How can I check the signature of a SignedCms envelope?


Question


I don't really understand how to work with PKCS#7 messages.


I sign some byte array with an X509Certificate2 I have, and I get a byte array back as well.

using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

byte[] data = new byte[5] { 110, 111, 112, 113, 114 }, signedData;

// certPath / password: location and password of the signer's PFX file
X509Certificate2 cert = new X509Certificate2(certPath, password);

ContentInfo content = new ContentInfo(data);
SignedCms envelope = new SignedCms(content);   // attached signature: the content travels inside the envelope
CmsSigner cmsSigner = new CmsSigner(cert);
envelope.ComputeSignature(cmsSigner);          // signs with cert's private key and embeds the certificate
signedData = envelope.Encode();                // DER-encoded PKCS#7 SignedData


The signedData is transmitted to some remote recipient, who gets the SignedCms envelope.

SignedCms envelope = new SignedCms();
envelope.Decode(signedData);


How can he decode the envelope? He doesn't pass my public key as a parameter. My public key is in the envelope, in the SignerInfo property, but is there any reason for that, since anyone can replace it together with the whole signature?


How can the recipient make sure, using my public key that he already has, that the actual sender of the envelope is me?


There's the method envelope.CheckSignature(new X509Certificate2Collection(certificate), true); but I tried it with the wrong certificate and no exception was thrown.

Answer


A PKCS#7 by itself is just a signature; could it be replaced? Sure. envelope.CheckSignature just validates that the PKCS#7 has the right format and length, in other words it checks whether the PKCS#7 is well constructed.


Broadly put, you need to implement a PKI (Private Key Infrastructure). At one end you construct your PKCS#7 using a public key, and at the other end you must validate that the PKCS#7 you have actually carries a valid certificate that you recognize as your own. You must implement OCSP to validate those certificates, and if everything checks out you should and must request a timestamp from a third party to vouch for your PKCS#7. You will also need a vault (database) to keep track of everything: PKCS#7s, data hashes, timestamps, original data, OCSP responses...


But if you are only interested in knowing how to identify a PKCS#7, there are various tools you could use to decode a PKCS#7; doing so gives back all the information contained in it. Or you could create your own using C#.
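The following is an added example, not code from the question or the answer above, showing the check the recipient actually needs. It demonstrates two things the thread leaves implicit. First, CheckSignature(extraStore, verifySignatureOnly: true) does verify the signature cryptographically, but it locates the signer's certificate from the certificates embedded in the message; the extraStore collection is only a supplementary source, which is why passing the "wrong" certificate raised no exception in the question. Second, because anyone can re-sign the same content with their own key and embed their own certificate, a valid signature says nothing about who signed: the recipient must additionally pin the embedded signer certificate to the one obtained out-of-band (compared here by raw DER bytes; a thumbprint comparison is equivalent). The two self-signed certificates, the subject names and the sample bytes are constructed for the demo; CertificateRequest requires .NET Core 2.0+ or .NET Framework 4.7.2+, with the System.Security.Cryptography.Pkcs package on .NET Core.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

class SignedCmsDemo
{
    // Sender side: sign 'data' with 'signer' and return the DER-encoded PKCS#7 SignedData.
    static byte[] Sign(byte[] data, X509Certificate2 signer)
    {
        var cms = new SignedCms(new ContentInfo(data), detached: false);
        var cmsSigner = new CmsSigner(signer)
        {
            IncludeOption = X509IncludeOption.EndCertOnly, // embed only the signer certificate
        };
        cms.ComputeSignature(cmsSigner);
        return cms.Encode();
    }

    // Recipient side: returns the signed content only if the signature is cryptographically
    // valid AND the signer certificate is the one we already trust.
    static byte[] VerifyFromTrustedSender(byte[] signedData, X509Certificate2 trustedSender)
    {
        var cms = new SignedCms();
        cms.Decode(signedData);

        // Step 1: verifySignatureOnly = true checks the hash and signature against the
        // certificate embedded in the message (no chain building). It throws
        // CryptographicException on a bad signature, but it does not tell us WHO signed.
        cms.CheckSignature(verifySignatureOnly: true);

        // Step 2: pin the signer. Compare the embedded certificate to the trusted one
        // obtained out-of-band. Without this, an attacker can re-sign the content with
        // their own key and embed their own certificate, and step 1 still passes.
        foreach (SignerInfo si in cms.SignerInfos)
        {
            if (si.Certificate == null || !si.Certificate.RawData.SequenceEqual(trustedSender.RawData))
                throw new CryptographicException("Signature is valid but was not produced by the trusted sender.");
        }
        return cms.ContentInfo.Content;
    }

    // Constructed test helper: a self-signed certificate with an RSA key.
    static X509Certificate2 MakeSelfSigned(string subject)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
        // Round-trip through PFX so the private key is persisted in a form CmsSigner can use on Windows.
        return new X509Certificate2(cert.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.Exportable);
    }

    static void Main()
    {
        X509Certificate2 sender = MakeSelfSigned("CN=Real Sender");   // constructed
        X509Certificate2 impostor = MakeSelfSigned("CN=Impostor");    // constructed
        byte[] data = { 110, 111, 112, 113, 114 };                    // same sample bytes as the question

        byte[] genuine = Sign(data, sender);
        byte[] forged = Sign(data, impostor);

        // Genuine message: signature verifies and the embedded certificate matches the pinned one.
        Console.WriteLine("genuine accepted: " + VerifyFromTrustedSender(genuine, sender).SequenceEqual(data));

        // Forged message: CheckSignature alone passes (the impostor's certificate is embedded and the
        // math is correct), so the pinning step is what rejects it.
        try
        {
            VerifyFromTrustedSender(forged, sender);
            Console.WriteLine("forged accepted (unexpected)");
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("forged rejected: " + e.Message);
        }
    }
}
```

If the signer's certificate is issued by a CA you trust rather than pinned directly, call cms.CheckSignature(verifySignatureOnly: false) instead of step 1; that additionally builds and validates the certificate chain (the self-signed test certificates above would fail that check), and you then pin the issuer or the subject instead of the raw certificate bytes.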
