Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"unknown signature algorithm" when trying to verify a certificate based on ECC key #557

Open
rgisiger opened this issue Oct 21, 2022 · 2 comments

Comments

@rgisiger
Copy link

Hi everyone, I don't know much about SSL understanding and I have a question because I try to verify a certifcate.
I hope someone can help me and/or maybe guide me to a solution.

Context occurs on a process of strong user authentication where I can receive either an old certificate or a new one. My code has to work with both of them.
I think I have to verify the signature of a certificate to provide this strong integrity.

I don't have any issue with the old certificate which is based on RSA Keys, but I got one with the new certificate where it is an ECC key.
At the moment I have no choice but to bypass the check on the new certificate.

The old certificate has the following lines in it (I have omitted some lines) :

Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    -----
                Exponent: 65537 (0x10001)

The new certificate has the following lines in it :

Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: rsassaPss         
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 0x20
         Trailer Field: 0xBC (default)
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    --------
                ASN1 OID: prime256v1
                NIST CURVE: P-256

I usually execute the following command to verify the certificate : signer_certificate.verify(certificate.public_key)

I get unknown signature algorithm when I try to use this command on the new certificate.

@rhenium
Copy link
Member

rhenium commented Nov 23, 2022

Can you provide an example code to reproduce the error?

@rgisiger
Copy link
Author

Sure.

Following is the extract.
The base64_signature content is a base 64 encoded CMS (which is an extension of PKCS#7) signature object.

signer_cert = nil

root4_cert = OpenSSL::X509::Certificate.new("-----BEGIN CERTIFICATE-----\nMIIKVTCCBgmgAwIBAgIQFJ46eF+C8WuK+yGq1a/3RzBBBgkqhkiG9w0BAQowNKAP\nMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMC\nASAwgYQxGzAZBgNVBAMMElN3aXNzY29tIFJvb3QgQ0EgNDElMCMGA1UECwwcRGln\naXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UEYQwVVkFUQ0gtQ0hFLTEw\nMS42NTQuNDIzMREwDwYDVQQKDAhTd2lzc2NvbTELMAkGA1UEBhMCQ0gwHhcNMTgx\nMTI5MTAyMTUzWhcNMzgxMTI0MTAyMTUzWjCBhDEbMBkGA1UEAwwSU3dpc3Njb20g\nUm9vdCBDQSA0MSUwIwYDVQQLDBxEaWdpdGFsIENlcnRpZmljYXRlIFNlcnZpY2Vz\nMR4wHAYDVQRhDBVWQVRDSC1DSEUtMTAxLjY1NC40MjMxETAPBgNVBAoMCFN3aXNz\nY29tMQswCQYDVQQGEwJDSDCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQB\nAMYSU5n0a3hxJTV2UbAl0yxQNCFbZbExdTno3VsASxxbjQKPF9Iz8HsPAdPyC7bb\nYmpVk7WuaKD5myJaVPpN4bEnFosFEfAGWDdN5D6Sb9ckn7EunQWznJ+FfMb6kUM+\njJL9nUxYBCJexxeTq4XmAKP3ziq+yP/i8JvxL5vQPi2kbfva5c20J9Q72xVVeX/p\nAmRn0JQZ2cuulzz+M/cwUv2p8YsOYj1H62wITiCsOThI4RlIQXheQOcaM4XBktb8\nb0SJOpHhbOfCWP9ghgpXbGfC/COKAegQvwzJqGuyrXXQe6k0TGELLzwLf65S5piH\nfrEwOJS32Ie81TCc7BkWr3+8xDBUBFPy7mWwOqI9tUutm6XiHrFlHk5yHppBiYAw\nHwFrtCt/e7UpP/w/8ugsfKxT8WbP5DHA9u18EpAFBCFh8h+5llXbFwPZ5+zLMV5q\nyg2RwqiSeAo4s8RTUF+/+urw+P2/mrw4dqfeWo+gwrRPuGFaj+I2H+lQaWHFRrw6\nXgqdjNp8BTo8qi5nwJCImTlTburerWCcj9gLduf/+6lRBiAq+Q/QIbG0ERdUq+LC\nAkRV/6VWezk9RFQmM+jU2VhVnMda9z++eNpjGgNWEeG6leYBVr0Jnu6Dk6QzxY2j\n3jHUiv46S2lf3Pf7mYryV6ldvGNddmZ8uRBUJ3tuxOBddgQgV+A8wJcqEudkWCWM\nc1u4ULtWXUN++DakB63+TMUPRXBMxW4w+ddA3esS7zlgdcAoVihwWU+NGuFwbcAU\nrizg77FH6mbtesUW2zPbxK7iUwles8/4MvjX94lq0/3owL1AiR7gW/vhWazIDbU0\n6gfMMxMKho6sAY6+0imrrWHEse2YFmQHdr2OqVzXhl8BL+jC/mNUduqNLcwP/Cdz\nhqa1555JlbExNUNgnQJ8FHFMzGPAKzFAoPmU0+Dj/bIHYMuCTMmW58GuXPhSJfur\n/CZeChDHKD529HEP472l/rGYasHazl6P8Si5lZi+7piU++Vwe3tg5YKuM2CQgNXX\nHYeNkjaRCIQ6DkZhoi7Qd6nEmLvblkt4f9d91Qj+1Xjy0cJvCx5aPEOsnRDW58BT\njpdgan9TSEkLZNsk7ld6MFNum4ifBBEPEZ98QRoXZG5n3676MDoaEp9aouWX2y24\nZ6NkgdH7