What does CMSSigner sign?

2014-07-03
2014-07-07
  • Konstantin Shemyak

    I installed SignServer and configured CMSSigner, using the default configuration from doc/sample-configs/qs_cmssigner_configuration.properties. But I cannot verify that the signatures actually match - it looks like the signserver is signing something different from my data(?) This is how I'm trying to verify the signature:

    • Create a test data file:
    $ echo -n 'Hello' > data.txt
    
    • Upload data.txt to the web interface of the signserver; the latter replies with data.txt.p7s.
    • Extract the signing certificate from the response:
    $ openssl pkcs7 -in data.txt.p7s -inform DER -text -print_certs
    

    The response contains a root CA certificate and an intermediate certificate.

    • Copy-paste the latter into intermediate-cert.pem and extract the public key:
    $ openssl x509 -inform pem -in intermediate-cert.pem -noout -pubkey > intermediate-pubkey.pem
    
    • Look what the response contains:
    $ openssl asn1parse -inform der -in data.txt.p7s
    

    We see lines:

    2841:d=8  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:F7FF9E8B7BB2E09B70935A5D785E0CC5D9D0ABF0
    

    This is sha1sum('Hello'). I expect this to be the data which is signed... but I do not see that. The RSA signature is here:

     2865:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
     2876:d=6  hl=2 l=   0 prim: NULL              
     2878:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:42C146C9B5B78<....>
    
    • Extract the signature part from the response:
    $ dd if=data.txt.p7s of=signed-sha1.bin bs=1 skip=$[2878+4] count=256
    
    • Verify it:
    $ openssl rsautl -verify -in signed-sha1.bin -pubin -inkey intermediate-pubkey.pem -out verified-data.bin
    

    Now, looking at what we got:

    $ openssl asn1parse -inform der -in verified-data.bin
        0:d=0  hl=2 l=  33 cons: SEQUENCE          
        2:d=1  hl=2 l=   9 cons: SEQUENCE          
        4:d=2  hl=2 l=   5 prim: OBJECT            :sha1
       11:d=2  hl=2 l=   0 prim: NULL              
       13:d=1  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:72AE5514F5CBF6F44BF795CFFDACF35E9A55F343
    

    The hash is not equal to sha1sum('Hello').

    Looks like the signserver has signed something else - correct?


    Last edit: Konstantin Shemyak 2014-07-03
  • Markus Kilås

    Markus Kilås - 2014-07-03

    Why not just use the OpenSSL command to verify the signature and output the signed content like this:
    $ openssl cms -verify -inform der -CAfile root.pem -in data.txt.p7s -out content.txt
    Verification successful
    $ cat content.txt
    Hello

    Cheers,
    Markus

  • Konstantin Shemyak

    I have figured out the source of my signature mismatch. Indeed, in the file returned by signserver, it is not just the provided data that is signed. Instead, signserver signs the data together with "attributes", which include contentType and signingTime.

    Those who wish to manually extract the signature and verify it can do the following:

    • See what attributes have been signed:
    $ openssl cms -in data.p7s -inform der -noout -cmsout -print
    

    Look for signedAttrs. They contain three objects: contentType, signingTime and messageDigest.

    • In the asn1parse output, find the corresponding block and note its size (including header, i.e. 93 + 2 = 95 bytes in this example) and offset (2768):
    $ openssl asn1parse -inform der -in data2.txt.p7s -i
    
    ...
     2768:d=5  hl=2 l=  93 cons:      cont [ 0 ]        
     2770:d=6  hl=2 l=  24 cons:       SEQUENCE          
     2772:d=7  hl=2 l=   9 prim:        OBJECT            :contentType
     2783:d=7  hl=2 l=  11 cons:        SET               
     2785:d=8  hl=2 l=   9 prim:         OBJECT            :pkcs7-data
     2796:d=6  hl=2 l=  28 cons:       SEQUENCE          
     2798:d=7  hl=2 l=   9 prim:        OBJECT            :signingTime
     2809:d=7  hl=2 l=  15 cons:        SET               
     2811:d=8  hl=2 l=  13 prim:         UTCTIME           :140703120405Z
     2826:d=6  hl=2 l=  35 cons:       SEQUENCE          
     2828:d=7  hl=2 l=   9 prim:        OBJECT            :messageDigest
     2839:d=7  hl=2 l=  22 cons:        SET               
     2841:d=8  hl=2 l=  20 prim:         OCTET STRING      [HEX DUMP]:F7FF9E8B7BB2E09B70935A5D785E0CC5D9D0ABF0
    ...
    
    • Extract that container:
    $ dd if=data.txt.p7s of=actually-signed-data.bin bs=1 skip=2768 count=95
    

    The SHA1 sum of the resulting file matches the OCTET STRING from

    $ openssl asn1parse -inform der -in verified-data.bin
    
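Added example (not SignServer or OpenSSL code): it rebuilds the 95-byte signedAttrs block from the values shown in the asn1parse output above and computes the digest that the RSA signature covers. Per RFC 5652 section 5.4 that digest is taken over the signedAttrs DER with the IMPLICIT [0] tag byte (0xA0) replaced by the SET OF tag (0x31), so the example also hashes the bytes exactly as dd extracts them and compares both values against a PKCS#1 v1.5 DigestInfo of the kind `openssl rsautl -verify` recovers.

```python
import hashlib

OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
OID_SIGNING_TIME = "1.2.840.113549.1.9.5"
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"
OID_SHA1 = "1.3.14.3.2.26"

def der(tag: int, body: bytes) -> bytes:
    """DER TLV with a short-form length (every length in this example is below 128)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER; arcs above 127 use base-128 continuation bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            groups.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(groups)
    return der(0x06, bytes(body))

def attribute(oid: str, value_der: bytes) -> bytes:
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF ANY }."""
    return der(0x30, der_oid(oid) + der(0x31, value_der))

def build_signed_attrs(content: bytes, utc_time: str) -> bytes:
    """The [0] IMPLICIT signedAttrs block from the thread: tag 0xA0, 93-byte body."""
    attrs = (attribute(OID_CONTENT_TYPE, der_oid(OID_PKCS7_DATA))
             + attribute(OID_SIGNING_TIME, der(0x17, utc_time.encode("ascii")))
             + attribute(OID_MESSAGE_DIGEST, der(0x04, hashlib.sha1(content).digest())))
    return der(0xA0, attrs)

def raw_container_digest(signed_attrs: bytes) -> bytes:
    """SHA-1 over the bytes exactly as dd extracts them (0xA0 tag byte included)."""
    return hashlib.sha1(signed_attrs).digest()

def signed_attrs_digest(signed_attrs: bytes) -> bytes:
    """RFC 5652 5.4: hash the DER with the [0] tag replaced by the SET OF tag 0x31."""
    assert signed_attrs[0] == 0xA0
    return hashlib.sha1(b"\x31" + signed_attrs[1:]).digest()

def digest_info(sha1_digest: bytes) -> bytes:
    """PKCS#1 v1.5 DigestInfo for SHA-1: the 33-byte SEQUENCE rsautl -verify outputs."""
    return der(0x30, der(0x30, der_oid(OID_SHA1) + der(0x05, b"")) + der(0x04, sha1_digest))

def verify_signed_attrs(signed_attrs: bytes, digest_info_der: bytes) -> bool:
    """True when the hash inside the recovered DigestInfo equals the RFC 5652 digest."""
    assert digest_info_der[:2] == b"\x30\x21" and digest_info_der[13:15] == b"\x04\x14"
    return digest_info_der[15:35] == signed_attrs_digest(signed_attrs)
```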
