I'm very new to Rust and am trying to sign a PNG file to get a CMS signature.
I am using cargo openssl version "0.10.62".

    use openssl::cms::{CMSOptions, CmsContentInfo};
    use openssl::pkey::PKey;
    use openssl::x509::X509;
    use std::fs;

    fn main() {
        // Load the signer certificate, its private key and the content to sign.
        let certificate_contents = fs::read("files/certificate.pem").unwrap();
        let private_key_contents = fs::read("files/private_key.pem").unwrap();
        let image_contents = fs::read("files/image.png").unwrap();

        let signcert = X509::from_pem(&certificate_contents).unwrap();
        let pkey = PKey::private_key_from_pem(&private_key_contents).unwrap();

        // Detached signature: the PNG itself is not embedded in the CMS structure.
        let flags = CMSOptions::DETACHED;
        let cms = CmsContentInfo::sign(
            Some(&signcert),
            Some(&pkey),
            None,
            Some(&image_contents),
            flags,
        )
        .unwrap();

        // Write the CMS structure out in PEM form.
        fs::write("files/signature.pem", cms.to_pem().unwrap()).unwrap();
    }

However, I ran into a problem. The signature.pem file is generated, but verifying it in the terminal with the following command does not pass:

    openssl cms -verify -in signature.pem -inform PEM -content image.png -CAfile certificate.pem -out verified_content -noverify

In the terminal I generate signature.pem with:

    openssl cms -sign -in image.png -signer certificate.pem -inkey private_key.pem -outform PEM -out signature.pem -nodetach

Terminal openssl version:

    OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)

The flags and the way of checking are wrong.
Correct code:

    let flags = CMSOptions::BINARY | CMSOptions::DETACHED;

How to verify the PEM in the terminal:

    openssl cms -verify -in signature.pem -inform PEM -content image.png -CAfile certificate.pem -out verified_image.png -noverify -binary
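
Why the BINARY flag matters for a PNG, as an added example that is not part of the original question or answer: without it, the content is converted to canonical text form (CRLF line endings) before it is digested, and the PNG signature ends in a bare LF. The code is a simplified, std-only model of that conversion; `canonicalize_text`, `first_altered_offset` and the sample bytes are assumptions made for illustration, not OpenSSL's code.

```rust
// Added example: simplified model of the text canonicalisation applied to
// CMS content when BINARY is not set. Function names are hypothetical.

// Constructed sample: the 8-byte PNG signature plus the start of an IHDR chunk.
const PNG_HEAD: [u8; 16] = [
    0x89, b'P', b'N', b'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0x00, 0x00, 0x00, 0x0D, b'I', b'H', b'D', b'R',
];

/// Rewrite each line ending (LF, optionally preceded by CRs) as CRLF.
fn canonicalize_text(data: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(data.len() + 16);
    for line in data.split_inclusive(|&b| b == b'\n') {
        if line.last() == Some(&b'\n') {
            // Drop the LF and any CRs directly before it, then emit CRLF.
            let mut end = line.len() - 1;
            while end > 0 && line[end - 1] == b'\r' {
                end -= 1;
            }
            out.extend_from_slice(&line[..end]);
            out.extend_from_slice(b"\r\n");
        } else {
            // A final fragment without a line ending is copied unchanged.
            out.extend_from_slice(line);
        }
    }
    out
}

/// Offset of the first byte text mode would change, or None when the data
/// is already canonical and the digest is the same with or without BINARY.
fn first_altered_offset(data: &[u8]) -> Option<usize> {
    let canon = canonicalize_text(data);
    if canon.as_slice() == data {
        return None;
    }
    let common = data.len().min(canon.len());
    Some((0..common).find(|&i| data[i] != canon[i]).unwrap_or(common))
}

fn main() {
    match first_altered_offset(&PNG_HEAD) {
        Some(off) => println!("text mode alters byte {}: use BINARY on both sides", off),
        None => println!("content is already canonical text"),
    }
}
```

A signature made over the converted bytes does not match a digest taken over the raw file, so the signing flags and the `-binary` option at verification have to agree.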