Manual/OpenSSL

[OpenSSL] CMS ( Cryptographic Message Syntax ) λͺ…λ Ήμ–΄ μ‚¬μš©λ²•

JayKimπŸ™‚ 2023. 4. 6. 18:19

CMS λŠ” Cryptographic Message Syntax 의 μ•½μžλ‘œ RFC5652 에 μ •μ˜ 된 ν‘œμ€€μ΄λ‹€.

CMS λͺ…λ Ήμ–΄λŠ” 데이타 μ„œλͺ…μ΄λ‚˜ 데이타 μ•”ν˜Έν™”λ₯Ό μœ„ν•œ ν‘œμ€€ 데이타 ν˜•μ‹μ΄λ‹€.
이 λ°μ΄νƒ€λŠ” PKCS#7 ν˜•μ‹μ˜ 데이타 이닀.

μžμ„Έν•œ λͺ…λ Ήμ–΄ μ„€λͺ… μ£Όμ†Œμ΄λ‹€.
https://www.openssl.org/docs/man3.0/man1/openssl-cms.html

CMS 메세지 ASN.1 ν˜•μ‹

μ•„λž˜ ASN.1 ν˜•μ‹μ˜ CMS 메세지에 λŒ€ν•œ 일 λΆ€λΆ„μ˜ ν˜•μ‹ λ‚΄μš©μ„ 보여 μ€€λ‹€.

   ContentInfo ::= SEQUENCE {
     contentType ContentType,
     content [0] EXPLICIT ANY DEFINED BY contentType }

   ContentType ::= OBJECT IDENTIFIER

   SignedData ::= SEQUENCE {
     version CMSVersion,
     digestAlgorithms DigestAlgorithmIdentifiers,
     encapContentInfo EncapsulatedContentInfo,
     certificates [0] IMPLICIT CertificateSet OPTIONAL,
     crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
     signerInfos SignerInfos }

  EnvelopedData ::= SEQUENCE {
     version CMSVersion,
     originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
     recipientInfos RecipientInfos,
     encryptedContentInfo EncryptedContentInfo,
     unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL }

Signed Data 메세지 생성

이 λ©”μ„Έμ§€λŠ” 원문에 μ „μž μ„œλͺ…을 μƒμ„±ν•˜κ³  μ›λ¬Έμžμ²΄λŠ” κ·ΈλŒ€λ‘œ 보여 μ€€λ‹€.

openssl cms -sign -in test.txt -out out.msg -signer ecdsa_cert.pem -inkey ecdsa_private_key.pem

out.msg : 생성 된 SignedData 메세지 이닀.
κ²°κ³Ό 파일의 λ‚΄μš©μ„ 보면

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----9200C78F9435257A83D6408C600DC4DF"

This is an S/MIME signed message

------9200C78F9435257A83D6408C600DC4DF
test message^M

------9200C78F9435257A83D6408C600DC4DF
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIDmQYJKoZIhvcNAQcCoIIDijCCA4YCAQExDTALBglghkgBZQMEAgEwCwYJKoZI
hvcNAQcBoIIBwTCCAb0wggFjoAMCAQICCAvGymLEvWh7MAoGCCqGSM49BAMCMEAx
CzAJBgNVBAYTAktSMQ4wDAYDVQQKEwVSYW5peDEOMAwGA1UECxMFRGV2ZWwxETAP
BgNVBAMMCEVDRFNBX0NBMB4XDTIzMDQwNjA5MzYwMFoXDTI0MDQwNjA5MzYwMFow
QjELMAkGA1UEBhMCS1IxDjAMBgNVBAoTBVJhbml4MQ4wDAYDVQQLEwVEZXZlbDET
MBEGA1UEAwwKQ01TX1NpZ25lcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJUZ
Fpx8Uvbset2RED8HpgHZmPpnuHswjSaDl65sl2JMy43E8ME13LphsOr5B9dd86A4
swfRT9lJ3UPQA761NnqjRTBDMA4GA1UdDwEB/wQEAwID+DAxBgNVHSUEKjAoBggr
BgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBDAKBggqhkjOPQQD
AgNIADBFAiEA2mqmjaawFtRpEtklxaMjMxVaRySMxA3qsVMNOFO/5CQCICqcaUs+
x4MyBBgFuGqSvIYIRTZdznc1D2VlXBNWHwv9MYIBnjCCAZoCAQEwTDBAMQswCQYD
VQQGEwJLUjEOMAwGA1UEChMFUmFuaXgxDjAMBgNVBAsTBURldmVsMREwDwYDVQQD
DAhFQ0RTQV9DQQIIC8bKYsS9aHswCwYJYIZIAWUDBAIBoIHkMBgGCSqGSIb3DQEJ
AzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIzMDQwNjA5MzkyNFowLwYJ
KoZIhvcNAQkEMSIEID2+rP15X+LtXg5WMjtDQmjETKwoOsQzZCuW8s/EQ2NbMHkG
CSqGSIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgB
ZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFA
MAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAoGCCqGSM49BAMCBEcwRQIhALmYtZhM
r6rLZLUn23FoAOtBmKmB03D8n7NmTRmzXYeYAiAm4aOpdcbYHCy0r5JGYupLl/yX
6PW6lTGMQ14nUMH0og==

------9200C78F9435257A83D6408C600DC4DF--

μ—¬κΈ°μ„œ ν•΄λ‹Ή λ‚΄μš©μ„ BerEditor 둜 λ””μ½”λ”© ν•œ 그림은 λ‹€μŒκ³Ό κ°™λ‹€.

Signed Data 메세지 검증

openssl cms -verify -in out.msg -signer ecdsa_cert.pem -CAfile chain.crt -out content.txt

chain.crt : ecdsa_cert.pem 에 λŒ€ν•œ 체인 μΈμ¦μ„œ 정보가 PEM ν˜•μ‹μœΌλ‘œ 지원 ν•΄μ•Ό ν•œλ‹€.
체인 νŒŒμΌμ€ ecdsa_cert.pem μΈμ¦μ„œλ₯Ό λ°œκΈ‰ν•œ CAμΈμ¦μ„œ λΆ€ν„° μ΅œμƒμœ„ RootCA μΈμ¦μ„œλ₯Ό  PEM ν˜•μ‹μ˜ μΈμ¦μ„œ 정보λ₯Ό λ‚˜μ—΄ν•œ νŒŒμΌμ΄λ‹€.

Enveloped Data 메세지 생성

openssl cms -encrypt -in test.txt -recip ecdsa_cert.pem -out enc_data.txt

μƒμ„±λœ enc_data.txt νŒŒμΌμ„ μ—΄μ–΄ 보면 λ‹€μŒ 처럼 λ‚˜μ˜¨λ‹€.

MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBQQYJKoZIhvcNAQcDoIIBMjCCAS4CAQIxgfOhgfACAQOgUaFPMAkGByqGSM49
AgEDQgAEKkl2wlB6iHgqLzzLab5MCcclfuKMQAJBEF9nWoMP0gezqI4SLSW/xSwU
yAbU3X/6wB6/H0d4t4L60anVBpi2OzAcBgkrgQUQhkg/AAIwDwYLKoZIhvcNAQkQ
AwYFADB6MHgwTDBAMQswCQYDVQQGEwJLUjEOMAwGA1UEChMFUmFuaXgxDjAMBgNV
BAsTBURldmVsMREwDwYDVQQDDAhFQ0RTQV9DQQIIC8bKYsS9aHsEKOQzy0VBgpF9
dr2TnmjgGFyHHd7e0wgCgkJm3z/AeaaszvmtYiZoB3YwMwYJKoZIhvcNAQcBMBQG
CCqGSIb3DQMHBAjwK4BkxX3LEIAQPKe81tqYB3KgN3Rdikh5hA==

그리고 생성 된 λ‚΄μš©μ„ BerEditor 둜 λ””μ½”λ”© 화면이닀.

Enveloped Data λ³΅ν˜Έν™”

openssl cms -decrypt -in enc_data.txt -inkey ecdsa_pri.pem -out plain_data.txt

μ—¬κΈ°μ„œλŠ” κ°„λ‹¨νžˆ SignedData 와 EnvelopedData ν˜•μ‹μ˜ CMS 메세지에 λ§Œλ“œλŠ”κ²ƒμ„ ν•΄λ³΄μ•˜λ‹€.
사싀 CMS λž‘ PKCS#7 은 같은 ν˜•μ‹μ΄μ§€λ§Œ 버전에 λ”°λ₯Έ μž‘μ€ μ°¨μ΄λŠ” μ‘΄μž¬ν•œλ‹€.

μ €μž‘μžν‘œμ‹œ

'Manual > OpenSSL' μΉ΄ν…Œκ³ λ¦¬μ˜ λ‹€λ₯Έ κΈ€

[OpenSSL] OCSP 와 TSP λͺ…λ Ήμ–΄  (0) 2023.04.07
[OpenSSL] PKCS#12 (PFX) 파일 λ§Œλ“€κΈ° λͺ…λ Ήμ–΄  (0) 2023.04.07
[OpenSSL] RSA κ°œμΈν‚€ (PrivateKey) 생성 λͺ…λ Ήμ–΄  (0) 2023.04.06
[OpenSSL] ECDSA 용 Self-Sign μΈμ¦μ„œ λ§Œλ“€κΈ°  (0) 2023.04.05
[OpenSSL] TLS μ„œλ²„ ν…ŒμŠ€νŠΈ  (0) 2023.04.05

'Manual/OpenSSL'의 λ‹€λ₯ΈκΈ€

  • ν˜„μž¬κΈ€[OpenSSL] CMS ( Cryptographic Message Syntax ) λͺ…λ Ήμ–΄ μ‚¬μš©λ²•

κ΄€λ ¨κΈ€

λŒ“κΈ€

ν‹°μŠ€ν† λ¦¬νˆ΄λ°”