Created
March 25, 2013 18:34
-
-
Save Jacob640/5239454 to your computer and use it in GitHub Desktop.
This script demonstrates a bug in the Ruby 2.0.0 and earlier pkcs7 implementation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# N.B. the keys used below were generated using OpenSSL for the | |
# purposes of this demostration. | |
def test_PKCS7_with_safe_keys | |
key = OpenSSL::PKey::EC.new('-----BEGIN EC PARAMETERS----- | |
BgUrgQQAIw== | |
-----END EC PARAMETERS----- | |
-----BEGIN EC PRIVATE KEY----- | |
MIHbAgEBBEFh83G8HDYW7TR9P0D0Op1NLIgyMPeQd1s3+XcBgYklLlbvy/SXVFHD | |
xKl1dZl4X0CdparHh/Z0pA7g7w+0MIJPpaAHBgUrgQQAI6GBiQOBhgAEATYioVwp | |
+IJNCuYPxm5h1QzY9vhoOH9XThwE65YR+G7mUhWz38eM8UGkUNweGEuFa05Wrms5 | |
sGgjrcDhQPYVvKOEAH6HtYUxs/IlPCrCfuwb7tqc0C1aU5Ucj+uxJbt3xkPvWqtT | |
mIJ9BBrFsiN7aPO4KkZlJaENtymC4aLim1dvo8wX | |
-----END EC PRIVATE KEY-----') | |
cert = OpenSSL::X509::Certificate.new('-----BEGIN CERTIFICATE----- | |
MIICvzCCAiECAQIwCQYHKoZIzj0EATCBojELMAkGA1UEBhMCQVUxGTAXBgNVBAgU | |
EEVDX1RFU1RfUFJPVklOQ0UxFTATBgNVBAcUDEVDX1RFU1RfQ0lUWTEUMBIGA1UE | |
ChQLRUNfVEVTVF9PUkcxFTATBgNVBAsUDEVDX1RFU1RfVU5JVDETMBEGA1UEAxQK | |
RUNfVEVTVF9DQTEfMB0GCSqGSIb3DQEJARYQRUNfVEVTVF9DQV9FTUFJTDAeFw0x | |
MzAzMjUxODAwMzVaFw0xNDAzMjUxODAwMzVaMIGtMQswCQYDVQQGEwJBVTEbMBkG | |
A1UECBQSVEVTVF9DRVJUX1BST1ZJTkNFMRcwFQYDVQQHFA5URVNUX0NFUlRfQ0lU | |
WTEWMBQGA1UEChQNVEVTVF9DRVJUX09SRzEXMBUGA1UECxQOVEVTVF9DRVJUX1VO | |
SVQxFzAVBgNVBAMUDlRFU1RfQ0VSVF9OQU1FMR4wHAYJKoZIhvcNAQkBFg9URVNU | |
X0NFUlRfRU1BSUwwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAE2IqFcKfiCTQrm | |
D8ZuYdUM2Pb4aDh/V04cBOuWEfhu5lIVs9/HjPFBpFDcHhhLhWtOVq5rObBoI63A | |
4UD2FbyjhAB+h7WFMbPyJTwqwn7sG+7anNAtWlOVHI/rsSW7d8ZD71qrU5iCfQQa | |
xbIje2jzuCpGZSWhDbcpguGi4ptXb6PMFzAJBgcqhkjOPQQBA4GMADCBiAJCAXTz | |
Iqc0wrA6URtnw2FAGZfPc4zEXPaMIQNJvoUHKc+4aJdCsyeGpqJ+83tykhRZQw5t | |
CtlfzPUXK6Iu0bYoU7bwAkIBm3jvz2SOP8PXnfrf7i3w3PW75iRX8lyNw9dM5N/i | |
D7/IIXSl0lptOV1+t4JteiT0jGfSgxd7UjLtGqL/3Jv31pA= | |
-----END CERTIFICATE----- | |
') | |
ca = OpenSSL::X509::Certificate.new('-----BEGIN CERTIFICATE----- | |
MIICszCCAhYCAQEwCQYHKoZIzj0EATCBojELMAkGA1UEBhMCQVUxGTAXBgNVBAgU | |
EEVDX1RFU1RfUFJPVklOQ0UxFTATBgNVBAcUDEVDX1RFU1RfQ0lUWTEUMBIGA1UE | |
ChQLRUNfVEVTVF9PUkcxFTATBgNVBAsUDEVDX1RFU1RfVU5JVDETMBEGA1UEAxQK | |
RUNfVEVTVF9DQTEfMB0GCSqGSIb3DQEJARYQRUNfVEVTVF9DQV9FTUFJTDAeFw0x | |
MzAzMjUxNzU0NTdaFw0xNDAzMjUxNzU0NTdaMIGiMQswCQYDVQQGEwJBVTEZMBcG | |
A1UECBQQRUNfVEVTVF9QUk9WSU5DRTEVMBMGA1UEBxQMRUNfVEVTVF9DSVRZMRQw | |
EgYDVQQKFAtFQ19URVNUX09SRzEVMBMGA1UECxQMRUNfVEVTVF9VTklUMRMwEQYD | |
VQQDFApFQ19URVNUX0NBMR8wHQYJKoZIhvcNAQkBFhBFQ19URVNUX0NBX0VNQUlM | |
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAYe43oO7r7/nP3c4RM97MOrRzW2Ms | |
n8ibh/gfR5Gd5cHMENBZoVNmsGzwoDLGEWP4XOYP2U3meqiRUhwT9g+X8mAAbmbi | |
CTRtg0va4pU0/RuvTfVntXX/7nJqdUjmB/YTazSoqCbdxawHzIiI0nT8Cpd+RVJ6 | |
ueVo3LEjdnOnHAL+rdQwCQYHKoZIzj0EAQOBiwAwgYcCQRnsKQc1TkMiRf60ECxm | |
6bHm0/ZVjgRDCPacsKjHtchaV/2yEw+9/2yLgSxLH1kDBfHEqgQyhgDUhiHs37gY | |
7TNtAkIBXyPBSQ9v3zlVUj8sAhnnRYhy6+JwEdKcs8DOwVCwgetyUobkVZ5/kVWF | |
2APFiOeTs4Lig9Iku5zAL4PaGFfgcsQ= | |
-----END CERTIFICATE----- | |
') | |
# Create certificate store for master CA | |
cert_store = OpenSSL::X509::Store.new() | |
cert_store.add_cert ca | |
# Sign with cert key | |
ca_certs = [ca] | |
data = 'Message to be protected' | |
tmp = OpenSSL::PKCS7.sign(cert, key, data, []) | |
p7 = OpenSSL::PKCS7.new(tmp.to_pem) | |
# Quick Verification of signature | |
if (p7.verify([], cert_store) == true) then puts 'Verified' end | |
puts 'Data mismatch' unless data == p7.data | |
end | |
# Monkey patch round bug | |
class OpenSSL::PKey::EC | |
def private? | |
return self.private_key? | |
end | |
end unless ARGV[0] != 'PATCH' | |
test_PKCS7_with_safe_keys |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment