public
Created

This script demonstrates a bug in the Ruby 2.0.0 and earlier pkcs7 implementation

  • Download Gist
ruby_pkcs7_ec_bug.rb
Ruby
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85
# N.B. the keys used below were generated using OpenSSL for the
# purposes of this demostration.
def test_PKCS7_with_safe_keys
key = OpenSSL::PKey::EC.new('-----BEGIN EC PARAMETERS-----
BgUrgQQAIw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIHbAgEBBEFh83G8HDYW7TR9P0D0Op1NLIgyMPeQd1s3+XcBgYklLlbvy/SXVFHD
xKl1dZl4X0CdparHh/Z0pA7g7w+0MIJPpaAHBgUrgQQAI6GBiQOBhgAEATYioVwp
+IJNCuYPxm5h1QzY9vhoOH9XThwE65YR+G7mUhWz38eM8UGkUNweGEuFa05Wrms5
sGgjrcDhQPYVvKOEAH6HtYUxs/IlPCrCfuwb7tqc0C1aU5Ucj+uxJbt3xkPvWqtT
mIJ9BBrFsiN7aPO4KkZlJaENtymC4aLim1dvo8wX
-----END EC PRIVATE KEY-----')
cert = OpenSSL::X509::Certificate.new('-----BEGIN CERTIFICATE-----
MIICvzCCAiECAQIwCQYHKoZIzj0EATCBojELMAkGA1UEBhMCQVUxGTAXBgNVBAgU
EEVDX1RFU1RfUFJPVklOQ0UxFTATBgNVBAcUDEVDX1RFU1RfQ0lUWTEUMBIGA1UE
ChQLRUNfVEVTVF9PUkcxFTATBgNVBAsUDEVDX1RFU1RfVU5JVDETMBEGA1UEAxQK
RUNfVEVTVF9DQTEfMB0GCSqGSIb3DQEJARYQRUNfVEVTVF9DQV9FTUFJTDAeFw0x
MzAzMjUxODAwMzVaFw0xNDAzMjUxODAwMzVaMIGtMQswCQYDVQQGEwJBVTEbMBkG
A1UECBQSVEVTVF9DRVJUX1BST1ZJTkNFMRcwFQYDVQQHFA5URVNUX0NFUlRfQ0lU
WTEWMBQGA1UEChQNVEVTVF9DRVJUX09SRzEXMBUGA1UECxQOVEVTVF9DRVJUX1VO
SVQxFzAVBgNVBAMUDlRFU1RfQ0VSVF9OQU1FMR4wHAYJKoZIhvcNAQkBFg9URVNU
X0NFUlRfRU1BSUwwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAE2IqFcKfiCTQrm
D8ZuYdUM2Pb4aDh/V04cBOuWEfhu5lIVs9/HjPFBpFDcHhhLhWtOVq5rObBoI63A
4UD2FbyjhAB+h7WFMbPyJTwqwn7sG+7anNAtWlOVHI/rsSW7d8ZD71qrU5iCfQQa
xbIje2jzuCpGZSWhDbcpguGi4ptXb6PMFzAJBgcqhkjOPQQBA4GMADCBiAJCAXTz
Iqc0wrA6URtnw2FAGZfPc4zEXPaMIQNJvoUHKc+4aJdCsyeGpqJ+83tykhRZQw5t
CtlfzPUXK6Iu0bYoU7bwAkIBm3jvz2SOP8PXnfrf7i3w3PW75iRX8lyNw9dM5N/i
D7/IIXSl0lptOV1+t4JteiT0jGfSgxd7UjLtGqL/3Jv31pA=
-----END CERTIFICATE-----
')
ca = OpenSSL::X509::Certificate.new('-----BEGIN CERTIFICATE-----
MIICszCCAhYCAQEwCQYHKoZIzj0EATCBojELMAkGA1UEBhMCQVUxGTAXBgNVBAgU
EEVDX1RFU1RfUFJPVklOQ0UxFTATBgNVBAcUDEVDX1RFU1RfQ0lUWTEUMBIGA1UE
ChQLRUNfVEVTVF9PUkcxFTATBgNVBAsUDEVDX1RFU1RfVU5JVDETMBEGA1UEAxQK
RUNfVEVTVF9DQTEfMB0GCSqGSIb3DQEJARYQRUNfVEVTVF9DQV9FTUFJTDAeFw0x
MzAzMjUxNzU0NTdaFw0xNDAzMjUxNzU0NTdaMIGiMQswCQYDVQQGEwJBVTEZMBcG
A1UECBQQRUNfVEVTVF9QUk9WSU5DRTEVMBMGA1UEBxQMRUNfVEVTVF9DSVRZMRQw
EgYDVQQKFAtFQ19URVNUX09SRzEVMBMGA1UECxQMRUNfVEVTVF9VTklUMRMwEQYD
VQQDFApFQ19URVNUX0NBMR8wHQYJKoZIhvcNAQkBFhBFQ19URVNUX0NBX0VNQUlM
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAYe43oO7r7/nP3c4RM97MOrRzW2Ms
n8ibh/gfR5Gd5cHMENBZoVNmsGzwoDLGEWP4XOYP2U3meqiRUhwT9g+X8mAAbmbi
CTRtg0va4pU0/RuvTfVntXX/7nJqdUjmB/YTazSoqCbdxawHzIiI0nT8Cpd+RVJ6
ueVo3LEjdnOnHAL+rdQwCQYHKoZIzj0EAQOBiwAwgYcCQRnsKQc1TkMiRf60ECxm
6bHm0/ZVjgRDCPacsKjHtchaV/2yEw+9/2yLgSxLH1kDBfHEqgQyhgDUhiHs37gY
7TNtAkIBXyPBSQ9v3zlVUj8sAhnnRYhy6+JwEdKcs8DOwVCwgetyUobkVZ5/kVWF
2APFiOeTs4Lig9Iku5zAL4PaGFfgcsQ=
-----END CERTIFICATE-----
')
# Create certificate store for master CA
cert_store = OpenSSL::X509::Store.new()
cert_store.add_cert ca
# Sign with cert key
ca_certs = [ca]
data = 'Message to be protected'
tmp = OpenSSL::PKCS7.sign(cert, key, data, [])
p7 = OpenSSL::PKCS7.new(tmp.to_pem)
# Quick Verification of signature
if (p7.verify([], cert_store) == true) then puts 'Verified' end
puts 'Data mismatch' unless data == p7.data
end
# Monkey patch round bug
class OpenSSL::PKey::EC
def private?
return self.private_key?
end
end unless ARGV[0] != 'PATCH'
test_PKCS7_with_safe_keys

Please sign in to comment on this gist.

Something went wrong with that request. Please try again.