I have a PKCS 7 (https://en.wikipedia.org/wiki/PKCS_7) file that contains signed data. It verifies successfully:
openssl smime -verify -in data.p7s -CAfile root-certificate.pem
Output:
Verification successful
Signed data
But when I extract the signed part, I cannot see that it actually corresponds to the content that was signed. I mean the following steps:
openssl asn1parse -in data.p7s
Output:
...
35:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
46:d=4 hl=2 l=inf cons: cont [ 0 ]
48:d=5 hl=2 l=inf cons: OCTET STRING
50:d=6 hl=2 l= 5 prim: OCTET STRING :(my data is here in plaintext)
...
(then the signed block starts:)
2861:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption
2872:d=6 hl=2 l= 0 prim: NULL
2874:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:<signed data is here>
I cut out the [HEX DUMP] with the signed data:
dd if=data.p7s of=signed-part.bin bs=1 skip=2878 count=256
Decrypt it with the corresponding public key:
openssl rsautl -verify -in signed-part.bin -pubin -inkey root-public-key.pem -out verified-data.bin
Look at the result:
openssl asn1parse -inform der -in verified-data.bin
Output:
0:d=0 hl=2 l= 33 cons: SEQUENCE
2:d=1 hl=2 l= 9 cons: SEQUENCE
4:d=2 hl=2 l= 5 prim: OBJECT :sha1
11:d=2 hl=2 l= 0 prim: NULL
13:d=1 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:<hash here>
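This [HEX DUMP] is not the SHA-1 (https://en.wikipedia.org/wiki/SHA-1) sum of my original data.
I do not understand why the hash is different. Obviously, it is a hash of something other than my original data. Does the hash also cover any "authenticated attributes"? If so, how can I see exactly which attributes were hashed and signed?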
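
Added example, not part of the original question: in PKCS #7 / CMS, when authenticated attributes are present, the signature covers the DER encoding of that attribute block with its stored [0] tag (0xA0) replaced by the SET OF tag (0x31), and the hash of the content is carried inside the block as the messageDigest attribute. The Python below shows both on a constructed attribute block; the sample content and all helper names are assumptions, and the attributes are assumed to be DER with definite lengths.

```python
import hashlib

OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")    # 1.2.840.113549.1.9.3
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_DATA = bytes.fromhex("2a864886f70d010701")            # pkcs7-data

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the definite-length DER element at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long form: low bits give the length-of-length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def signed_digest(attrs):
    """SHA-1 that the signature covers: attributes with tag 0xA0 replaced by SET OF (0x31)."""
    if attrs[0] != 0xA0:
        raise ValueError("expected the [0] IMPLICIT attribute block as stored in the file")
    return hashlib.sha1(b"\x31" + attrs[1:]).digest()

def message_digest_attr(attrs):
    """Return the messageDigest attribute value, i.e. the hash of the signed content."""
    body, pos = read_tlv(attrs, 0)[1], 0
    while pos < len(body):
        _, attr, pos = read_tlv(body, pos)    # Attribute ::= SEQUENCE { type, SET OF value }
        _, oid, after_oid = read_tlv(attr, 0)
        if oid == OID_MESSAGE_DIGEST:
            values = read_tlv(attr, after_oid)[1]
            return read_tlv(values, 0)[1]     # contents of the OCTET STRING
    raise ValueError("no messageDigest attribute")

def tlv(tag, body):
    return bytes([tag, len(body)]) + body     # short-form length; enough for the sample

def sample_attrs(content):
    """Constructed sample (assumption): contentType and messageDigest attributes only."""
    ctype = tlv(0x30, tlv(0x06, OID_CONTENT_TYPE) + tlv(0x31, tlv(0x06, OID_DATA)))
    mdig = tlv(0x30, tlv(0x06, OID_MESSAGE_DIGEST)
               + tlv(0x31, tlv(0x04, hashlib.sha1(content).digest())))
    return tlv(0xA0, ctype + mdig)

if __name__ == "__main__":
    attrs = sample_attrs(b"hello")            # constructed content
    print("messageDigest attr  :", message_digest_attr(attrs).hex())
    print("hash under signature:", signed_digest(attrs).hex())
```

On a real file, the attribute block is the `cont [ 0 ]` element inside the signer info that precedes the `rsaEncryption` entry in the `asn1parse` listing; its bytes, header included, are the input to `signed_digest`.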