Manual/OpenSSL

[OpenSSL] CMS ( Cryptographic Message Syntax ) ๋ช…๋ น์–ด ์‚ฌ์šฉ๋ฒ•

JayKim๐Ÿ™‚ 2023. 4. 6. 18:19

CMS ๋Š” Cryptographic Message Syntax ์˜ ์•ฝ์ž๋กœ RFC5652 ์— ์ •์˜ ๋œ ํ‘œ์ค€์ด๋‹ค.

CMS ๋ช…๋ น์–ด๋Š” ๋ฐ์ดํƒ€ ์„œ๋ช…์ด๋‚˜ ๋ฐ์ดํƒ€ ์•”ํ˜ธํ™”๋ฅผ ์œ„ํ•œ ํ‘œ์ค€ ๋ฐ์ดํƒ€ ํ˜•์‹์ด๋‹ค.
์ด ๋ฐ์ดํƒ€๋Š” PKCS#7 ํ˜•์‹์˜ ๋ฐ์ดํƒ€ ์ด๋‹ค.

์ž์„ธํ•œ ๋ช…๋ น์–ด ์„ค๋ช… ์ฃผ์†Œ์ด๋‹ค.
https://www.openssl.org/docs/man3.0/man1/openssl-cms.html

CMS ๋ฉ”์„ธ์ง€ ASN.1 ํ˜•์‹

์•„๋ž˜ ASN.1 ํ˜•์‹์˜ CMS ๋ฉ”์„ธ์ง€์— ๋Œ€ํ•œ ์ผ ๋ถ€๋ถ„์˜ ํ˜•์‹ ๋‚ด์šฉ์„ ๋ณด์—ฌ ์ค€๋‹ค.

   ContentInfo ::= SEQUENCE {
     contentType ContentType,
     content [0] EXPLICIT ANY DEFINED BY contentType }

   ContentType ::= OBJECT IDENTIFIER

   SignedData ::= SEQUENCE {
     version CMSVersion,
     digestAlgorithms DigestAlgorithmIdentifiers,
     encapContentInfo EncapsulatedContentInfo,
     certificates [0] IMPLICIT CertificateSet OPTIONAL,
     crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
     signerInfos SignerInfos }

  EnvelopedData ::= SEQUENCE {
     version CMSVersion,
     originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
     recipientInfos RecipientInfos,
     encryptedContentInfo EncryptedContentInfo,
     unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL }

Signed Data ๋ฉ”์„ธ์ง€ ์ƒ์„ฑ

์ด ๋ฉ”์„ธ์ง€๋Š” ์›๋ฌธ์— ์ „์ž ์„œ๋ช…์„ ์ƒ์„ฑํ•˜๊ณ  ์›๋ฌธ์ž์ฒด๋Š” ๊ทธ๋Œ€๋กœ ๋ณด์—ฌ ์ค€๋‹ค.

openssl cms -sign -in test.txt -out out.msg -signer ecdsa_cert.pem -inkey ecdsa_private_key.pem

out.msg : ์ƒ์„ฑ ๋œ SignedData ๋ฉ”์„ธ์ง€ ์ด๋‹ค.
๊ฒฐ๊ณผ ํŒŒ์ผ์˜ ๋‚ด์šฉ์„ ๋ณด๋ฉด

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----9200C78F9435257A83D6408C600DC4DF"

This is an S/MIME signed message

------9200C78F9435257A83D6408C600DC4DF
test message^M

------9200C78F9435257A83D6408C600DC4DF
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIDmQYJKoZIhvcNAQcCoIIDijCCA4YCAQExDTALBglghkgBZQMEAgEwCwYJKoZI
hvcNAQcBoIIBwTCCAb0wggFjoAMCAQICCAvGymLEvWh7MAoGCCqGSM49BAMCMEAx
CzAJBgNVBAYTAktSMQ4wDAYDVQQKEwVSYW5peDEOMAwGA1UECxMFRGV2ZWwxETAP
BgNVBAMMCEVDRFNBX0NBMB4XDTIzMDQwNjA5MzYwMFoXDTI0MDQwNjA5MzYwMFow
QjELMAkGA1UEBhMCS1IxDjAMBgNVBAoTBVJhbml4MQ4wDAYDVQQLEwVEZXZlbDET
MBEGA1UEAwwKQ01TX1NpZ25lcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJUZ
Fpx8Uvbset2RED8HpgHZmPpnuHswjSaDl65sl2JMy43E8ME13LphsOr5B9dd86A4
swfRT9lJ3UPQA761NnqjRTBDMA4GA1UdDwEB/wQEAwID+DAxBgNVHSUEKjAoBggr
BgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBDAKBggqhkjOPQQD
AgNIADBFAiEA2mqmjaawFtRpEtklxaMjMxVaRySMxA3qsVMNOFO/5CQCICqcaUs+
x4MyBBgFuGqSvIYIRTZdznc1D2VlXBNWHwv9MYIBnjCCAZoCAQEwTDBAMQswCQYD
VQQGEwJLUjEOMAwGA1UEChMFUmFuaXgxDjAMBgNVBAsTBURldmVsMREwDwYDVQQD
DAhFQ0RTQV9DQQIIC8bKYsS9aHswCwYJYIZIAWUDBAIBoIHkMBgGCSqGSIb3DQEJ
AzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIzMDQwNjA5MzkyNFowLwYJ
KoZIhvcNAQkEMSIEID2+rP15X+LtXg5WMjtDQmjETKwoOsQzZCuW8s/EQ2NbMHkG
CSqGSIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgB
ZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFA
MAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAoGCCqGSM49BAMCBEcwRQIhALmYtZhM
r6rLZLUn23FoAOtBmKmB03D8n7NmTRmzXYeYAiAm4aOpdcbYHCy0r5JGYupLl/yX
6PW6lTGMQ14nUMH0og==

------9200C78F9435257A83D6408C600DC4DF--

์—ฌ๊ธฐ์„œ ํ•ด๋‹น ๋‚ด์šฉ์„ BerEditor ๋กœ ๋””์ฝ”๋”ฉ ํ•œ ๊ทธ๋ฆผ์€ ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค.