OZvmgRzPSUEWXOxZPDxymePVE8Avkm/Ni6JkxsCoRVdNqMNOO8HYSm7d\ncn1KKtWNwW44jGZWx6PZoJ5e/E6ESHdL4RBdoKYvdnkmHvP9AUitpLxCRAGGEI5E\nhxOG9mILWjSEwp0LKchEyF16ndtoUe1suZT4Sw5yGwPjW159poroSoy/WDUmwcji\nExueOU5NAn7jolQLs5DIJkECAwEAAaNZMFcwDwYDVR0TAQH/BAUwAwEB/zAVBgNV\nHSAEDjAMMAoGCGCFdAFTHgQAMB0GA1UdDgQWBBRUWmcfazT5nllAol9Bej7BCMYV\nEzAOBgNVHQ8BAf8EBAMCAQYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF\nAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IEAQAIZlEtAqKq\nPdJGz4Zwb5hCBw3E9fkJFMGnNkZ7jb0akuwsoeMSlfnZ1JUbfHGSSHFruadJFqm5\nIqeUSPtvSDkIo3wpF2OLP5lvBA2USupFLbcGK+wxDFXcTzdmqgj1S3ssQEL6eTgb\nYqPeWDAN9m1kkzBgDIk7cOGJyOMr805ZIZ/GgRduw72IcWB57AuEYyPQoES7ulYb\nFE4MgkxNzod9J4281jDl6WJB2C67BEiDlnBhQzyBYx6uFKcfWmEjGxvtTlXIGqYL\ntu9YWICzNOUeB3o238QQFsmSNRJXMALMBGak4R7+0v9r+oZSjQexx2QEXUMlYUjy\nR/02DaPZC/cfzE5HTvQr601f6xOpTPMw1XNFxMyds1KkmIOielXDGtNr4ufKPX5C\nuuBWXO1W2ESzS/bl0NP+E1kugz6B5KsO9cD4L5XuYbTP9PJ/MO+frNEW5Ua4HHVK\nxpOvpU1h6DacykzVw95d/KZDudZku+D5PWI01i7DgBUoPppM2Pt0xtdmQx4hVNrI\nDeW5jhCvIc9ZSfzXwpIUFlT9Mqy4cRjuEGxa7gYTZ7Ktwy7C5UpZu+5ExAYkcWmW\nQ1fGLctPC4Wh5dhan+6UvjfYCw0IaLukXo8h3YucLpAr7XU3fFhc01SBNxrtAwWJ\n1iLZvJvAlT3ggZfdQBzeOmGqFWjLmMpirs5KUwqKMUawEZjHPM9LXsuQcNo6AbZH\n6S+4cJEQEbVuMrfbF2X/0Zu5B8fqq+PWyxJ3XgdR6w9TYtgg2LeUU+B/wbCH2lo1\n5d2IwxySAL/hASRo/sP7c/UuE8UvMiWl1GRRJPgbjtikkruBQXCRMBBLq2Ts6dXT\n+LizFdyAbnpOuiEK6hH9JDpJGV+DaZyQiwCOcNOcPR8/cR96eeBDU8mx870//ZJu\nnRoGBm24mYeV0TLQuKbEEpaNk5Tc0z3Ci9eHsTgroncuI10p671aQIBXYdT9/QzE\nsDTsdNFx4m3gDarYRCBjgF481Vj0o2qvYkdu+1GpG7cfKcPLJRFb+J/6g2SD9+yo\nSPnOuuTiU1l1tC22G1xV/ds8qymjR+BnY3wmFDaCMf0DdG1mkkUEzG+MHUHmaId0\n0bejnZ+GEdFX3sS/WrxRCCWI+f5h9SLYntobevUHKqY6Yk93+xa3CPYMRGF7QM9B\nfVxHYsgvr8isYcsPwjylZumzMW2yxGIK+Zy4K5qTz7G/lLk/oRAvf/3e2SYmY6Qp\nHeS86pc78jB0+6bRhnT8BWtZ9r2sAIORgLzEZ+U1o6YZOXrUeaIjK+eSmge4BTbk\n2mfQGPvQ9/XhHOIANN13S/gyURCPoKmjPH3IB54FSdFyIp8fT6JQx3L8l+6iX8On\ndMFLMgjr/DJO\n-----END CERTIFICATE-----\n")

