bc-java icon indicating copy to clipboard operation
bc-java copied to clipboard
verified publisher icon bcgit

Failed to decrypt and verify with BouncyCastel using openssl signature and encryption

Open lihongbing0801 opened this issue 3 years ago • 1 comments

  1. Openssl 3.0

openssl smime -md sha1 -sign -inkey test_smime2.pem -signer test_smime2.cer -outform SMIME -in test.txt -out test.txt.sign

signature body part

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----BC340B1A870F41887515A0BD973CD216"

This is an S/MIME signed message

------BC340B1A870F41887515A0BD973CD216
3232131313123
------BC340B1A870F41887515A0BD973CD216
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIFdAYJKoZIhvcNAQcCoIIFZTCCBWECAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggMDMIIC/zCCAeegAwIBAgIJANQa1yivHU3cMA0GCSqGSIb3DQEB
CwUAMBYxFDASBgNVBAMMCyoqKi53ZWJzaXRlMB4XDTIyMTEyMzAyNDEwNFoXDTMy
MTEyMDAyNDEwNFowFjEUMBIGA1UEAwwLKioqLndlYnNpdGUwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDxbGduOPXFokDzvGYg1nx3HFqTNTtNL29i7ZV5
iB5sxrtTk9nqg3RwaTqkxqOhiybN0c5D8PJgow/bn4E5rfTJTCVmrKXnW0Pdzu2y
fWdr3x29j7FLSFs0bkyLJPvHoEO3BdvX+tyUVJ28wjrduHfMOXwyuSsF9un3CpCc
ENwRsj6Rf2oKXOkWQZob/b+syR4WiaHlevsXbx7J74/9ygwwddCFh51upPG3aaZV
rp9zehGFDVfBHtbq6dJdArFj5GnTRN4IRBhwYa80hEN5+qRRl9AWCkjNW+Dzy6Q0
QYHq7Nr3fMZSgokDoz4kP3FQ8K+2zK1qGAmvPMaJLbXXEDFfAgMBAAGjUDBOMB0G
A1UdDgQWBBRHHSrgb3544RiGh35DIjkkBWldLTAfBgNVHSMEGDAWgBRHHSrgb354
4RiGh35DIjkkBWldLTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB5
9sEcO4Bg1pKzb9qcwcTPtQvYdz9n9ZqgVNjb54oquqMI2tZCp2r7tQ/DP4kOUkn3
RuQb+tflILHDZuvvmytfH6nCZpLK0h4wrhMwZBzrRFSUGxOOAWk+nNv//+WAKT1u
DFugHnlMcdDSwVHVbhTN/ozpprAiSoqRNk4MNrXh85rNYVNWQUKEqaiLAOXlkjYP
q9kEai1alAS6k74KLvTZ+l9ec2tHEFBwmHB7zZhqgdUTFIYsINkHTNLIdrA0C71H
mB1bM3XhVB9m5lLEmY5/rILbwKz1xOQYdVs7QpAPenRlcGYWdIHM0sLKbFmnZXQL
qEGm4fACvAMgGxE5CqBmMYICNTCCAjECAQEwIzAWMRQwEgYDVQQDDAsqKioud2Vi
c2l0ZQIJANQa1yivHU3cMA0GCWCGSAFlAwQCAQUAoIHkMBgGCSqGSIb3DQEJAzEL
BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMTIyODExMDAyOFowLwYJKoZI
hvcNAQkEMSIEINTHdDYM+9de9p+GawLs5LXnSZg9Ab+R5FAGYIkiIjIKMHkGCSqG
SIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQME
AQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcG
BSsOAwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAOcyN59yPm5I
eSEisyWSrV6gE6R871+3pIVVboJQtKCeG1f0OzWrZ8N+T56gAdgEuzQqkaTcd+/8
3yd16VJ3Q3EMho1Ykx1zXETYLs+ytWAYu0n7kINDNkqKgrE5OKa/ZsJ7Ni9v5TPk
KpxJrLu6vy1LEsoX6LAczw/tZpbD60f8sUNXIkWhHvHQFjT+yaxaf89w2H2rVpq9
wd9dR6WlkrpjF41uReN8EHnwxlg4v1fOmax6tHWztl1U/Nnfo6+QuKZKMGQdY1lD
dXoac7aLLMZAMvm82N8Z9KUdYBguWV87b/+MDc7TjP6klca6BEWzsQPf94jo+qxc
2CeTeOJD5bU=

------BC340B1A870F41887515A0BD973CD216--

2. BC  decrypt code

```
SMIMEEnveloped m = new SMIMEEnveloped(bodyPart);
            RecipientId  recId = new JceKeyTransRecipientId(cert);
//            RecipientId  recId = new JceKeyTransRecipientId(cert);
            RecipientInformationStore  recipientsInfo = m.getRecipientInfos();
            RecipientInformation recipientInfo = recipientsInfo.get(recId);
            if (recipientInfo == null) {
                throw new SMIMEException("Invalid encrypted content");
            }
            JceKeyTransEnvelopedRecipient recipient = new JceKeyTransEnvelopedRecipient(privateKey);
            recipient.setProvider(EcmtConstant.BC_PROVIDER);
            ByteArrayInputStream ins = new ByteArrayInputStream(recipientInfo.getContent(recipient));
```

3.BC  verify code

```
      bodyPart = new MimeBodyPart(new ByteArrayInputStream(getDecryptedMessage().getBytes()));
//            MimeMultipart mimeMultipart = new MimeMultipart();
            SMIMESigned signed = new SMIMESigned((MimeMultipart)bodyPart.getContent());
            SignerInformationStore signers = signed.getSignerInfos();
            Iterator signerInfos = signers.getSigners().iterator();

            while (signerInfos.hasNext()) {
                SignerInformation signerInfo = (SignerInformation)signerInfos.next();
                // if (!signerInfo.verify(cert, "BC")) {  // Deprecated
                // TODO: revise the choice of components
                SignerInformationVerifier verifier =
                        new BcRSASignerInfoVerifierBuilder(new DefaultCMSSignatureAlgorithmNameGenerator(),
                                new DefaultSignatureAlgorithmIdentifierFinder(),
                                new DefaultDigestAlgorithmIdentifierFinder(),
                                new BcDigestCalculatorProvider())
                                .build(new JcaX509CertificateHolder(cert));
                if (!signerInfo.verify(verifier)) {
                    throw new SMIMEException("Verification failed");
                }

```

lihongbing0801 avatar Dec 29 '22 08:12 lihongbing0801

I'm not sure exactly what OpenSSL is up to, but this one will actually verify if the data "3232131313123" is fed into the signature validator as the detached data. It would require removing the trailing new-line from the data though, which doesn't really make sense for multi-part data. I think the only way to get this to work is to use encapsulated data in the signature.

dghgit avatar Mar 27 '25 00:03 dghgit