我正在尝试验证数字签名电子邮件的签名。它知道签名是正确的,因为 Outlook 会验证它。我正在使用 SignedCms 来执行验证
我有以下消息:
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="boundary1"
--boundary1
Content-Type: multipart/mixed;
boundary="boundary2"
--boundary2
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
some text in the body
of the message
--boundary2
Content-Type: application/something;
name="somefile.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="somefile.txt"
FkrMjIwOjE1OCdRVFkrMjIwOjE3NidRVFkrMjIwOjE5MydRVFkrMjIwOjIwNydR
VFkrMjIwOjIyMidRVFkrMjIwOjIzNCdRVFkrMjIwOjI0NSdRVFkrMjIwOjI1OCdRVFkrMjIwOjI2
NidRVFkrMjIwOjI3NydRVFkrMjIwOjI4NSdRVFkrMjIwOjI5MSdRVFkrMjIwOjI5OCdRVFkrMjIw
OjMwMidRVFkrMjIwOjMwNidRVFkrMjIwO
--boundary2--
--boundary1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIIEAYJKoZIhvcNAQcCoIIIATCCB/0CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3
DQEHAaCCBW4wggVqMIIEUqADAgECAg4YHgABAAIO2xMJhvDULzANBgkqhkiG9w0B
AQUFADB8MQswCQYDVQQGEwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIgR21i
--boundary1--
我在验证它的签名时遇到了很大的麻烦。
这就是我尝试这样做的方式: EmailMessage 消息 = results.ElementAt(13) as EmailMessage; 消息.Load();
var attachments = message.Attachments;
foreach (var attachment in attachments)
{
var fAttachment = attachment as FileAttachment;
fAttachment.Load();
string fullMailData = Encoding.UTF8.GetString(fAttachment.Content);
FileToolbox.WriteStringToFile(@"C:\BeforeDecoding.txt", fullMailData);
var lines = fullMailData.Split('\n');
string signature = "";
string dataPlain = "";
//These line numbers do not correspond to the example,
//because it is altered to hide the real email
for (int i = 12 - 1; i <= 13 - 1; i++)
{
dataPlain += lines[i];
}
//These line numbers do not correspond to the example
//because it is altered to hide the real email
for (int i = 56 - 1; i <= 99 - 1; i++)
{
signature += lines[i];
}
var signedCms = new SignedCms(new ContentInfo(Encoding.ASCII.GetBytes(dataPlain)));
signedCms.Decode(base64_decode(signature));
signedCms.CheckHash();
signedCms.CheckSignature(true);
因此,在上面的示例中,我仅使用带有 text/plain 的正文来检查签名。我还尝试了以下部分:
- 从 --boundary1 到 --boundary1 的所有内容都会再次出现。
- 仅使用 Base64 加密的正文部分(然后进行 Base64 解码)
- 两个实体的合并
- 我尝试保留\r 和\n 值
- 我尝试仅保留\r 值
每个都返回无效的哈希值。
我做错了什么?我应该将消息的哪一部分传递给 new SignedCms()?
对解决方案的额外评论 由于来自 Web 方法的 PKCS#7/CMS 消息始终是分离的,因此应根据此 somewhat acceptable source 使用 detached = true 实例化signedcms
public SignedCms(
ContentInfo contentInfo,
bool detached
)
对于我的 MWE,我将完整的文件内容保存到一个文件中,然后手动删除了一些行。我没有将字符串分开(还......)。所以我的 MWE 最终是这样的:
var fullMessageBytes = File.ReadAllBytes(@"C:\fAttachment_content.txt");
var isoEncoding = Encoding.GetEncoding("iso-8859-1");
var fullMessageString = isoEncoding.GetString(fullMessageBytes);
var messageBytes = File.ReadAllBytes(@"C:\message_body.txt");
var messageBytesString = isoEncoding.GetString(messageBytes);
var signatureStringReadIn = File.ReadAllText(@"C:\certToReadIn.txt");
var signatureStringReadInBytes = Convert.FromBase64String(signatureStringReadIn);
var signedCms = new SignedCms(new ContentInfo(messageBytes), true);
signedCms.Decode(signatureStringReadInBytes);
signedCms.CheckSignature(false);
最佳答案
这是从 --boundary1 到 --boundary1 再次出现的所有内容,但不要忘记前导 --boundary1 之后的 crlf 和尾随 --boundary1 之前的 crlf 分别是边界,因此不得进行散列。
有关示例,请查看规范 RFC 5751第 3.4.3.3 节。 示例多部分/签名消息。
如果我是你,我会尝试不将内容从字节转换为字符串,然后再转换回字节。相反,我会在字节数组中工作。您的转变总是伴随着更改内容的风险。
关于c# - 验证带有附件 "the hash value is not correct"的数字签名电子邮件,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/17814748/