ;) but I can always convert the command to code in case you only know how to do it manually.

推荐答案

我是个白痴.在该项目开始时，我知道签名格式必须为DER或PEM.我以为我已经正确配置了此配置，但是以某种方式最终导致当我想验证PEM签名时Jarsigner的签名为DER格式.

I am an idiot. At the start of this project I knew that the signature format had to be either DER or PEM. I thought I had configured this correctly, but somehow it ended up in the situation where the Jarsigner's signature was in DER format when I wanted to verify a PEM signature.

我的解决方案是始终期待DER签名.这是Jarsigner的默认设置.对于我的OpenSSL签名者/验证者，我必须确保格式和信息为der:-outder der和-inform der.

My solution is to always expect a DER signature. This is default for the Jarsigner. For my OpenSSL signer/verifier I had to make sure the outform and inform was der: -outform der and -inform der.

代码明智，我必须更改此设置:

Code wise I had to change this:

if (!(p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL))) {

对此:

if (!(p7 = d2i_PKCS7_bio(in, NULL))) {

这篇关于如何使用OpenSSL验证Jarsigner创建的* .SF/*.RSA签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！