Signed Data ๋ฉ”์„ธ์ง€ ๊ฒ€์ฆ

openssl cms -verify -in out.msg -signer ecdsa_cert.pem -CAfile chain.crt -out content.txt

chain.crt : ecdsa_cert.pem ์— ๋Œ€ํ•œ ์ฒด์ธ ์ธ์ฆ์„œ ์ •๋ณด๊ฐ€ PEM ํ˜•์‹์œผ๋กœ ์ง€์› ํ•ด์•ผ ํ•œ๋‹ค.
์ฒด์ธ ํŒŒ์ผ์€ ecdsa_cert.pem ์ธ์ฆ์„œ๋ฅผ ๋ฐœ๊ธ‰ํ•œ CA์ธ์ฆ์„œ ๋ถ€ํ„ฐ ์ตœ์ƒ์œ„ RootCA ์ธ์ฆ์„œ๋ฅผ  PEM ํ˜•์‹์˜ ์ธ์ฆ์„œ ์ •๋ณด๋ฅผ ๋‚˜์—ดํ•œ ํŒŒ์ผ์ด๋‹ค.

Enveloped Data ๋ฉ”์„ธ์ง€ ์ƒ์„ฑ

openssl cms -encrypt -in test.txt -recip ecdsa_cert.pem -out enc_data.txt

์ƒ์„ฑ๋œ enc_data.txt ํŒŒ์ผ์„ ์—ด์–ด ๋ณด๋ฉด ๋‹ค์Œ ์ฒ˜๋Ÿผ ๋‚˜์˜จ๋‹ค.

MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBQQYJKoZIhvcNAQcDoIIBMjCCAS4CAQIxgfOhgfACAQOgUaFPMAkGByqGSM49
AgEDQgAEKkl2wlB6iHgqLzzLab5MCcclfuKMQAJBEF9nWoMP0gezqI4SLSW/xSwU
yAbU3X/6wB6/H0d4t4L60anVBpi2OzAcBgkrgQUQhkg/AAIwDwYLKoZIhvcNAQkQ
AwYFADB6MHgwTDBAMQswCQYDVQQGEwJLUjEOMAwGA1UEChMFUmFuaXgxDjAMBgNV
BAsTBURldmVsMREwDwYDVQQDDAhFQ0RTQV9DQQIIC8bKYsS9aHsEKOQzy0VBgpF9
dr2TnmjgGFyHHd7e0wgCgkJm3z/AeaaszvmtYiZoB3YwMwYJKoZIhvcNAQcBMBQG
CCqGSIb3DQMHBAjwK4BkxX3LEIAQPKe81tqYB3KgN3Rdikh5hA==

๊ทธ๋ฆฌ๊ณ  ์ƒ์„ฑ ๋œ ๋‚ด์šฉ์„ BerEditor ๋กœ ๋””์ฝ”๋”ฉ ํ™”๋ฉด์ด๋‹ค.

Enveloped Data ๋ณตํ˜ธํ™”

openssl cms -decrypt -in enc_data.txt -inkey ecdsa_pri.pem -out plain_data.txt

์—ฌ๊ธฐ์„œ๋Š” ๊ฐ„๋‹จํžˆ SignedData ์™€ EnvelopedData ํ˜•์‹์˜ CMS ๋ฉ”์„ธ์ง€์— ๋งŒ๋“œ๋Š”๊ฒƒ์„ ํ•ด๋ณด์•˜๋‹ค.
์‚ฌ์‹ค CMS ๋ž‘ PKCS#7 ์€ ๊ฐ™์€ ํ˜•์‹์ด์ง€๋งŒ ๋ฒ„์ „์— ๋”ฐ๋ฅธ ์ž‘์€ ์ฐจ์ด๋Š” ์กด์žฌํ•œ๋‹ค.

๋ฐ˜์‘ํ˜•
์ €์ž‘์žํ‘œ์‹œ

'Manual > OpenSSL' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

[OpenSSL] OCSP ์™€ TSP ๋ช…๋ น์–ด  (0) 2023.04.07
[OpenSSL] PKCS#12 (PFX) ํŒŒ์ผ ๋งŒ๋“ค๊ธฐ ๋ช…๋ น์–ด  (0) 2023.04.07
[OpenSSL] RSA ๊ฐœ์ธํ‚ค (PrivateKey) ์ƒ์„ฑ ๋ช…๋ น์–ด  (0) 2023.04.06
[OpenSSL] ECDSA ์šฉ Self-Sign ์ธ์ฆ์„œ ๋งŒ๋“ค๊ธฐ  (0) 2023.04.05
[OpenSSL] TLS ์„œ๋ฒ„ ํ…Œ์ŠคํŠธ  (0) 2023.04.05

'Manual/OpenSSL'์˜ ๋‹ค๋ฅธ๊ธ€

  • ํ˜„์žฌ๊ธ€[OpenSSL] CMS ( Cryptographic Message Syntax ) ๋ช…๋ น์–ด ์‚ฌ์šฉ๋ฒ•

๊ด€๋ จ๊ธ€

๋Œ“๊ธ€

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”