How to decrypt an AS2 message (SMIME) with OpenSSL

by Rajind Ruparathna

I have been involved in the AdroitLogic AS2Gateway, a SaaS B2B AS2 messaging platform for almost two years now. One of the common issues we see in the users who are getting started with AS2 is decryption failure. In this blog post, we will look at what encryption and decryption are in AS2 protocol. We will cover how to decrypt an AS2 message and some tips on figuring out the cause for certain decryption failures.

Encryption in AS2 Protocol

The AS2 protocol uses public-key (asymmetric) cryptography for encryption: the receiver’s public key is used for encryption and the receiver’s private key is used for decryption, as shown below.

Assuming the receiver’s private key has not been compromised, encrypting data and messages offers the following security benefits.

  • Confidentiality — Ensures that only the intended recipient can decrypt and view the contents; that is, the content is encrypted with the recipient’s public key and hence can only be decrypted with the receiver’s private key.

  • Data Integrity — Determines whether the file or data the receiver got was altered along the way. Part of the decryption process involves verifying that the contents of the original encrypted message and the new decrypted contents match. The slightest change to the original content would cause the decryption process to fail.

Let’s get to work!

For demonstration purposes, we will be using an incoming AS2 message to the AS2Gateway. Since we are only focusing on decryption in this blog post, the incoming AS2 message is not signed or compressed.

Downloading Raw Message and Transport Headers

Once we have received an AS2 message, we can see the received message in the inbox view in AS2Gateway as shown below.

Then we can click on the message subject (in this case it is “Sample Encrypted Message”) to go to the detailed view of the received message as shown below.

Now you can click on the “Raw Message” button and “Download Transport Headers” button to download the unprocessed AS2 message payload and transport headers we received from the partner, respectively. The raw message will be downloaded to a file named message.raw. The transport headers will be downloaded to a file named headers.raw.

Getting the Receiver’s Public and Private Key

Now that we have the raw message and transport headers, we need the receiver’s public and private keys. As for the public key, you can directly download it by clicking the PEM (purple) button from the certificates view (shown below) in the AS2Gateway. For the private key, you will have to first download the JKS (identity.jks). You do this by clicking on the JKS (red) button from the certificates view and extract the private key from the JKS. Check out my step by step guide on extracting private key from JKS for more details.

Note that you’ll need the key password and key store password when extracting the private key. If you do not remember them you can view more details on the certificate by clicking on the common name (in this case the common name on the relevant AS2 Station for this demonstration is “RJ_LOCAL”). From there you should be able to find the relevant passwords.

Before we proceed with the next steps, let’s make sure we have everything we need in place.

  • Raw message (message.raw)
  • Transport headers (headers.raw)
  • Receiver’s private key (private_key.pem)
  • Receiver’s public key (cert.pem)

Analyzing the HTTP Transport Headers

Let’s first take a look at the transport headers before we proceed.

As you can see, there are a number of headers, so let us focus only on the few that matter for decrypting the AS2 message.

  • The content-type header suggests that we have an encrypted payload in the outermost layer.

  • The content-disposition header gives the file name of the payload as test_message.txt.

  • The mime-version is 1.0.

If you are interested in knowing more in-depth details the best place to start would be the AS2 RFC 4130.

So now, we know that the payload is encrypted (which should be the case since that is the type we selected for this demo). We know that the file name is test_message.txt. Great. Now we have almost everything we need to perform the decryption. A few more steps to go.

Encoding Raw Message in Base64

Since we are working with an encrypted raw message here, it is always better to convert it to base64 so that we can safely play with it using text editors. Of course one can and should be able to proceed without converting it to base64 as well. I prefer to convert the raw message to base64 for convenience in the next steps. Let’s run the below command (here we use the ‘base64’ command line tool) to convert the raw message to base64. Note that it is very important to have the parameter ‘--break=64’, which breaks the base64 output into lines of 64 characters, or else you might run into an error during decryption.

base64 message.raw --break=64 > base64_message.raw

From now on, we will be working on the base64_message.raw file.

Adding Required Headers

Do you remember that we talked about a few important transport headers when we were looking at the transport headers? Now is the time to use them. We need to add those headers to our base64_message.raw file so that the final output would be as follows. (Let’s take the new file as base64_message_with_headers.raw). Note that the blank line between the headers and the base64 encoded payload is intentional. You might notice that in addition to the headers we talked about earlier, we have added ‘content-transfer-encoding: base64’ to denote that content is in base64.

Decrypting…

It’s time to run the decryption command. Here we use the ‘smime’ tool by OpenSSL.

openssl smime -decrypt -in base64_message_with_headers.raw -recip cert.pem -inkey private_key.pem >> test_message.txt

Once you run the command you should have the output in the test_message.txt file. Note that in this case, we will get the plain text output since we used a payload without compression and signing.

This is a test message for the demonstration of AS2 decryption by OpenSSL.

As I stated before, if the base64 output is not split into lines with 64 characters, you may get an error similar to the following. I thought of adding that for completeness so that whoever else faces that issue may find the solution here.

That concludes the steps on decrypting the payload. Even though we’ve looked at doing the decryption entirely using command line tools in this article, this can be done using a few lines of Java code as well. I hope to cover it in a future article.

Bonus Pack

Before signing off, I would like to share some bonus details that would help you identify the cause of certain decryption failure scenarios. The first one is on how to find out the encryption algorithm used.

Finding out the Encryption Algorithm Used

In order to find the encryption algorithm used, we can use the asn1parse tool by OpenSSL. Let us run the following command to get the asn1parse output. (Note that if you run the command without the ‘-inform der’ parameter you might get an error as ‘Error: offset too large’)

openssl asn1parse -inform der -in message.raw

The output would be as follows. As you can see below, there are roughly two main parts shown here in ASN.1 notation: the pkcs7-envelopedData part and the pkcs7-data part. In the pkcs7-data part, we have ‘des-ede3-cbc’, which is the encryption algorithm used.

Finding out the Public Key Used for Encryption

The bonus package is not done yet ;-). Sometimes it is important to figure out the certificate used in encryption to make sure that the sender has used the correct public key of the recipient. If you look at the asn1parse output above, you should see that we have commonName, organizationName etc. in the pkcs7-envelopedData section. These are the details of the certificate used to encrypt the AS2 payload.

Now after the countryName entry, you might see a line as follows.

122:d=9 hl=2 l= 4 prim: PRINTABLESTRING :None
128:d=6 hl=2 l= 6 prim: INTEGER :01627AE13D2D

This is the certificate serial in hex, and with this you can verify whether the correct public key has been used during the encryption.
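
The whole procedure above (base64 wrapping, adding the headers, decrypting, then the two asn1parse checks) as an added shell example that is not part of the original post. The key pair, certificate and message.raw are generated locally as throwaway stand-ins for the gateway downloads, the header values are assumed because the post does not show them, and `openssl base64` (64-character lines by default) is used in place of `base64 --break=64`, which is the macOS/BSD flag (GNU coreutils uses `-w 64`).

```shell
#!/bin/sh
# Added example. Key, certificate and message are constructed, throwaway inputs.
set -eu

make_inputs() {  # stands in for the files downloaded from the gateway
  printf 'This is a test message for the demonstration of AS2 decryption by OpenSSL.\n' > plain.txt
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=RJ_LOCAL' \
    -keyout private_key.pem -out cert.pem 2>/dev/null
  # DER envelopedData encrypted with 3DES, like the article's message.raw
  openssl smime -encrypt -des3 -binary -outform DER \
    -in plain.txt -out message.raw cert.pem
}

wrap_message() {
  # openssl base64 emits 64-character lines by default
  openssl base64 -in message.raw -out base64_message.raw
  {
    printf 'mime-version: 1.0\n'                      # header values are assumed
    printf 'content-type: application/pkcs7-mime; smime-type=enveloped-data\n'
    printf 'content-disposition: attachment; filename="test_message.txt"\n'
    printf 'content-transfer-encoding: base64\n'
    printf '\n'  # the blank line ends the header block
    cat base64_message.raw
  } > base64_message_with_headers.raw
}

decrypt_message() {
  openssl smime -decrypt -in base64_message_with_headers.raw \
    -recip cert.pem -inkey private_key.pem -out test_message.txt
}

content_cipher() {  # first OBJECT after the pkcs7-data content type
  openssl asn1parse -inform der -in message.raw |
    awk -F: 'seen && /OBJECT/ { print $NF; exit } /:pkcs7-data/ { seen = 1 }'
}

serial_matches() {  # is cert.pem's serial the one named in the envelope?
  serial=$(openssl x509 -in cert.pem -noout -serial | cut -d= -f2)
  openssl asn1parse -inform der -in message.raw | grep -q "INTEGER *:${serial}\$"
}

workdir=$(mktemp -d) && cd "$workdir"
make_inputs && wrap_message && decrypt_message
cmp -s plain.txt test_message.txt || { echo "decrypted text differs" >&2; exit 1; }
echo "content encryption algorithm: $(content_cipher)"
serial_matches && echo "recipient serial matches cert.pem"
```

Against a real message, skip `make_inputs` and place the downloaded message.raw, cert.pem and private_key.pem in the working directory; a failing `serial_matches` then means the sender encrypted to a different certificate.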

That concludes the bonus pack. May all your AS2 decryption failures go away.

Originally published at notebookbft.wordpress.com on March 17, 2019.

Translated from: https://www.freecodecamp.org/news/how-to-decrypt-an-as2-message-smime-with-openssl-d47fda5fd7db/