base64_signature = "MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwGggARYTW9iaWxlIElEOiBSZXF1w6p0ZSBkZSBjb25uZXhpb24gbXlXaW5nbyBzw6ljdXJpc8OpZSBkZW1hbmTDqWUuIChNSURfRlIuMjMxMTIyNTgwM182ODY3KQAAAACggDCCBWwwggMgoAMCAQICEAzNIbUcTL8XLIewXqGz0qswQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMIGSMRwwGgYDVQQDDBNTd2lzc2NvbSBSdWJpbiBDQSA0MSUwIwYDVQQLDBxEaWdpdGFsIENlcnRpZmljYXRlIFNlcnZpY2VzMR4wHAYDVQRhDBVWQVRDSC1DSEUtMTAxLjY1NC40MjMxHjAcBgNVBAoMFVN3aXNzY29tIChTY2h3ZWl6KSBBRzELMAkGA1UEBhMCY2gwHhcNMjIxMDIxMDg0NzAzWhcNMjUxMDIwMDg0NzAyWjA5MRkwFwYDVQQFExBNSURDSEVaRDREVTdSOEUzMRwwGgYDVQQDDBNNSURDSEVaRDREVTdSOEUzOlBOMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMc3i/Br4FM+D7T04hmPlJ4Xv3FprKe/uvZBnF1gWrGO9YnXx2O6s6tpNY3TIZu2nUDYhl2yEOTDcNPJfBR8TMKOCAXcwggFzMB8GA1UdIwQYMBaAFAbpSvauxpqRLYlVoUbhbgX9sbkEMH0GCCsGAQUFBwEBBHEwbzA3BggrBgEFBQcwAoYraHR0cDovL2FpYS5zd2lzc2RpZ2ljZXJ0LmNoL3NkY3MtcnViaW40LmNydDA0BggrBgEFBQcwAYYoaHR0cDovL29jc3Auc3dpc3NkaWdpY2VydC5jaC9zZGNzLXJ1YmluNDBPBgNVHSAESDBGMAgGBgQAj3oBAzA6BghghXQBUx4EBDAuMCwGCCsGAQUFBwIBFiBodHRwOi8vd3d3LnN3aXNzZGlnaWNlcnQuY2gvY3BzLzATBgNVHSUEDDAKBggrBgEFBQcDAjA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN3aXNzZGlnaWNlcnQuY2gvc2Rjcy1ydWJpbjQuY3JsMB0GA1UdDgQWBBTPMfMlclb3DE5CQ2dBfkPEsWPNcTAOBgNVHQ8BAf8EBAMCB4AwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4ICAQAuzkhQTkuuhDbBl7ZEiQPE9sjNNXeDj/haieOyqLZ9CbZwVipYoCApcxrAScwHOMQORW0hefQxo5FE/sZtIBsAKEhKRyraMipz9IhiTUkGr08q71KGLCz3qAjWD3cS4OfVjoG6K3NoZmwq3SuoV5lBhd5j3+sUsAn5kaHyKFO+wHapAgGWHHBa1eJ1fY8MdddRVLqjMZtyx5tBd8McBJ2bCeGg16iAW5XGwDKSysw/9SOYXjC5IH82oSDr7n8R+cWoJOlB5sbO9uLGEvCqJvfP83i7iP5eHmJXz3DiO6B016WH/03aity2ADbxLtdRIzKSnnJYJRP56+R1+kfR98p/EabB3KUOWo6enpR688gqj8ZMoUxo0JidM/ZnP7ZpDgIUhd3rFoCG9jlyWH4y7qr0DklCEoZsybiZHaRwo6jZEqG+X9gVuNjXDd/Ut6YtXVNpjTql6rG6hRjHoBlKk9upLLbbQASzYPHgZwceHMVV6EtSwTIW0f+YvdpNuHbZCGSJjMttj3l/wQtNojiynwqqhQcaY1YxKMsQqb1nRWwmKdbpj7810MSMtLjKMzH3U115TNzdmPCeRZ4nzLkdsosvEH8A1cf3MRY0XsPRJ/+Td7DlArxCOl8QU4FQmR+yDNvBCz9hF4T46QYdsITpkljP9IR0PQOCY1Ivm2pFHOtPBDCCCVUwggUJoAMCAQICEBEPU7h29UMfA0K/1PcERnowQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMIGEMRswGQYDVQQDDBJTd2lzc2NvbSBSb290IENBIDQxJTAjBgNVBAsMHERpZ2l0YWwgQ2VydGlmaWNhdGUgU2VydmljZXMxHjAcBgNVBGEMFVZBVENILUNIRS0xMDEuNjU0LjQyMzERMA8GA1UECgwIU3dpc3Njb20xCzAJBgNVBAYTAkNIMB4XDTE5MDEzMTEyMjMzOFoXDTI5MDEyODEyMjMzOFowgZIxHDAaBgNVBAMME1N3aXNzY29tIFJ1YmluIENBIDQxJTAjBgNVBAsMHERpZ2l0YWwgQ2VydGlmaWNhdGUgU2VydmljZXMxHjAcBgNVBGEMFVZBVENILUNIRS0xMDEuNjU0LjQyMzEeMBwGA1UECgwVU3dpc3Njb20gKFNjaHdlaXopIEFHMQswCQYDVQQGEwJjaDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMiVKH8pnBmWg3KIebt6HWEBAvB+uVqNgZXs0OpzTOS0DI2S31yCRKHNkHgKDRqPryjgnm4UCnAayjOKcwRb5rHzVJxirfceASLvtqjE2MA5qiqynLGvKcQSXeqZC9pbPaNVF4N2pLZs/3/e4x1aE9nQu6CIsjIq9C3j9KJbFTbaAFg8lYIF+0vbZJfbkuo2tOibLeQi5OEvWKJqsHKC2Kiy7Mb3dIq92itgp05nJ/Oz2BuYvyUe2M+P6C6Lft1gpzZu/wymsoVggVXxhk5IyjYicUwVjWkRJVnjqLM8DTEobHAi+1wWMzJacg39f3zeMRQGPfOkOQ4dhieuamqf6fYdxFHeqwxZWu8qR+q1ULvwYdmUE/EOn8fVIHHz/aN4TPexTTP07qzlNlEBA5lfcbDSqKx9948/ei/izhlM1FHplC4HS7YXEJ7BaVzryTRfFrObZyzM5+xd07T6gJP1SaD4uRFuHEq9Nde0c7Jm004RYSCOQ+l6+clIjoNimcG4d/dQ0i5tpeZsUci/JTSoeRz7C48r3tJ+T1DUrs+D09zieTJhLCdg8xu+lOKNqZqdy+VEcvS+bwKS5xlvEj5oK2mD1fkkolMjY6O6zK5mtx3IP0bvNBoAysAcS9w9d5/Yg0v2bzEiDvG5HZsOgjQxL5y0oHLty+calsLc99iqJHo7AgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEAMB8GA1UdIwQYMBaAFFRaZx9rNPmeWUCiX0F6PsEIxhUTMEYGCCsGAQUFBwEBBDowODA2BggrBgEFBQcwAoYqaHR0cDovL2FpYS5zd2lzc2RpZ2ljZXJ0LmNoL3NkY3Mtcm9vdDQuY3J0MEUGA1UdIAQ+MDwwOgYIYIV0AVMeBAQwLjAsBggrBgEFBQcCARYgaHR0cDovL3d3dy5zd2lzc2RpZ2ljZXJ0LmNoL2Nwcy8wEwYDVR0lBAwwCgYIKwYBBQUHAwIwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5zd2lzc2RpZ2ljZXJ0LmNoL3NkY3Mtcm9vdDQuY3JsMB0GA1UdDgQWBBQG6Ur2rsaakS2JVaFG4W4F/bG5BDAOBgNVHQ8BAf8EBAMCAQYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IEAQB94lcrFcuN3DDpxj3NXoutnV4h6Zv0y5E/kM9xUkQDrrOsl41ZKRGx2GKE4rz9nAF99LFt8gPMeNjuQ8M/ZO5JKayx9h0iSH8+7kHharQm1xqWctcyQIXLExtpG80e7dc87NjVYsj929Iw+fWHQqcVOMR07Dyj7h8bIyue15WeDedUNibQOz2LRbB3NoOG36f7+JeYwGOhQflxQsNQl3vALJrYI04VvCvvgD8nRrI8NewgJcbdSEjTMY1vr5ZK6EzqI+4yVPXUiubCDM519UhXOVq5WhEzQQIwd71udpg7s0+nIKCGtI11D5gRjSFnBBJZD200AczPNO7gLeZwKcBjwMvEmYktszH3UyZDltqvR4vvjBQUtHbMYKnDpcVTZ+h7ScIVkmiOs2LgUQI709zQMH9LIyOg+zevR5QpPu12f+FKEji+7PxUtb9kY2jhxu/QxWlgIHf0Ap7FyqLxOxfokyNQk3aiwcihUujhFrBK/HklEbkS5PlcQKIGKccqU5TBL9ovRP00ZtLsMbN9nHzkcK4erqcwB4C1C9IFW96waD+n4EYwA+lUxBiHMJHLMLt1dLtqgKryscmp/RL+1Q2xNuJ3sHJMQPjgm9Ns4NcWur8sb5ZDbywo1wHmlI1gjIo+5fFprPMqk4z2IQAjRQc9LH02v75kuQ4+dKWfLbKFEZS+N8/cODsGyzOF+FaIEvFbfVFHTgm/B+xHKgSDIj6WpfnbhWX5FQ5uYkK0LhIbC5DR7gHa17RMIHkx65I5ScnL7+T0TNWFBJjhPYeK4T9REiHRyRp1xYnYdRHLTAxCIDHMVb3Qaj1oHRf1O2NDzTl4lU5ZoluQZh51k3UeTHHbuGmT+/AbHHUsWKaUF1UCA2tlFzVlI0JMjpWnmh5t3iRQcSaFeBLtq/eYM6wAQpG4FX2pLoLuBVVA27vQ9RKtI7H42Nc7tNVDQqnagkluCIy8AoacOFDRFHg5M+yKyik8fnt6kuv+Vh/j1RSXZo7t9su9/vw/yfyJ4SmJnq5OMaEVkThNwDY4dDZjInRHEAnMwAlJA1zUns3iNKB7XZ0yZETM/3VqwUjxLat9RNmPADa4diMW7HewHHcRIFVbxOF/CQl95sveHakyvD/x1cKFPfwbkAXJzdNpc6V5hZZ6j7yv2kiQebH4orHFnFPDTpFtW4Zwb1S9DkmNoq/AtAg9WJGjPkfxlwMGSVMhQQ048UjCadirVL9U7AZRIBcxlT1jjVGysWd3LMIuR6qN6HpWlO28LtQqraq8hJpMZAwQCT+WU4dAKq/EE4vIZD/RQKdD9E/qvqwvGvswSvIrXwh9iA0M1WyB2JUDmkehxjcQ2BEN290QNRQIa7xSlcfUciSEMIIKVTCCBgmgAwIBAgIQFJ46eF+C8WuK+yGq1a/3RzBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAwgYQxGzAZBgNVBAMMElN3aXNzY29tIFJvb3QgQ0EgNDElMCMGA1UECwwcRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UEYQwVVkFUQ0gtQ0hFLTEwMS42NTQuNDIzMREwDwYDVQQKDAhTd2lzc2NvbTELMAkGA1UEBhMCQ0gwHhcNMTgxMTI5MTAyMTUzWhcNMzgxMTI0MTAyMTUzWjCBhDEbMBkGA1UEAwwSU3dpc3Njb20gUm9vdCBDQSA0MSUwIwYDVQQLDBxEaWdpdGFsIENlcnRpZmljYXRlIFNlcnZpY2VzMR4wHAYDVQRhDBVWQVRDSC1DSEUtMTAxLjY1NC40MjMxETAPBgNVBAoMCFN3aXNzY29tMQswCQYDVQQGEwJDSDCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAMYSU5n0a3hxJTV2UbAl0yxQNCFbZbExdTno3VsASxxbjQKPF9Iz8HsPAdPyC7bbYmpVk7WuaKD5myJaVPpN4bEnFosFEfAGWDdN5D6Sb9ckn7EunQWznJ+FfMb6kUM+jJL9nUxYBCJexxeTq4XmAKP3ziq+yP/i8JvxL5vQPi2kbfva5c20J9Q72xVVeX/pAmRn0JQZ2cuulzz+M/cwUv2p8YsOYj1H62wITiCsOThI4RlIQXheQOcaM4XBktb8b0SJOpHhbOfCWP9ghgpXbGfC/COKAegQvwzJqGuyrXXQe6k0TGELLzwLf65S5piHfrEwOJS32Ie81TCc7BkWr3+8xDBUBFPy7mWwOqI9tUutm6XiHrFlHk5yHppBiYAwHwFrtCt/e7UpP/w/8ugsfKxT8WbP5DHA9u18EpAFBCFh8h+5llXbFwPZ5+zLMV5qyg2RwqiSeAo4s8RTUF+/+urw+P2/mrw4dqfeWo+gwrRPuGFaj+I2H+lQaWHFRrw6XgqdjNp8BTo8qi5nwJCImTlTburerWCcj9gLduf/+6lRBiAq+Q/QIbG0ERdUq+LCAkRV/6VWezk9RFQmM+jU2VhVnMda9z++eNpjGgNWEeG6leYBVr0Jnu6Dk6QzxY2j3jHUiv46S2lf3Pf7mYryV6ldvGNddmZ8uRBUJ3tuxOBddgQgV+A8wJcqEudkWCWMc1u4ULtWXUN++DakB63+TMUPRXBMxW4w+ddA3esS7zlgdcAoVihwWU+NGuFwbcAUrizg77FH6mbtesUW2zPbxK7iUwles8/4MvjX94lq0/3owL1AiR7gW/vhWazIDbU06gfMMxMKho6sAY6+0imrrWHEse2YFmQHdr2OqVzXhl8BL+jC/mNUduqNLcwP/Cdzhqa1555JlbExNUNgnQJ8FHFMzGPAKzFAoPmU0+Dj/bIHYMuCTMmW58GuXPhSJfur/CZeChDHKD529HEP472l/rGYasHazl6P8Si5lZi+7piU++Vwe3tg5YKuM2CQgNXXHYeNkjaRCIQ6DkZhoi7Qd6nEmLvblkt4f9d91Qj+1Xjy0cJvCx5aPEOsnRDW58BTjpdgan9TSEkLZNsk7ld6MFNum4ifBBEPEZ98QRoXZG5n3676MDoaEp9aouWX2y24Z6NkgdH7OZvmgRzPSUEWXOxZPDxymePVE8Avkm/Ni6JkxsCoRVdNqMNOO8HYSm7dcn1KKtWNwW44jGZWx6PZoJ5e/E6ESHdL4RBdoKYvdnkmHvP9AUitpLxCRAGGEI5EhxOG9mILWjSEwp0LKchEyF16ndtoUe1suZT4Sw5yGwPjW159poroSoy/WDUmwcjiExueOU5NAn7jolQLs5DIJkECAwEAAaNZMFcwDwYDVR0TAQH/BAUwAwEB/zAVBgNVHSAEDjAMMAoGCGCFdAFTHgQAMB0GA1UdDgQWBBRUWmcfazT5nllAol9Bej7BCMYVEzAOBgNVHQ8BAf8EBAMCAQYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IEAQAIZlEtAqKqPdJGz4Zwb5hCBw3E9fkJFMGnNkZ7jb0akuwsoeMSlfnZ1JUbfHGSSHFruadJFqm5IqeUSPtvSDkIo3wpF2OLP5lvBA2USupFLbcGK+wxDFXcTzdmqgj1S3ssQEL6eTgbYqPeWDAN9m1kkzBgDIk7cOGJyOMr805ZIZ/GgRduw72IcWB57AuEYyPQoES7ulYbFE4MgkxNzod9J4281jDl6WJB2C67BEiDlnBhQzyBYx6uFKcfWmEjGxvtTlXIGqYLtu9YWICzNOUeB3o238QQFsmSNRJXMALMBGak4R7+0v9r+oZSjQexx2QEXUMlYUjyR/02DaPZC/cfzE5HTvQr601f6xOpTPMw1XNFxMyds1KkmIOielXDGtNr4ufKPX5CuuBWXO1W2ESzS/bl0NP+E1kugz6B5KsO9cD4L5XuYbTP9PJ/MO+frNEW5Ua4HHVKxpOvpU1h6DacykzVw95d/KZDudZku+D5PWI01i7DgBUoPppM2Pt0xtdmQx4hVNrIDeW5jhCvIc9ZSfzXwpIUFlT9Mqy4cRjuEGxa7gYTZ7Ktwy7C5UpZu+5ExAYkcWmWQ1fGLctPC4Wh5dhan+6UvjfYCw0IaLukXo8h3YucLpAr7XU3fFhc01SBNxrtAwWJ1iLZvJvAlT3ggZfdQBzeOmGqFWjLmMpirs5KUwqKMUawEZjHPM9LXsuQcNo6AbZH6S+4cJEQEbVuMrfbF2X/0Zu5B8fqq+PWyxJ3XgdR6w9TYtgg2LeUU+B/wbCH2lo15d2IwxySAL/hASRo/sP7c/UuE8UvMiWl1GRRJPgbjtikkruBQXCRMBBLq2Ts6dXT+LizFdyAbnpOuiEK6hH9JDpJGV+DaZyQiwCOcNOcPR8/cR96eeBDU8mx870//ZJunRoGBm24mYeV0TLQuKbEEpaNk5Tc0z3Ci9eHsTgroncuI10p671aQIBXYdT9/QzEsDTsdNFx4m3gDarYRCBjgF481Vj0o2qvYkdu+1GpG7cfKcPLJRFb+J/6g2SD9+yoSPnOuuTiU1l1tC22G1xV/ds8qymjR+BnY3wmFDaCMf0DdG1mkkUEzG+MHUHmaId00bejnZ+GEdFX3sS/WrxRCCWI+f5h9SLYntobevUHKqY6Yk93+xa3CPYMRGF7QM9BfVxHYsgvr8isYcsPwjylZumzMW2yxGIK+Zy4K5qTz7G/lLk/oRAvf/3e2SYmY6QpHeS86pc78jB0+6bRhnT8BWtZ9r2sAIORgLzEZ+U1o6YZOXrUeaIjK+eSmge4BTbk2mfQGPvQ9/XhHOIANN13S/gyURCPoKmjPH3IB54FSdFyIp8fT6JQx3L8l+6iX8OndMFLMgjr/DJOAAAxggF/MIIBewIBATCBpzCBkjEcMBoGA1UEAwwTU3dpc3Njb20gUnViaW4gQ0EgNDElMCMGA1UECwwcRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UEYQwVVkFUQ0gtQ0hFLTEwMS42NTQuNDIzMR4wHAYDVQQKDBVTd2lzc2NvbSAoU2Nod2VpeikgQUcxCzAJBgNVBAYTAmNoAhAMzSG1HEy/FyyHsF6hs9KrMA0GCWCGSAFlAwQCAQUAoGUwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAYBgoqhkiG9w0BCRkDMQoECGCdWBgjVQKFMC8GCSqGSIb3DQEJBDEiBCB/UcUDG0cFGw0KvQewtzQo6KfXoh5O+w9kAN1BOeYS/zAMBggqhkjOPQQDAgUABEgwRgIhAPxOjVLlU3QnrqJot4DHILXhV9GneKNCIfL6ia7DATybAiEA1GB/TLisxGDcjAycNCia559r4M0LLuh0Q9K7xyw9iPMAAAAAAAA="

cms_signed_data = OpenSSL::PKCS7.new(Base64.decode64(base64_signature))
signer_info = cms_signed_data.signers.first

signer_cert_chain = [].tap do |chain|
  cms_signed_data.certificates.each do |certificate|
    chain << certificate
    signer_cert = certificate if signer_info.serial == certificate.serial
  end
end

# checking certificate dates validity
today = DateTime.current
raise "Certificate will be valid on #{signer_cert.not_before.iso8601}" if today < signer_cert.not_before
raise "Certificate has expired on #{signer_cert.not_after.iso8601}" if today > signer_cert.not_after

# Using certificates store to check validity of path
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths
cert_store.add_cert(root4_cert)
signer_certificate_path_valid = cert_store.verify(signer_cert, signer_cert_chain)

signer_cert_chain.each do |certificate|
  signature_valid = signer_cert.verify(certificate.public_key)       # raising OpenSSL::X509::CertificateError (unknown signature algorithm)
  break if signature_valid
end

cms_signed_data.verify(signer_cert_chain, cert_store)
cms_signed_data.error_string                                         # giving "certificate verify error"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

2 participants