Dotnet 2.0 PKCS CheckSignature Error

vij***@entcomm.com wrote:

Hello,

I am extracting a pkcs7-signature part from an S/MIME message. When I verify the signature I get a CryptographicException "The hash value is not correct".

I am using CheckSignature(true), therefore it should verify the signature only and not worry about the certificates.

This message was generated from webMethods by our customer. Any idea where the problem could be?

I have checked the following.
The decoded object has 3 certificates in the chain.
It has 1 SignerInfo object.
However, the SignedCms.ContentInfo has a content of zero bytes.

I am leaning to this as the issue. But what could cause the content to be zero? The sender of this message has successfully sent this type of message to others. I am assuming the input S/MIME data to be correct.

Could there be any issues decoding webMethods generated PKCS #7 objects in .NET 2.0?

Any inputs will be greatly appreciated.

- Vijay

Joe Kaplan (MVP - ADSI) wrote:

Any chance you could post an example message that doesn't work? The ASCII S/MIME body part would be the easiest to put on the newsgroup.

Joe K.
--
Joe Kaplan - MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

vij***@entcomm.com wrote:

I am not able to post the MIME data in this group. I am getting the error "We were unable to post your message. Binary posts not allowed in non-binary groups. If you believe this is an error, please mail groups-supp***@google.com." I will try to post from the Outlook Express news reader.

- Vijay

vij***@entcomm.com wrote:

I have tried several methods to post, but failed. Here is the link to
download the file: http://www.entcomm.com/internal/~vijay/pkcs7.txt

I have continued my debugging and have found the following info. Since SignedCms.ContentInfo has a length of zero bytes, the sender of the message has not included the digest in this message. We have to compute it from the MIME message and pass it to the SignedCms object instance. Something like:

    Oid dataOid = new Oid("1.2.840.113549.1.7.1");
    ContentInfo contentInfo = new ContentInfo(dataOid, testHashData);
    SignedCms verifyCms = new SignedCms(contentInfo, true);

However, this failed with the same error. But the computed digest is in the right place in the SignedCms object and its ContentInfo shows the correct length.

Secondly, just to test, I navigated into SignedCms.SignerInfos, got the message digest ("1.2.840.113549.1.9.4", Pkcs9MessageDigestData) from the SignedAttributes collection and tried passing the digest data to the SignedCms object instance:

    using System.Security.Cryptography;
    using System.Security.Cryptography.Pkcs;

    // the 20-byte messageDigest value copied out of the signed attributes
    byte[] testHashData = { 112, 47, 42, 138, 253, 109, 28, 29, 6, 67, 203, 126, 126, 11, 165, 35, 191, 180, 127, 69 };
    Oid dataOid = new Oid("1.2.840.113549.1.7.1");
    ContentInfo contentInfo = new ContentInfo(dataOid, testHashData);
    SignedCms verifyCms = new SignedCms(contentInfo, true);

This also failed with the same error "The hash value is not correct".

Joe Kaplan (MVP - ADSI) wrote:

I'm getting the same results as you are. There is no content data in the message and the signature validation fails with the same message you are getting. Interestingly, the CheckHash method succeeds, but I'm not sure what that implies.

I was under the impression that if you have a signed CMS message and the signature isn't detached, the data was supposed to be in the content. Signed messages with 0 length content data are sometimes used for providing a certificate with chain and crypto capabilities to a remote party. The signature on the message is usually valid though.

I'm not sure what to tell you. It would be nice if there was a way to see the computed hash value that is being generated. The signed attributes seem to contain the expected value. Maybe someone else knows what's going on.

Joe K.

vij***@entcomm.com wrote:

I have solved the problem with Microsoft support.
Since PKCS#7/CMS messages from webMethods are always detached, upon receipt of the S/MIME message we have to create a ContentInfo with the data part of the message, and pass the signature part of the message (after base64 decoding, to get the ASN.1 encoded PKCS#7 object) to the Decode function as shown below:

    ContentInfo contentInfo = new ContentInfo(<data part of message>);
    SignedCms verifyCms = new SignedCms(contentInfo, true);   // true = detached content
    verifyCms.Decode(<base64 decoded signature part of message>);

    try
    {
        verifyCms.CheckSignature(true);
    }
    catch (CryptographicException cex)
    {
        // signature check failed; the message has to be discarded
    }

The mistake I was making was not selecting the carriage-return and line-feed (CRLF) characters after the MIME boundary. Apparently those bytes were used to compute the digital signature by webMethods.

Here are the answers to some of my questions from the Microsoft developer support person who was helping me:

-------------
The signed message contains the original hash value. When you verify the signature it will check the hash of the content that you supplied against the original. If that fails it will return "Hash value is not correct".

If the hash values match, the signature is then checked. If the verification fails then "Invalid Signature" is returned. This step will most likely succeed unless the signature has been corrupted.

"Hash value is not correct" is what you will see most of the time when dealing with PKCS#7/CMS signed messages.
---------------

Thanks to all who helped me with this issue.

Joe Kaplan (MVP - ADSI) wrote:

Very interesting. Thanks for following up. I'm glad MS support was able to resolve this.

Joe K.
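The detached verification the thread ends with, written out as an added example together with the diagnostic Joe wished for (this is not code from the thread, from webMethods or from Microsoft): it slices the signed entity out of a multipart/signed body without dropping or adding the delimiter CRLFs, verifies it with SignedCms in detached mode and, on failure, compares the hash of the supplied bytes with the signer's messageDigest attribute, so a wrong slice is told apart from a bad signature. The class and method names, the boundary parameter, the iso-8859-1 byte mapping and the SHA-1 digest (matching the 20-byte digest value in the thread) are this example's assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Text;
// Hypothetical helper: verify a detached multipart/signed S/MIME message and, when
// CheckSignature throws, show whether the bytes handed to ContentInfo even hash to the
// messageDigest the signer committed to. SHA-1 is assumed, as in the thread's message.
static class SmimeDetachedCheck
{
    // Slice the two body parts exactly as RFC 2046 delimits them: the CRLF that ends a
    // boundary line and the CRLF before the next boundary are delimiter, not content.
    static void Split(byte[] msg, string boundary, out byte[] entity, out byte[] signature)
    {
        Encoding latin1 = Encoding.GetEncoding("iso-8859-1"); // 1:1 byte <-> char mapping
        string raw = latin1.GetString(msg), open = "--" + boundary + "\r\n", close = "\r\n--" + boundary;
        int a = raw.IndexOf(open, StringComparison.Ordinal);                                // opening delimiter
        int b = a < 0 ? -1 : raw.IndexOf(close, a + open.Length, StringComparison.Ordinal); // end of signed entity
        int c = b < 0 ? -1 : raw.IndexOf(open, b, StringComparison.Ordinal);                // second delimiter
        int d = c < 0 ? -1 : raw.IndexOf(close, c + open.Length, StringComparison.Ordinal); // closing delimiter
        int h = d < 0 ? -1 : raw.IndexOf("\r\n\r\n", c, StringComparison.Ordinal);          // end of part headers
        if (h < 0 || h > d) throw new FormatException("not a well-formed two-part multipart/signed body");
        entity = latin1.GetBytes(raw.Substring(a + open.Length, b - a - open.Length));
        signature = Convert.FromBase64String(raw.Substring(h + 4, d - h - 4));              // whitespace is skipped
    }
    public static bool Verify(byte[] rawMessage, string boundary, out string report)
    {
        byte[] entity, signature;
        Split(rawMessage, boundary, out entity, out signature);
        SignedCms cms = new SignedCms(new ContentInfo(entity), true); // true = detached content
        cms.Decode(signature);
        try
        {
            cms.CheckSignature(true); // signature only; chain building and trust are a separate decision
            report = "signature verified over " + entity.Length + " content bytes";
            return true;
        }
        catch (CryptographicException ex)
        {
            report = ex.Message + " | " + (cms.SignerInfos.Count > 0 ? DigestReport(cms.SignerInfos[0], entity) : "no SignerInfo");
            return false;
        }
    }
    // "The hash value is not correct" means hash(content) != the messageDigest signed attribute:
    // a mismatch points at the content bytes (a boundary/CRLF slip), a match at the signature itself.
    static string DigestReport(SignerInfo si, byte[] content)
    {
        string claimed = "(absent)";
        foreach (CryptographicAttributeObject attr in si.SignedAttributes)
            foreach (AsnEncodedData v in attr.Values)
                if (v is Pkcs9MessageDigest) claimed = BitConverter.ToString(((Pkcs9MessageDigest)v).MessageDigest);
        if (si.DigestAlgorithm.Value != "1.3.14.3.2.26") return "digest " + si.DigestAlgorithm.Value + " not handled here";
        string actual = BitConverter.ToString(SHA1.Create().ComputeHash(content));
        return "messageDigest=" + claimed + " hash(content)=" + actual + (claimed == actual ? " [match: the signature itself is bad]" : " [mismatch: wrong content bytes]");
    }
}
```

Running Verify over the raw message bytes with and without the CRLF after the boundary makes the mismatch visible in the report, which is exactly the slip the thread describes; a report that says "match" while CheckSignature still fails means the content is right and the signature or certificate is the problem.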
vij***@entcomm.com wrote:

Here is the base64 encoded S/MIME data.

- Vijay

Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s