API secured by PKCS#7 cryptographic message


Problem description

I am currently trying to call an API that requires me to put XML data in a PKCS#7 format.
This data is posted to the API end point.
The response also comes in a form of a PKCS#7 cryptographic message (MIME-type is application/pkcs7-mime).
Some Notes they provide: A cryptographic message doesn't contain any certification chains. Data compression is not used. Data encryption is not used. A cryptographic message is in the OpenSSL PEM format.

I have been supplied two certificates. One I created the request for and have the private key, the other supplied to me by the service provider.
I have managed to successfully install these certificates, and can communicate with the service.

I am seemingly sending data to this API service successfully.
Now I'm trying to make sense of the response I'm receiving from this API.
This response looks like this

-----BEGIN PKCS7-----
-----END PKCS7-----

(I jumbled up the contents on the off chance there's anything sensitive in there)

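With this response, I need to:

  1. Verify the digital signature to ensure the response was sent by the provider

  2. Get the XML message from this response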

I have been primarily using the Bouncy Castle library and the MS SignedCms Class
In summary, I am getting absolutely nowhere.

Please can someone guide me on what to do here as I've been at this for about 5 days and am going nowhere fast.

Here is some of what I'm doing so far:

Make request

Using the HttpWebRequest and HttpWebResponse I am posting data to the service using my supplied certificate

// Client certificate presented on the TLS connection, looked up by thumbprint.
var store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2 cert = store.Certificates.Find(X509FindType.FindByThumbprint, "ACLKJCLKJCLKJCLKJCLKJCLKJCLKJCLKJCLKJCLK", false)[0];

// Encode the body first: ContentLength must be the byte count, not the character count.
byte[] bytes = new UTF8Encoding().GetBytes(requestString);

HttpWebRequest request = null;
var uri = new Uri(endPointUri);
request = (HttpWebRequest) WebRequest.Create(uri);
request.Method = "POST";
request.ContentType = "application/pkcs7-mime";
request.ContentLength = bytes.Length;
request.ClientCertificates.Add(cert);

using (Stream writeStream = request.GetRequestStream())
{
    writeStream.Write(bytes, 0, bytes.Length);
}
string result = null;
using (var response = (HttpWebResponse) request.GetResponse())
{
    using (Stream responseStream = response.GetResponseStream())
    {
        if (responseStream != null)
        {
            using (var readStream = new StreamReader(responseStream, Encoding.UTF8))
            {
                result = readStream.ReadToEnd();
            }
        }
    }
}

return result;

Here I get back the "BEGIN PKCS7" message from above.
Now I'm trying to figure out what to do with this

MS SignedCms class method

SignedCms signedCms = new SignedCms();
signedCms.Decode(Encoding.Default.GetBytes(resultString));
try
{
    signedCms.CheckSignature(new X509Certificate2Collection(cert1), true);
}
catch (System.Security.Cryptography.CryptographicException e)
{
    _Log.Error(e.Message);
}

This throws the exception on "signedCms.Decode" of "ASN1 bad tag value met."

BouncyCastle's ISigner

Here the documentation is non-existent.
So first I save my response to a file and use the TextReader object to try test with BouncyCastle

using (TextReader reader = File.OpenText(@"c:\temp\resultString.txt"))
{
    PemReader pemRd = new PemReader(reader);
    ContentInfo d = (ContentInfo)pemRd.ReadObject();
    Console.WriteLine(d.ContentType.ToString());
}

This returns the result: "1.2.840.113549.1.7.2"
From what I can tell, this means it's "Pkcs7 Signed Data"
Woohoo, something looks like it's working.
But from here, how do I verify, and how do I extract any information from this?

My verification attempts

using (TextReader reader = File.OpenText(@"c:\temp\resultString.txt"))
{
    PemReader pemRd = new PemReader(reader);
    var signature = new CmsSignedData(pemRd.ReadObject());
}



Fail - signature is null

var store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2 cert = store.Certificates.Find(X509FindType.FindByThumbprint, "ACLKJCLKJCLKJCLKJCLKJCLKJCLKJCLKJCLKJCLK", false)[0]; //tried with both certs
ISigner signer = SignerUtilities.GetSigner("RSA");
var bouncyx509 = DotNetUtilities.FromX509Certificate(cert1);
signer.Init(true, DotNetUtilities.FromX509Certificate(cert1).GetPublicKey());



Fail - need private key to create signer

Closing remarks

I hope I have provided enough information to get some help here.
Maybe I'm heading in completely the wrong direction.

My questions are:

  1. How do I verify the digital signature

  2. How do I get an XML message from this response?

Solution

Thanks to gtrig, I finally have a solution.
Using the MS SignedCms object I had to first remove the Header and Footer from the message, then Convert.FromBase64String

Working solution

SignedCms signedCms = new SignedCms();
resultString = resultString.Replace("\n", "").Replace("-----BEGIN PKCS7-----", "").Replace("-----END PKCS7-----", "");
signedCms.Decode(Convert.FromBase64String(resultString));

Now signedCms.ContentInfo.Content contains the response Xml message I expect

Recommended answer

This is an incomplete answer, but it may get you a little further along.

If you have access to openssl, try this command to see if it can read the data:

openssl pkcs7 -in resultString.txt -text

After that try this in your code (The only difference from what you had is "Content" instead of "ContentType"):

Console.WriteLine(d.Content.ToString());

signedCms.Decode() takes a byte array, and that is probably the DER formatted message instead of the PEM formatted message that you received in the response. To get that in a byte array, you'll have to strip the header and footer (Begin/End) lines and pass the rest to this method:

Convert.FromBase64String()

Alternatively, you could use openssl to convert the file to DER format and then read in the bytes directly from the file.

openssl pkcs7 -in resultString.txt -outform DER -out result.der
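
An added example, not part of the question, the asker's update or the answer above: SignedCms.Decode only parses the message, so this C# code strips the PEM armor, checks the signature against the provider's certificate, and only then returns the XML. The names Pkcs7Response and VerifyAndExtract, the self-signed certificate and the sample XML are constructed for illustration; it assumes a current .NET with the System.Security.Cryptography.Pkcs package.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added illustration; Pkcs7Response and VerifyAndExtract are hypothetical names.
static class Pkcs7Response
{
    // Returns the signed payload only if the signature verifies against the pinned certificate.
    public static byte[] VerifyAndExtract(string pem, X509Certificate2 providerCert)
    {
        // PEM -> DER: drop the armor lines; FromBase64String ignores the line breaks left over.
        string b64 = pem.Replace("-----BEGIN PKCS7-----", "").Replace("-----END PKCS7-----", "");
        var cms = new SignedCms();
        cms.Decode(Convert.FromBase64String(b64));

        // The provider says messages carry no certificates, so reject any embedded one rather
        // than let it stand in for the pinned signer certificate. Expect exactly one signer.
        if (cms.Certificates.Count != 0 || cms.SignerInfos.Count != 1)
            throw new CryptographicException("Unexpected certificates or signer count.");

        // verifySignatureOnly = true: no chain building; trust comes from pinning providerCert.
        // Throws CryptographicException if the signature is bad or the signer is not providerCert.
        cms.CheckSignature(new X509Certificate2Collection(providerCert), true);
        return cms.ContentInfo.Content;
    }

    static void Main()
    {
        // Constructed stand-ins for the provider's key pair and signed response.
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=Constructed Provider", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1)))
            {
                var signed = new SignedCms(new ContentInfo(Encoding.UTF8.GetBytes("<response>ok</response>")));
                signed.ComputeSignature(new CmsSigner(cert) { IncludeOption = X509IncludeOption.None });
                string pem = "-----BEGIN PKCS7-----\n"
                    + Convert.ToBase64String(signed.Encode(), Base64FormattingOptions.InsertLineBreaks)
                    + "\n-----END PKCS7-----\n";
                Console.WriteLine(Encoding.UTF8.GetString(VerifyAndExtract(pem, cert)));
            }
        }
    }
}
```

Because only the signature is checked, the pinned certificate's validity period and revocation status need a separate check if they matter to the integration.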
