
Anatomy of CMS/PKCS #7 signed messages
CMS (Cryptographic Message Syntax) and PKCS #7 are standards that define an ASN.1-based syntax for encapsulating cryptographic messages, digital signatures and enveloped data, together with associated content, attributes and certificates. A CMS signed message always contains the digital signature (encrypted hash) and information about the signer(s), which is usually the SubjectName of the issuer of the signing certificate and the Serial Number field of the signer's certificate. Optionally, the signed message can contain the actual data signed, certificates and extra authenticated attributes.
A hex display of a typical CMS/PKCS #7 signed message is shown below; it includes the content and the signer's certificate, but no authenticated attributes. The actual "digital signature" is formed by encrypting a formatted standard Type 1 signature block, which contains a hash of the data covered by the signature and the hash algorithm specifier. The signature block is encrypted with the private RSA key associated with the signer's certificate. In this simple case, the signature represents the encrypted hash of the embedded content, which here is a simple string. If authenticated attributes are included (e.g. signing time), then the hash value covers the content as well as the specified authenticated attributes. The display uses color-coding to highlight specific data sections. Sections not highlighted (black) are ASN.1 specifiers and other attributes, algorithms etc.
- embedded content (including CR/LF)
- light-blue: signer certificate
- dark-blue: signer public key blob within certificate (RSAPublicKey format)
- dark-red: PKCS #1 signature (encrypted hash): 128 bytes for 1024 bit RSA key
0000 30 82 03 AA 06 09 2A 86 48 86 F7 0D 01 07 02 A0  0.....*.H.......
0010 82 03 9B 30 82 03 97 02 01 01 31 0B 30 09 06 05  ...0......1.0...
0020 2B 0E 03 02 1A 05 00 30 1E 06 09 2A 86 48 86 F7  +......0...*.H..
0030 0D 01 07 01 A0 11 04 0F 4D 69 74 63 68 20 47 61  ........Mitch Ga
0040 6C 6C 61 6E 74 0D 0A A0 82 02 48 30 82 02 44 30  llant.....H0..D0
0050 82 01 AD 02 04 3B 49 FD BD 30 0D 06 09 2A 86 48  .....;I..0...*.H
0060 86 F7 0D 01 01 04 05 00 30 69 31 0B 30 09 06 03  ........0i1.0...
0070 55 04 06 13 02 43 41 31 0B 30 09 06 03 55 04 08  U....CA1.0...U..
0080 13 02 4F 4E 31 0F 30 0D 06 03 55 04 07 13 06 4F  ..ON1.0...U....O
0090 74 74 61 77 61 31 14 30 12 06 03 55 04 0A 13 0B  ttawa1.0...U....
00a0 4A 61 76 61 53 63 69 65 6E 63 65 31 0D 30 0B 06  JavaScience1.0..
00b0 03 55 04 0B 13 04 48 6F 6D 65 31 17 30 15 06 03  .U....Home1.0...
00c0 55 04 03 13 0E 4D 69 63 68 65 6C 20 47 61 6C 6C  U....Michel Gall
00d0 61 6E 74 30 1E 17 0D 30 31 30 37 30 39 31 38 35  ant0...010709185
00e0 33 34 39 5A 17 0D 30 33 30 36 30 39 31 38 35 33  349Z..0306091853
00f0 34 39 5A 30 69 31 0B 30 09 06 03 55 04 06 13 02  49Z0i1.0...U....
0100 43 41 31 0B 30 09 06 03 55 04 08 13 02 4F 4E 31  CA1.0...U....ON1
0110 0F 30 0D 06 03 55 04 07 13 06 4F 74 74 61 77 61  .0...U....Ottawa
0120 31 14 30 12 06 03 55 04 0A 13 0B 4A 61 76 61 53  1.0...U....JavaS
0130 63 69 65 6E 63 65 31 0D 30 0B 06 03 55 04 0B 13  cience1.0...U...
0140 04 48 6F 6D 65 31 17 30 15 06 03 55 04 03 13 0E  .Home1.0...U....
0150 4D 69 63 68 65 6C 20 47 61 6C 6C 61 6E 74 30 81  Michel Gallant0.
0160 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00  .0...*.H........
0170 03 81 8D 00 30 81 89 02 81 81 00 B9 12 F5 CE D7  ....0...........
0180 BA 74 C4 62 4E 9F 41 E6 85 90 2B 47 36 AF 86 B5  .t.bN.A...+G6...
0190 5C 74 31 F4 45 A5 9A BA 52 D7 FE EC 1C 94 C7 5D  \t1.E...R......]
01a0 85 8A E6 4B 9D 81 1C 80 61 C6 D1 5B 53 86 B3 5C  ...K....a..[S..\
01b0 E0 41 D1 E1 E5 73 F0 75 52 C0 A7 73 05 6B AC E6  .A...s.uR..s.k..
01c0 39 8A 41 55 14 D9 CA ED 86 1F EE 4D 0C 46 91 2F  9.AU.......M.F./
01d0 BF 7D 50 75 11 8D 02 B3 C7 D8 BD 57 CB 42 49 92  .}Pu.......W.BI.
01e0 B3 26 9A 07 A3 5A B2 63 26 BA D8 E6 2C 83 91 B0  .&...Z.c&...,...
01f0 3D 11 81 10 33 7A A8 C0 6A 0B 8D 02 03 01 00 01  =...3z..j.......
0200 30 0D 06 09 2A 86 48 86 F7 0D 01 01 04 05 00 03  0...*.H.........
0210 81 81 00 2D 7B 1E 63 8A 86 4E 24 E9 F3 B3 49 77  ...-{.c..N$...Iw
0220 A5 82 6D 31 25 1A 03 E9 B9 AC 30 86 FC F9 43 9B  ..m1%.....0...C.
0230 C6 92 33 69 19 9D 51 71 A9 8F E4 B5 03 AA B6 5A  ..3i..Qq.......Z
0240 F2 B5 15 C0 56 D9 6F 70 94 C6 C0 4E 66 5A E3 94  ....V.op...NfZ..
0250 F5 39 5B ED 5E A5 FC 09 D9 16 3C 06 AD 97 25 08  .9[.^.....<...%.
0260 A5 4B 63 77 78 68 54 54 FB EE 55 D9 C9 4D 29 F9  .KcwxhTT..U..M).
0270 60 68 9B 85 D0 44 52 6F 65 F7 82 28 F4 2F 2F 1D  `h...DRoe..(.//.
0280 41 92 50 11 88 32 13 06 2A 2F 2F BD DC 49 54 3E  A.P..2..*//..IT>
0290 CA D2 7A 31 82 01 17 30 82 01 13 02 01 01 30 71  ..z1...0......0q
02a0 30 69 31 0B 30 09 06 03 55 04 06 13 02 43 41 31  0i1.0...U....CA1
02b0 0B 30 09 06 03 55 04 08 13 02 4F 4E 31 0F 30 0D  .0...U....ON1.0.
02c0 06 03 55 04 07 13 06 4F 74 74 61 77 61 31 14 30  ..U....Ottawa1.0
02d0 12 06 03 55 04 0A 13 0B 4A 61 76 61 53 63 69 65  ...U....JavaScie
02e0 6E 63 65 31 0D 30 0B 06 03 55 04 0B 13 04 48 6F  nce1.0...U....Ho
02f0 6D 65 31 17 30 15 06 03 55 04 03 13 0E 4D 69 63  me1.0...U....Mic
0300 68 65 6C 20 47 61 6C 6C 61 6E 74 02 04 3B 49 FD  hel Gallant..;I.
0310 BD 30 09 06 05 2B 0E 03 02 1A 05 00 30 0D 06 09  .0...+......0...
0320 2A 86 48 86 F7 0D 01 01 01 05 00 04 81 80 AB 8E  *.H.............
0330 66 F8 71 F4 47 EC 96 2F 1D AA 48 7A 86 45 76 D5  f.q.G../..Hz.Ev.
0340 CB 3E 31 CC 34 56 38 9C 5C 60 B7 3E D9 A6 89 D9  .>1.4V8.\`.>....
0350 E4 FC FF B2 E8 2B 41 C3 50 29 A2 F9 59 F1 19 00  .....+A.P)..Y...
0360 26 4D 30 FC AB 37 F1 62 BC F4 86 3E 55 3B 84 7E  &M0..7.b...>U;.~
0370 A6 11 27 01 A7 EB A8 46 A1 E8 08 1D C2 AF 95 0B  ..'....F........
0380 25 2B 46 52 A8 99 6B E3 D9 65 24 CA B8 39 5F 89  %+FR..k..e$..9_.
0390 6C 84 C1 AD 83 6F B5 9E 44 37 6F D5 3D 71 82 39  l....o..D7o.=q.9
03a0 22 EF 09 2F 92 8B 25 AE 9A BB 41 E7 1D EE        "../..%...A...

For comparison, a minimal CMS/PKCS #7 signed message (signed with a different certificate, and with different content) which does not include certificates is shown below:
0000 30 82 01 FE 06 09 2A 86 48 86 F7 0D 01 07 02 A0  0.....*.H.......
0010 82 01 EF 30 82 01 EB 02 01 01 31 0F 30 0D 06 09  ...0......1.0...
0020 2A 86 48 86 F7 0D 01 01 05 05 00 30 45 06 09 2A  *.H........0E..*
0030 86 48 86 F7 0D 01 07 01 A0 38 04 36 54 68 65 20  .H.......8.6The
0040 56 65 6E 74 75 72 65 73 20 61 72 65 20 74 68 65  Ventures are the
0050 20 62 65 73 74 20 73 75 72 66 2D 69 6E 73 74 72   best surf-instr
0060 75 6D 65 6E 74 61 6C 20 62 61 6E 64 20 65 76 65  umental band eve
0070 72 21 31 82 01 8C 30 82 01 88 02 01 01 30 81 E1  r!1...0......0..
0080 30 81 CC 31 17 30 15 06 03 55 04 0A 13 0E 56 65  0..1.0...U....Ve
0090 72 69 53 69 67 6E 2C 20 49 6E 63 2E 31 1F 30 1D  riSign, Inc.1.0.
00a0 06 03 55 04 0B 13 16 56 65 72 69 53 69 67 6E 20  ..U....VeriSign
00b0 54 72 75 73 74 20 4E 65 74 77 6F 72 6B 31 46 30  Trust Network1F0
00c0 44 06 03 55 04 0B 13 3D 77 77 77 2E 76 65 72 69  D..U...=www.veri
00d0 73 69 67 6E 2E 63 6F 6D 2F 72 65 70 6F 73 69 74  sign.com/reposit
00e0 6F 72 79 2F 52 50 41 20 49 6E 63 6F 72 70 2E 20  ory/RPA Incorp.
00f0 42 79 20 52 65 66 2E 2C 4C 49 41 42 2E 4C 54 44  By Ref.,LIAB.LTD
0100 28 63 29 39 38 31 48 30 46 06 03 55 04 03 13 3F  (c)981H0F..U...?
0110 56 65 72 69 53 69 67 6E 20 43 6C 61 73 73 20 31  VeriSign Class 1
0120 20 43 41 20 49 6E 64 69 76 69 64 75 61 6C 20 53   CA Individual S
0130 75 62 73 63 72 69 62 65 72 2D 50 65 72 73 6F 6E  ubscriber-Person
0140 61 20 4E 6F 74 20 56 61 6C 69 64 61 74 65 64 02  a Not Validated.
0150 10 01 47 8A E1 E3 BF E9 99 FB C0 AA 9D 92 D9 ED  ..G.............
0160 38 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00  80...*.H........
0170 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 04  0...*.H.........
0180 81 80 08 4F 8F C8 0E 15 62 91 4F F8 A7 38 95 88  ...O....b.O..8..
0190 C3 83 90 09 D5 AE B3 3D BD 22 2D FC AE 18 91 CF  .......=."-.....
01a0 DC CC F6 B8 7B 18 8B 90 B6 FC D3 A5 2A 00 12 7F  ....{.......*...
01b0 30 CC B1 2E 1F 32 77 1C 10 F2 FF C8 E5 16 D2 16  0....2w.........
01c0 E2 D4 DD F2 32 B9 87 46 B2 F1 08 EC 26 31 85 21  ....2..F....&1.!
01d0 56 75 71 EA 91 4D 60 F1 82 B6 9D 3F 21 4D E1 59  Vuq..M`....?!M.Y
01e0 3C 1D D1 B2 10 E6 90 EE B2 09 F6 11 8C 21 5B 38  <............![8
01f0 F2 96 21 DD FF 46 F6 8C D7 61 44 00 5B 2E 21 7E  ..!..F...aD.[.!~
0200 8E 3B                                            .;
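
The 128-byte value that closes each dump is the PKCS #1 signature formed from the Type 1 block described earlier. As an added example (not code from the original page), the Python below builds that block for the first message's content and checks a signature by re-encoding the block and comparing every byte; the toy key made from two Mersenne primes and all function names are assumptions for the example, and the key offers no security.

```python
import hashlib
import hmac

# Constructed toy key (assumption, not from the page, not secure): two Mersenne
# primes, chosen only so the example is reproducible without a crypto library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus size in bytes (141 here, 128 on the page)

# DER header of DigestInfo for SHA-1: SEQUENCE { AlgorithmIdentifier, OCTET STRING (20) }
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def type1_block(data, k=K):
    """00 01 FF..FF 00 || DigestInfo(SHA-1, hash of data), padded to k bytes."""
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(data):
    """Private-key operation on the formatted block (the 'encrypted hash')."""
    return pow(int.from_bytes(type1_block(data), "big"), D, N).to_bytes(K, "big")

def recover(sig):
    """Public-key operation: returns the block the signer formatted."""
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        raise ValueError("signature out of range")
    return pow(s, E, N).to_bytes(K, "big")

def verify(data, sig):
    """Re-encode the expected block and compare all K bytes, padding included."""
    try:
        return hmac.compare_digest(recover(sig), type1_block(data))
    except ValueError:
        return False
```

Comparing the whole re-encoded block, rather than parsing the recovered bytes and reading only the hash, means malformed padding or trailing data is rejected along with a wrong digest.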
An ASN.1 dump for the second minimal signed message above is shown below:
   0 30  510: SEQUENCE {
   4 06    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
  15 A0  495:   [0] {
  19 30  491:     SEQUENCE {
  23 02    1:       INTEGER 1
  26 31   15:       SET {
  28 30   13:         SEQUENCE {
  30 06    9:           OBJECT IDENTIFIER
            :             sha1withRSAEncryption (1 2 840 113549 1 1 5)
  41 05    0:           NULL
            :           }
            :         }
  43 30   69:       SEQUENCE {
  45 06    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
  56 A0   56:         [0] {
  58 04   54:           OCTET STRING
            :             'The Ventures are the best surf-instrumental band'
            :             ' ever!'
            :           }
            :         }
 114 31  396:       SET {
 118 30  392:         SEQUENCE {
 122 02    1:           INTEGER 1
 125 30  225:           SEQUENCE {
 128 30  204:             SEQUENCE {
 131 31   23:               SET {
 133 30   21:                 SEQUENCE {
 135 06    3:                   OBJECT IDENTIFIER organizationName (2 5 4 10)
 140 13   14:                   PrintableString 'VeriSign, Inc.'
            :                   }
            :                 }
 156 31   31:               SET {
 158 30   29:                 SEQUENCE {
 160 06    3:                   OBJECT IDENTIFIER
            :                     organizationalUnitName (2 5 4 11)
 165 13   22:                   PrintableString 'VeriSign Trust Network'
            :                   }
            :                 }
 189 31   70:               SET {
 191 30   68:                 SEQUENCE {
 193 06    3:                   OBJECT IDENTIFIER
            :                     organizationalUnitName (2 5 4 11)
 198 13   61:                   PrintableString
            :                     'www.verisign.com/repository/RPA Incorp. By Ref.,'
            :                     'LIAB.LTD(c)98'
            :                   }
            :                 }
 261 31   72:               SET {
 263 30   70:                 SEQUENCE {
 265 06    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
 270 13   63:                   PrintableString
            :                     'VeriSign Class 1 CA Individual Subscriber-Person'
            :                     'a Not Validated'
            :                   }
            :                 }
            :               }
 335 02   16:             INTEGER
            :               01 47 8A E1 E3 BF E9 99 FB C0 AA 9D 92 D9 ED 38
            :             }
 353 30   13:           SEQUENCE {
 355 06    9:             OBJECT IDENTIFIER
            :               sha1withRSAEncryption (1 2 840 113549 1 1 5)
 366 05    0:             NULL
            :             }
 368 30   13:           SEQUENCE {
 370 06    9:             OBJECT IDENTIFIER
            :               rsaEncryption (1 2 840 113549 1 1 1)
 381 05    0:             NULL
            :             }
 383 04  128:           OCTET STRING
            :             08 4F 8F C8 0E 15 62 91 4F F8 A7 38 95 88 C3 83
            :             90 09 D5 AE B3 3D BD 22 2D FC AE 18 91 CF DC CC
            :             F6 B8 7B 18 8B 90 B6 FC D3 A5 2A 00 12 7F 30 CC
            :             B1 2E 1F 32 77 1C 10 F2 FF C8 E5 16 D2 16 E2 D4
            :             DD F2 32 B9 87 46 B2 F1 08 EC 26 31 85 21 56 75
            :             71 EA 91 4D 60 F1 82 B6 9D 3F 21 4D E1 59 3C 1D
            :             D1 B2 10 E6 90 EE B2 09 F6 11 8C 21 5B 38 F2 96
            :             21 DD FF 46 F6 8C D7 61 44 00 5B 2E 21 7E 8E 3B
            :           }
            :         }
            :       }
            :     }
            :   }
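
One way to walk the structure listed in the ASN.1 dump, as an added example that is not code from the original page: a small DER reader that pulls the embedded content, the signer's serial number and the signature out of a SignedData blob, rejecting any length that runs past the buffer. The function names, the issuer "Example CA" and the sample message produced by `build` are assumptions constructed for the example; the OID bytes are the ones visible in the hex dumps.

```python
def tlv(tag, body=b""):
    """DER-encode one element (long-form length from 128 bytes up)."""
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def children(buf):
    """Split a DER value into (tag, value) pairs, bounds-checking every length."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated header")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            if n == 0 or pos + n > len(buf):
                raise ValueError("bad length field")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("element runs past end of buffer")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

PKCS7 = bytes.fromhex("2a864886f70d0107")  # 1.2.840.113549.1.7, as in the dumps
SHA1 = tlv(0x30, tlv(6, bytes.fromhex("2b0e03021a")) + tlv(5))
RSA = tlv(0x30, tlv(6, bytes.fromhex("2a864886f70d010101")) + tlv(5))
ISSUER = tlv(0x30, tlv(0x31, tlv(0x30, tlv(6, b"\x55\x04\x03") + tlv(0x13, b"Example CA"))))

def build(content, serial, sig):
    """Constructed sample (made-up issuer) laid out like the page's minimal message."""
    signer = tlv(0x30, tlv(2, b"\x01") + tlv(0x30, ISSUER + tlv(2, serial)) + SHA1 + RSA + tlv(4, sig))
    info = tlv(0x30, tlv(6, PKCS7 + b"\x01") + tlv(0xA0, tlv(4, content)))
    body = tlv(2, b"\x01") + tlv(0x31, SHA1) + info + tlv(0x31, signer)
    return tlv(0x30, tlv(6, PKCS7 + b"\x02") + tlv(0xA0, tlv(0x30, body)))

def parse(msg):
    """Return embedded content, signer serial and signature of a SignedData blob."""
    (_, oid), (_, wrapped) = children(children(msg)[0][1])
    if oid != PKCS7 + b"\x02":
        raise ValueError("contentType is not signedData")
    fields = children(children(wrapped)[0][1])
    info = children(fields[2][1])  # ContentInfo: contentType, optional [0] content
    content = children(info[1][1])[0][1] if len(info) > 1 else None
    signer = children(children(fields[-1][1])[0][1])  # first SignerInfo, last SET
    serial = children(signer[1][1])[1][1]  # issuerAndSerialNumber -> serial
    sig = next(v for t, v in signer if t == 0x04)  # encryptedDigest
    return {"content": content, "serial": serial.hex(), "signature": sig}
```

Because `parse` takes signerInfos as the last field and finds the signature by its OCTET STRING tag, the same walk also steps over an optional certificates `[0]` block like the one in the first dump.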