Error when trying to verify a CMS signature with pkijs

Question (votes: 0, answers: 1)

I am trying to verify a CMS signature created with OpenSSL as follows:

$ openssl cms -sign -signer domain.pem -inkey domain.key -binary -in README.md -outform der -out signature

Here is my code using pkijs:

import * as pkijs from "../src/shared/vendor/pkijs/index.es.js";
import * as pvtsutils from "../src/shared/vendor/pvtsutils/index.es.js";

function decodePEM(pem: string, tag = "[A-Z0-9 ]+"): ArrayBuffer[] {
  const pattern = new RegExp(
    `-{5}BEGIN ${tag}-{5}([a-zA-Z0-9=+\\/\\n\\r]+)-{5}END ${tag}-{5}`,
    "g",
  );

  const res: ArrayBuffer[] = [];
  let matches: RegExpExecArray | null = null;
  // eslint-disable-next-line no-cond-assign
  while ((matches = pattern.exec(pem))) {
    const base64 = matches[1]
      .replace(/\r/g, "")
      .replace(/\n/g, "");
    res.push(pvtsutils.Convert.FromBase64(base64));
  }

  return res;
}

const buffer = pvtsutils.BufferSourceConverter.toArrayBuffer(await Deno.readFile("./domain.pem"));
const pem = pvtsutils.Convert.ToBinary(buffer);
const certificate = pkijs.Certificate.fromBER(decodePEM(pem, "CERTIFICATE")[0]) as pkijs.Certificate;

//const publicKey = await certificate.getPublicKey();

//console.log(publicKey);
//console.log(certificate.signatureAlgorithm);


const cms = pkijs.ContentInfo.fromBER(await Deno.readFile("./signature"));
if (cms.contentType !== pkijs.ContentInfo.SIGNED_DATA) {
  throw new Error("CMS is not Signed Data");
}

const signedData = new pkijs.SignedData({ schema: cms.content });

// Verify Signed Data signature
const ok = await signedData.verify({
  signer: 0,
  checkChain: true,
  trustedCerts: [certificate],
});

console.log(ok);

The certificate is read and parsed correctly, and so is SignedData, but it fails at signedData.verify with the following error:

error: Uncaught (in promise) SignedDataVerifyError: Missed detached data input array
                    throw new SignedDataVerifyError({

What am I doing wrong?

typescript ssl openssl pki
1 answer

0 votes

OK, my bad... I simply forgot to provide the data to verify the signature...

// Verify Signed Data signature
const ok = await signedData.verify({
  signer: 0,
  checkChain: true,
  trustedCerts: [certificate],
  data: await Deno.readFile("./README.md")
});
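
Why the error appears, as an added example that is not part of the original post or of pkijs: `openssl cms -sign` without `-nodetach` writes a detached signature, so the `encapContentInfo` in the file carries no `eContent` and the verifier has to be given README.md separately. The dependency-free DER walk below detects that case before calling `verify`; the function names and the two sample byte strings are constructed for illustration.

```typescript
// Added example: function names and sample bytes are assumptions, not pkijs API.
interface Tlv { tag: number; value: Uint8Array; next: number }

// Read one definite-length DER TLV at `off`; `next` is the offset just past it.
function readTlv(buf: Uint8Array, off: number): Tlv {
  if (off + 2 > buf.length) throw new Error("truncated DER");
  const tag = buf[off];
  let len = buf[off + 1];
  let p = off + 2;
  if (len & 0x80) {
    const n = len & 0x7f; // count of length octets; 0 would be BER indefinite form
    if (n === 0 || n > 4 || p + n > buf.length) throw new Error("unsupported length");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[p++];
  }
  if (p + len > buf.length) throw new Error("truncated DER");
  return { tag, value: buf.subarray(p, p + len), next: p + len };
}

function expectTag(t: Tlv, tag: number, what: string): Tlv {
  if (t.tag !== tag) throw new Error(`expected ${what}`);
  return t;
}

const OID_SIGNED_DATA = "2a864886f70d010702"; // 1.2.840.113549.1.7.2
const toHex = (b: Uint8Array) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// True when encapContentInfo has no eContent, i.e. verify() needs the data passed in.
function cmsIsDetached(der: Uint8Array): boolean {
  const ci = expectTag(readTlv(der, 0), 0x30, "ContentInfo SEQUENCE").value;
  const oid = expectTag(readTlv(ci, 0), 0x06, "contentType OID");
  if (toHex(oid.value) !== OID_SIGNED_DATA) throw new Error("CMS is not Signed Data");
  const wrapped = expectTag(readTlv(ci, oid.next), 0xa0, "[0] content").value;
  const sd = expectTag(readTlv(wrapped, 0), 0x30, "SignedData SEQUENCE").value;
  const version = expectTag(readTlv(sd, 0), 0x02, "version INTEGER");
  const digests = expectTag(readTlv(sd, version.next), 0x31, "digestAlgorithms SET");
  const encap = expectTag(readTlv(sd, digests.next), 0x30, "encapContentInfo").value;
  const eContentType = expectTag(readTlv(encap, 0), 0x06, "eContentType OID");
  return eContentType.next === encap.length; // nothing after the OID => detached
}

// Constructed samples (empty digestAlgorithms and signerInfos; not real signatures).
function fromHex(hex: string): Uint8Array {
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}
const HEAD = "0609" + OID_SIGNED_DATA;
const DETACHED = fromHex("3023" + HEAD + "a0163014020101" + "3100" + "300b06092a864886f70d010701" + "3100");
const ATTACHED = fromHex("3029" + HEAD + "a01c301a020101" + "3100" + "301106092a864886f70d010701a00404026869" + "3100");
```

Run against the `signature` file from the question, `cmsIsDetached` returns true, which is the condition under which `signedData.verify` requires the `data` field.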