openssl3.2 - 官方demo学习 - cms - cms_ver.c

openssl3.2 - 官方demo学习 - cms - cms_ver.c

概述

CMS验签, 将单独签名和联合签名出来的签名文件都试试.
验签成功后, 将签名数据明文写入了文件供查看.
也就是说, 只有验签成功后, 才能看到签名数据的明文.
验签时, 使用的是上一级的证书(这里是CA证书)
签名时, 使用的是低级证书(接收者证书, 或者说是签名者证书, 这些证书都是CA证书发出来的)

运行结果

不管是单独签名, 还是联合签名, 验签都是一个API搞定.

笔记

/*!
\file cms_ver.c
\note openssl3.2 - 官方demo学习 - cms - cms_ver.c
CMS验签, 将单独签名和联合签名出来的签名文件都试试.
验签成功后, 将签名数据明文写入了文件供查看. 
也就是说, 只有验签成功后, 才能看到签名数据的明文.
验签时, 使用的是上一级的证书(这里是CA证书)
签名时, 使用的是低级证书(接收者证书)
*/

/*
 * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* Simple S/MIME verification example */
#include <openssl/pem.h>
#include <openssl/cms.h>
#include <openssl/err.h>

#include "my_openSSL_lib.h"

/*
 * print any signingTime attributes.
 * signingTime is when each party purportedly signed the message.
 */
static void print_signingTime(CMS_ContentInfo *cms)
{
   
    STACK_OF(CMS_SignerInfo) *sis;
    CMS_SignerInfo *si;
    X509_ATTRIBUTE *attr;
    ASN1_TYPE *t;
    ASN1_UTCTIME *utctime;
    ASN1_GENERALIZEDTIME *gtime;
    BIO *b;
    int i, loc;
    int iSignCnt = 0;

    b = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
    sis = CMS_get0_SignerInfos(cms);
    iSignCnt = sk_CMS_SignerInfo_num(sis);
    for (i = 0; i < iSignCnt; i++) {
   
        si = sk_CMS_SignerInfo_value(sis, i);
        loc = CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1);
        attr = CMS_signed_get_attr(si, loc);
        t = X509_ATTRIBUTE_get0_type(attr, 0);
        if (t == NULL)
            continue;
        switch (t->type) {
   
        case V_ASN1_UTCTIME:
            utctime = t->value.utctime;
            ASN1_UTCTIME_print(b, utctime);
            break;
        case V_ASN1_GENERALIZEDTIME:
            gtime = t->value.generalizedtime;
            ASN1_GENERALIZEDTIME_print(b, gtime);
            break;
        default:
            fprintf(stderr, "unrecognized signingTime type\n");
            break;
        }
        BIO_printf(b, ": signingTime from SignerInfo %i\n", i);
    }
    BIO_free(b);
    return;
}

int verify_sign()
{
   
    BIO* in = NULL, * out = NULL, * tbio = NULL, * cont = NULL;
    X509_STORE* st = NULL;
    X509* cacert = NULL;
    CMS_ContentInfo* cms = NULL;
    int ret = EXIT_FAILURE;

    //OpenSSL_add_all_algorithms();
    //ERR_load_crypto_strings();

    /* Set up trusted CA certificate store */

    st = X509_STORE_new();
    if (st == NULL)
        goto err;

    /* Read in CA certificate */
    tbio = BIO_new_file("cacert.pem", "r");

    if (tbio == NULL)
        goto err;

    cacert = PEM_read_bio_X509(tbio, NULL, 0, NULL);

    if (cacert == NULL)
        goto err;

    if (!X509_STORE_add_cert(st, cacert))
        goto err;

    /* Open message being verified */

    in = BIO_new_file("smout.txt", "r");

    if (in == NULL)
        goto err;

    /* parse message */
    cms = SMIME_read_CMS(in, &cont);

    if (cms == NULL)
        goto err;

    print_signingTime(cms);

    /* File to output verified content to */
    out = BIO_new_file("smver.txt", "w");
    if (out == NULL)
        goto err;

    if (!CMS_verify(cms, NULL, st, cont, out, 0)) {
   
        fprintf(stderr, "Verification Failure\n");
        goto err;
    }

    printf("Verification Successful\n");

    ret = EXIT_SUCCESS;

err:
    if (ret != EXIT_SUCCESS) {
   
        fprintf(stderr, "Error Verifying Data\n");
        ERR_print_errors_fp(stderr);
    }

    X509_STORE_free(st);
    CMS_ContentInfo_free(cms);
    X509_free(cacert);
    BIO_free(in);
    BIO_free(out);
    BIO_free(tbio);
    return ret;

}

int verify_sign2()
{
   
    BIO* in = NULL, * out = NULL, * tbio = NULL, * cont = NULL;
    X509_STORE* st = NULL;
    X509* cacert = NULL;
    CMS_ContentInfo* cms = NULL;
    int ret = EXIT_FAILURE;

    //OpenSSL_add_all_algorithms();
    //ERR_load_crypto_strings();

    /* Set up trusted CA certificate store */

    st = X509_STORE_new();
    if (st == NULL)
        goto err;

    /* Read in CA certificate */
    tbio = BIO_new_file("cacert.pem", "r");

    if (tbio == NULL)
        goto err;

    cacert = PEM_read_bio_X509(tbio, NULL, 0, NULL);

    if (cacert == NULL)
        goto err;

    if (!X509_STORE_add_cert(st, cacert))
        goto err;

    /* Open message being verified */

    in = BIO_new_file("smout2.txt", "r");

    if (in == NULL)
        goto err;

    /* parse message */
    cms = SMIME_read_CMS(in, &cont);

    if (cms == NULL)
        goto err;

    print_signingTime(cms);

    /* File to output verified content to */
    out = BIO_new_file("smver2.txt", "w");
    if (out == NULL)
        goto err;

    if (!CMS_verify(cms, NULL, st, cont, out, 0)) {
   
        fprintf(stderr, "Verification Failure\n");
        goto err;
    }

    printf("Verification Successful\n");

    ret = EXIT_SUCCESS;

err:
    if (ret != EXIT_SUCCESS) {
   
        fprintf(stderr, "Error Verifying Data\n");
        ERR_print_errors_fp(stderr);
    }

    X509_STORE_free(st);
    CMS_ContentInfo_free(cms);
    X509_free(cacert);
    BIO_free(in);
    BIO_free(out);
    BIO_free(tbio);
    return ret;

}

#define LINE10 "----------"
#define LINE60 LINE10 LINE10 LINE10 LINE10 LINE10 LINE10

int main(int argc, char **argv)
{
   
    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

    printf("%s\n", LINE60);
    printf(">> veirfy sign\n");
    if (EXIT_SUCCESS != verify_sign())
    {
   
        return -1;
    }

    printf("%s\n", LINE60);
    printf(">> veirfy sign2\n");
    if (EXIT_SUCCESS != verify_sign2())
    {
   
        return -1;
    }

    printf("END\n");
    return 0;
}

END