CMS验签, 将单独签名和联合签名出来的签名文件都试试.
验签成功后, 将签名数据明文写入了文件供查看.
也就是说, 只有验签成功后, 才能看到签名数据的明文.
验签时, 使用的是上一级的证书(这里是CA证书)
签名时, 使用的是低级证书(接收者证书, 或者说是签名者证书, 这些证书都是CA证书发出来的)
不管是单独签名, 还是联合签名, 验签都是一个API搞定.
/*!
\file cms_ver.c
\note openssl3.2 - 官方demo学习 - cms - cms_ver.c
CMS验签, 将单独签名和联合签名出来的签名文件都试试.
验签成功后, 将签名数据明文写入了文件供查看.
也就是说, 只有验签成功后, 才能看到签名数据的明文.
验签时, 使用的是上一级的证书(这里是CA证书)
签名时, 使用的是低级证书(接收者证书)
*/
/*
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/* Simple S/MIME verification example */
#include <openssl/pem.h>
#include <openssl/cms.h>
#include <openssl/err.h>
#include "my_openSSL_lib.h"
/*
* print any signingTime attributes.
* signingTime is when each party purportedly signed the message.
*/
static void print_signingTime(CMS_ContentInfo *cms)
{
STACK_OF(CMS_SignerInfo) *sis;
CMS_SignerInfo *si;
X509_ATTRIBUTE *attr;
ASN1_TYPE *t;
ASN1_UTCTIME *utctime;
ASN1_GENERALIZEDTIME *gtime;
BIO *b;
int i, loc;
int iSignCnt = 0;
b = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
sis = CMS_get0_SignerInfos(cms);
iSignCnt = sk_CMS_SignerInfo_num(sis);
for (i = 0; i < iSignCnt; i++) {
si = sk_CMS_SignerInfo_value(sis, i);
loc = CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1);
attr = CMS_signed_get_attr(si, loc);
t = X509_ATTRIBUTE_get0_type(attr, 0);
if (t == NULL)
continue;
switch (t->type) {
case V_ASN1_UTCTIME:
utctime = t->value.utctime;
ASN1_UTCTIME_print(b, utctime);
break;
case V_ASN1_GENERALIZEDTIME:
gtime = t->value.generalizedtime;
ASN1_GENERALIZEDTIME_print(b, gtime);
break;
default:
fprintf(stderr, "unrecognized signingTime type\n");
break;
}
BIO_printf(b, ": signingTime from SignerInfo %i\n", i);
}
BIO_free(b);
return;
}
int verify_sign()
{
BIO* in = NULL, * out = NULL, * tbio = NULL, * cont = NULL;
X509_STORE* st = NULL;
X509* cacert = NULL;
CMS_ContentInfo* cms = NULL;
int ret = EXIT_FAILURE;
//OpenSSL_add_all_algorithms();
//ERR_load_crypto_strings();
/* Set up trusted CA certificate store */
st = X509_STORE_new();
if (st == NULL)
goto err;
/* Read in CA certificate */
tbio = BIO_new_file("cacert.pem", "r");
if (tbio == NULL)
goto err;
cacert = PEM_read_bio_X509(tbio, NULL, 0, NULL);
if (cacert == NULL)
goto err;
if (!X509_STORE_add_cert(st, cacert))
goto err;
/* Open message being verified */
in = BIO_new_file("smout.txt", "r");
if (in == NULL)
goto err;
/* parse message */
cms = SMIME_read_CMS(in, &cont);
if (cms == NULL)
goto err;
print_signingTime(cms);
/* File to output verified content to */
out = BIO_new_file("smver.txt", "w");
if (out == NULL)
goto err;
if (!CMS_verify(cms, NULL, st, cont, out, 0)) {
fprintf(stderr, "Verification Failure\n");
goto err;
}
printf("Verification Successful\n");
ret = EXIT_SUCCESS;
err:
if (ret != EXIT_SUCCESS) {
fprintf(stderr, "Error Verifying Data\n");
ERR_print_errors_fp(stderr);
}
X509_STORE_free(st);
CMS_ContentInfo_free(cms);
X509_free(cacert);
BIO_free(in);
BIO_free(out);
BIO_free(tbio);
return ret;
}
int verify_sign2()
{
BIO* in = NULL, * out = NULL, * tbio = NULL, * cont = NULL;
X509_STORE* st = NULL;
X509* cacert = NULL;
CMS_ContentInfo* cms = NULL;
int ret = EXIT_FAILURE;
//OpenSSL_add_all_algorithms();
//ERR_load_crypto_strings();
/* Set up trusted CA certificate store */
st = X509_STORE_new();
if (st == NULL)
goto err;
/* Read in CA certificate */
tbio = BIO_new_file("cacert.pem", "r");
if (tbio == NULL)
goto err;
cacert = PEM_read_bio_X509(tbio, NULL, 0, NULL);
if (cacert == NULL)
goto err;
if (!X509_STORE_add_cert(st, cacert))
goto err;
/* Open message being verified */
in = BIO_new_file("smout2.txt", "r");
if (in == NULL)
goto err;
/* parse message */
cms = SMIME_read_CMS(in, &cont);
if (cms == NULL)
goto err;
print_signingTime(cms);
/* File to output verified content to */
out = BIO_new_file("smver2.txt", "w");
if (out == NULL)
goto err;
if (!CMS_verify(cms, NULL, st, cont, out, 0)) {
fprintf(stderr, "Verification Failure\n");
goto err;
}
printf("Verification Successful\n");
ret = EXIT_SUCCESS;
err:
if (ret != EXIT_SUCCESS) {
fprintf(stderr, "Error Verifying Data\n");
ERR_print_errors_fp(stderr);
}
X509_STORE_free(st);
CMS_ContentInfo_free(cms);
X509_free(cacert);
BIO_free(in);
BIO_free(out);
BIO_free(tbio);
return ret;
}
#define LINE10 "----------"
#define LINE60 LINE10 LINE10 LINE10 LINE10 LINE10 LINE10
int main(int argc, char **argv)
{
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
printf("%s\n", LINE60);
printf(">> veirfy sign\n");
if (EXIT_SUCCESS != verify_sign())
{
return -1;
}
printf("%s\n", LINE60);
printf(">> veirfy sign2\n");
if (EXIT_SUCCESS != verify_sign2())
{
return -1;
}
printf("END\n");
return 0;
}