====== Signing and verifying files with OpenSSL ======
* OpenSSL version: openssl-0.9.8b-10.el5_2.1
* The signer's certificate is assumed to be jonathan.crt and its private key jonathan.key
* The issuer of jonathan.crt is RootCA.crt
===== - Signing a file =====
* The file to be signed is test.txt
* The signed output will be test.txt.sig
openssl smime -sign -inkey jonathan.key -signer jonathan.crt -in test.txt -out test.txt.sig
This produces a clear-signed (multipart/signed) S/MIME message: the original text travels in the first MIME part and the PKCS#7 signature, together with the signer certificate, in the second. On this OpenSSL version the default digest is SHA-1 (micalg=sha1 below); newer releases default to SHA-256 and accept an explicit -md sha256.
++++See the output|
[casrv@G2B2C-reg dev_caserver]$ openssl smime -sign -inkey jonathan.key -signer jonathan.crt -in test.txt -out test.txt.sig
Enter pass phrase for jonathan.key:
[casrv@G2B2C-reg dev_caserver]$ cat test.txt.sig
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----15B215678DE5CF4A4D8C9CD60B81A4EC"
This is an S/MIME signed message
------15B215678DE5CF4A4D8C9CD60B81A4EC
total 156
-rw-rw-r-- 1 casrv casrv 0 May 13 10:37 tst.txt
:
:
:
-rw-rw-r-- 1 casrv casrv 1050 May 12 18:25 RootCA.req
-rw------- 1 casrv casrv 1751 May 12 18:23 RootCA.key
------15B215678DE5CF4A4D8C9CD60B81A4EC
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGOAYJKoZIhvcNAQcCoIIGKTCCBiUCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3
DQEHAaCCA48wggOLMIICcwIJALh6V0W0o+9+MA0GCSqGSIb3DQEBBQUAMIGHMQsw
CQYDVQQGEwJUVzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWlwZWkxDDAK
:
:
pnt3+FtyjJ0H/BY9DWPCQJ+Ms6l/iqtmPKqdwrKsqf2jrsopJ9hj6UmDNR+gr5RR
b0++L9I8Qc0HtZNYwwYtEl9o3OCpNHwpe/5HuFNu1N20WjtIUH/fYn4DXQORUBuO
DvOBanH4+uAX9xYU+4rXL9+dJ8f1rc6ZtEcE5XpfKX+KWN7m9usmik7jTDVCLfwi
+kvhv+kapp7nDSN+
------15B215678DE5CF4A4D8C9CD60B81A4EC--
[casrv@G2B2C-reg dev_caserver]$
++++
To extract the signature as a bare PEM-encoded PKCS#7 structure, pass -pk7out. Because the message above is clear-signed (multipart/signed), the resulting test.txt.p7b holds only the signature and certificates, not the text itself; to verify it later the signed content has to be supplied next to it (openssl smime -verify -inform PEM -in test.txt.p7b -content <signed content> -CAfile RootCA.crt). Note that unless the file was signed with -binary, line endings are canonicalised to CRLF before hashing, so the file handed to -content must be in that same form.
[casrv@G2B2C-reg dev_caserver]$ openssl smime -pk7out -in test.txt.sig -out test.txt.p7b
[casrv@G2B2C-reg dev_caserver]$ ls -lt
total 176
-rw-rw-r-- 1 casrv casrv 2204 May 13 11:38 test.txt.p7b
-rw-rw-r-- 1 casrv casrv 3794 May 13 11:37 test.txt.sig
:
:
[casrv@G2B2C-reg dev_caserver]$ cat test.txt.p7b
-----BEGIN PKCS7-----
MIIGOAYJKoZIhvcNAQcCoIIGKTCCBiUCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3
DQEHAaCCA48wggOLMIICcwIJALh6V0W0o+9+MA0GCSqGSIb3DQEBBQUAMIGHMQsw
CQYDVQQGEwJUVzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWlwZWkxDDAK
:
:
ZH2c77SSfrzfkz+HztNtweNWbbcskVkihHrhjlXAQR4xLnRlg8xR+kxUvuxl8Z5a
kxB+wggrFifZpRiUfiX8bAzHlvIWtOrufLAe2hiKT+bhrowqErqJo8XXR5u3eHsL
vtiUmxJWh5vtQLf5
-----END PKCS7-----
===== - Verifying a signed file =====
* With -CAfile RootCA.crt, any file signed by a currently valid certificate issued by RootCA.crt is accepted; the signature and the certificate chain are checked, but no revocation (CRL) check is made unless you ask for one
* The signed file is test.txt.sig
* On success the signed content is written to test.txt and the signer's certificate to test.txt.crt
openssl smime -verify -in test.txt.sig -signer test.txt.crt -out test.txt -CAfile RootCA.crt
++++See the output|
[casrv@G2B2C-reg tmp]$ openssl smime -verify -in test.txt.sig -signer test.txt.crt -out test.txt -CAfile RootCA.crt
Verification successful
[casrv@G2B2C-reg tmp]$ ls -lt
total 192
-rw-rw-r-- 1 casrv casrv 1289 May 13 11:05 test.txt.crt
-rw-rw-r-- 1 casrv casrv 1171 May 13 11:05 test.txt
++++
When verification fails, openssl still creates the -out file: below it is a 0-byte test.txt. In this run -CAfile is (wrongly) pointed at the signer's own certificate jonathan.crt instead of its issuer RootCA.crt, so the chain cannot be built and verification stops with "unable to get local issuer certificate". Always check the command's exit status rather than the existence of the output file.
[casrv@G2B2C-reg tmp]$ openssl smime -verify -in test.txt.sig -signer test.txt.crt -out test.txt -CAfile /var/www/html/dev_ca/jonathan.crt
Verification failure
17047:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:231:Verify error:unable to get local issuer certificate
[casrv@G2B2C-reg tmp]$ ls -lt
total 188
-rw-rw-r-- 1 casrv casrv 0 May 13 11:32 test.txt
:
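The complete procedure from both sections above, as an added example that is not part of the original page. It assumes only that the openssl command-line tool (1.1 or 3.x) is on PATH: since the page's jonathan.key, jonathan.crt and RootCA.crt are not available, a throwaway root CA and signer certificate are generated into a scratch directory, the sample text is constructed inline, and the function and file names (make_pki, sign_file, verify_naive, verify_file, SMIME_WORK) are this example's own. It goes one step beyond the page's failure case: besides the wrong -CAfile it also verifies a message whose text was altered after signing, where the chain is fine but the signature check fails and the naive -out file is left holding the unverified text.

```shell
# Added example (not from the original page): the sign and verify commands above,
# run end to end against a throwaway CA. Assumed: the `openssl` CLI (1.1 or 3.x)
# is on PATH. The page's jonathan.key / jonathan.crt / RootCA.crt are not
# available, so equivalents are generated here; all names below are this example's own.
SMIME_WORK="${SMIME_WORK:-$(mktemp -d)}"

# Generate a scratch root CA and a signer certificate issued by it (skipped if present).
make_pki() {
    [ -f "$SMIME_WORK/jonathan.crt" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Scratch Root CA" \
        -keyout "$SMIME_WORK/RootCA.key" -out "$SMIME_WORK/RootCA.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=jonathan" \
        -keyout "$SMIME_WORK/jonathan.key" -out "$SMIME_WORK/jonathan.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 1 -in "$SMIME_WORK/jonathan.csr" \
        -CA "$SMIME_WORK/RootCA.crt" -CAkey "$SMIME_WORK/RootCA.key" -CAcreateserial \
        -out "$SMIME_WORK/jonathan.crt" >/dev/null 2>&1
}

# sign_file <plaintext> <signed-out>: the page's signing command; produces a
# clear-signed multipart/signed message that carries the signer certificate.
sign_file() {
    openssl smime -sign -inkey "$SMIME_WORK/jonathan.key" \
        -signer "$SMIME_WORK/jonathan.crt" -in "$1" -out "$2"
}

# verify_naive <signed> <cafile> <content-out>: the page's verify command as-is.
# openssl opens <content-out> before verifying, so on failure the file still
# exists: empty when the chain cannot be built, or filled with the unverified
# text when only the signature check fails. The exit status is the only signal.
verify_naive() {
    openssl smime -verify -in "$1" -CAfile "$2" -out "$3"
}

# verify_file <signed> <cafile> <content-out> <signer-out>: verify into a temp
# file and publish content and signer certificate only when openssl reports
# success; returns openssl's exit status.
verify_file() {
    sig=$1; cafile=$2; out=$3; signer=$4
    tmp=$(mktemp "$out.XXXXXX") || return 1
    openssl smime -verify -in "$sig" -CAfile "$cafile" \
        -signer "$signer.tmp" -out "$tmp" 2>/dev/null && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        mv "$tmp" "$out" && mv "$signer.tmp" "$signer" || rc=1
    else
        rm -f "$tmp" "$signer.tmp"
    fi
    return "$rc"
}

demo() {
    make_pki || { echo "could not generate the scratch PKI" >&2; return 1; }
    # Constructed sample input.
    printf 'transfer amount 100 to account A\n' > "$SMIME_WORK/test.txt"
    sign_file "$SMIME_WORK/test.txt" "$SMIME_WORK/test.txt.sig" || return 1

    # 1. Correct trust anchor: content and signer certificate are published.
    if verify_file "$SMIME_WORK/test.txt.sig" "$SMIME_WORK/RootCA.crt" \
            "$SMIME_WORK/out.txt" "$SMIME_WORK/out.crt"; then
        echo "ok: signer $(openssl x509 -in "$SMIME_WORK/out.crt" -noout -subject)"
    fi

    # 2. The page's failure case: the signer's own certificate given as -CAfile.
    if ! verify_naive "$SMIME_WORK/test.txt.sig" "$SMIME_WORK/jonathan.crt" "$SMIME_WORK/naive.txt"; then
        echo "chain failure: -out left with $(wc -c < "$SMIME_WORK/naive.txt") bytes"
    fi

    # 3. Text altered after signing: the chain is fine, the signature check fails,
    #    yet the naive -out file now holds the altered text.
    sed 's/amount 100/amount 900/' "$SMIME_WORK/test.txt.sig" > "$SMIME_WORK/tampered.sig"
    if ! verify_naive "$SMIME_WORK/tampered.sig" "$SMIME_WORK/RootCA.crt" "$SMIME_WORK/naive2.txt"; then
        echo "signature failure: -out holds '$(tr -d '\r' < "$SMIME_WORK/naive2.txt")'"
    fi
}
demo
```

verify_file is the shape to reuse in scripts: it treats openssl's exit status as the only verdict, writes to a temporary name and renames into place only on success, so a consumer that looks for test.txt can never pick up an empty or unverified file.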
===== References =====
* http://linux.chinaunix.net/bbs/archiver/?tid-1008796.html
{{tag>openssl ca pki}}