PKCS7 encryption

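I need your support. I want to do PKCS encryption using my certificate and a third-party certificate.

I have the following components and want a PKCS7-encrypted output file.

Source file: PayFile_143_2300000004_20170508_161457.txt

My login certificate: mycertificate.cer, and its private key is keyfile.key

Third-party bank certificate (public): public_2017-2018_base64enc.cer

So, if I use the command below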

openssl smime -sign -signer mycertificate.cer -inkey keyfile.key -in PayFile_143_2300000004_20170508_161457.txt | openssl smime -encrypt -out PayFile_143_2300000004_20170508_161457.txt.smime public_2017-2018_base64enc.cer mycertificate.cer

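will I get the correct PKCS7-encrypted output file? Please let me know.

But when the bank decrypts it on their end, they face a header problem.

Below is the decryption log provided by the bank.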

starting ReceiveMsg...
logging in...
login successful
getting decryption key and verification certificate...
decryption key and verification certificate extracted
creating mime session
session created
opening mime envelope
message Content-Type [application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"]
message Content-Description [null]
message Content-Disposition [attachment]
message Content-Transfer-Encoding [base64]
getting mime message content
content handler [oracle.security.crypto.smime.SmimeEnveloped]
---------------------------------------
processing encrypted content
content decrypted
decrypted Content-Type [multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----DA713A069014AEA715F4E38046E2CA0F"]
content handler [oracle.security.crypto.smime.SmimeMultipartSigned]
-Multipart 1-
Multipart Content-Type [multipart/signed; protocol="application/pkcs7-signature";
      boundary="SMS:gW4H/s2Z6GzgMG1DTTNnUi3TmH8="]
Multipart contains [2] body parts
Part 0 Content-Type [text/plain]
Part 0 Content-Description [null]
Part 0 Content-Disposition [null]
Part 0 Content-Transfer-Encoding [null]
Part 0 Content-ID [null]
Part 0 Content-Language [null]
Part 0 Content-MD5 [null]
Part 0 File-Name [null]
Part 0 Header name [], value [20:61]
Part 0 Header name [], value [23B:CRED]
Part 0 Header name [], value [32A:170508RUB100,00]
Part 0 Header name [], value [50K:/40702810200101102376]
Part 0 Header name [???7743170710.???774301001], value [???7743170710.???774301001]
Part 0 Header name [], value [57D://RU044525460.40702840401735933455]
Part 0 Header name [??? ?????????], value [??? ?????????]
Part 0 Header name [115054, ?????????? ???????, ??? 2, ?????], value [115054, ?????????? ???????, ??? 2, ?????]
Part 0 Header name [??????,,RU,], value [??????,,RU,]
Part 0 Header name [], value [59:/40702840401735933455]
Part 0 Header name [???7704662571.???770901001], value [???7704662571.???770901001]
Part 0 Header name [??? "????? ?????? ????? ???????"], value [??? "????? ?????? ????? ???????"]
Part 0 Header name [,??.???????? ???,9], value [,??.???????? ???,9]
Part 0 Header name [??????,,RU,105064], value [??????,,RU,105064]
Part 0 Header name [], value [70:??????????, ???????? ???? ????????? ? ????????????]
Part 0 Header name [], value [71A:SHA]
Part 0 Header name [], value [72:/RPP/61.170508.3.ELEK.170508]
content handler [java.lang.String]
-Multipart 1-
Content-Type=Cp1251
charset=null
writing text mime data to file 
data length=0
data =
done...

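Could you check and let me know where the problem is?

Thanks for your help!! Thanks, Nikhil

Answer 1

It looks like the bank is decrypting, but cannot parse the SMIME that represents the signed file. Was this sent via email? Have you tried changing the format of the signed file with "-outform PEM"?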

openssl smime -sign -signer mycertificate.cer -inkey keyfile.key -in PayFile_143_2300000004_20170508_161457.txt -outform PEM | openssl smime -encrypt -out PayFile_143_2300000004_20170508_161457.txt.smime public_2017-2018_base64enc.cer mycertificate.cer

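Here is a short script that sends a signed and encrypted message. Replace the environment variables with the values for you and your bank. Also note that I use cert.pem and key.pem. That is just my preference, so that I can easily tell whether certificate and key files are in PEM or DER format. This was written and tested on CentOS 7 with OpenSSL 1.0.1e-fips 11 Feb 2013. Postfix is the MTA, so the "sendmail" command is the "Postfix to Sendmail compatibility interface".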

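#!/bin/bash

# Sender: display name/address, signing certificate and private key (PEM).
FROM="Your Name <[email protected]>"
FROMCERT=cert.pem
FROMKEY=key.pem
# Recipient address.
TO="[email protected]"
# Certificates to encrypt to: the bank's and the sender's own.
TOCERTS="bankcert.pem cert.pem"
SUBJECT="Signed and Encrypted Email Test - $(date)"

# Prepend a MIME header and a blank line to the file, sign it, encrypt the
# signed message to the recipients, and hand the result to sendmail.
(echo -e "Content-Type: text/plain; charset=windows-1251\n"; cat file.txt) \
| openssl smime -sign \
  -signer ${FROMCERT} \
  -inkey ${FROMKEY} \
| openssl smime -encrypt \
  -from "${FROM}" \
  -to "${TO}" \
  -subject "${SUBJECT}" \
  -des3 \
  ${TOCERTS} \
| sendmail -t -f "${FROM}" -F "${FROM}"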
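
The bank's log lists the payload lines as Part 0 headers and ends with data length=0, while the script in the answer puts a Content-Type header and a blank line in front of the file before signing. The following added example (not part of the original answer) round-trips both variants locally with throwaway self-signed keys and prints what ends up as the body of part 0; the names sender, bank and payfile.txt, the payload, and the -aes256 cipher are assumptions made for the demo.

```bash
#!/bin/bash
# Added example: sign-then-encrypt round trip with throwaway keys, then look at
# part 0 of the decrypted message the way a MIME parser would.
# sender/bank/payfile.txt and the payload are constructed for this demo.
set -eu
cd "$(mktemp -d)"

make_identity() {   # $1 = name -> $1.key and self-signed $1.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

payload() {         # $1 = bare | mime
  if [ "$1" = mime ]; then   # header block + blank line, as the answer's script does
    printf 'Content-Type: text/plain; charset=windows-1251\n\n'
  fi
  cat payfile.txt
}

build() {           # $1 = bare | mime -> $1.p7m (signed, then encrypted to bank)
  payload "$1" \
  | openssl smime -sign -signer sender.pem -inkey sender.key \
  | openssl smime -encrypt -aes256 -out "$1.p7m" bank.pem  # answer's script uses -des3
}

decrypt() {         # what the recipient holds after decryption: multipart/signed text
  openssl smime -decrypt -in "$1.p7m" -recip bank.pem -inkey bank.key
}

part0_body() {      # body of the first MIME part = lines after its first blank line
  decrypt "$1" | tr -d '\r' | awk '
    /^------/          { n++; next }   # OpenSSL boundary lines separate the parts
    n == 1 && body     { print }
    n == 1 && $0 == "" { body = 1 }'
}

signature_ok() {    # inner signature verifies against the sender certificate
  decrypt "$1" | openssl smime -verify -CAfile sender.pem >/dev/null 2>&1
}

printf ':20:61\n:23B:CRED\n:32A:170508RUB100,00\n' > payfile.txt   # constructed payload
make_identity sender
make_identity bank
build bare
build mime
echo "bare: part 0 body is $(part0_body bare | wc -c) bytes"
echo "mime: part 0 body follows"; part0_body mime
```

Both variants decrypt and verify; only the one with the header block and blank line leaves the payment lines in the body of part 0. The empty body of the bare variant is the same symptom as the data length=0 line in the bank's log.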
