@Jacob640
Created March 25, 2013 18:34
This script demonstrates a bug in the PKCS7 implementation of Ruby 2.0.0 and earlier.
require 'openssl'

# N.B. the keys used below were generated using OpenSSL for the
# purposes of this demonstration.
def test_PKCS7_with_safe_keys
  key = OpenSSL::PKey::EC.new('-----BEGIN EC PARAMETERS-----
BgUrgQQAIw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIHbAgEBBEFh83G8HDYW7TR9P0D0Op1NLIgyMPeQd1s3+XcBgYklLlbvy/SXVFHD
xKl1dZl4X0CdparHh/Z0pA7g7w+0MIJPpaAHBgUrgQQAI6GBiQOBhgAEATYioVwp
+IJNCuYPxm5h1QzY9vhoOH9XThwE65YR+G7mUhWz38eM8UGkUNweGEuFa05Wrms5
sGgjrcDhQPYVvKOEAH6HtYUxs/IlPCrCfuwb7tqc0C1aU5Ucj+uxJbt3xkPvWqtT
mIJ9BBrFsiN7aPO4KkZlJaENtymC4aLim1dvo8wX
-----END EC PRIVATE KEY-----')
cert = OpenSSL::X509::Certificate.new('-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
')
ca = OpenSSL::X509::Certificate.new('-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
')
  # Create certificate store for master CA
  cert_store = OpenSSL::X509::Store.new
  cert_store.add_cert ca
  # Sign with cert key. This is the call that exercises the bug: it is given
  # an EC key, which the monkey patch below extends with a private? method.
  ca_certs = [ca]
  data = 'Message to be protected'
  tmp = OpenSSL::PKCS7.sign(cert, key, data, [])
  # Round-trip through PEM to get a fresh PKCS7 object to verify
  p7 = OpenSSL::PKCS7.new(tmp.to_pem)
  # Quick verification of signature
  puts 'Verified' if p7.verify([], cert_store) == true
  puts 'Data mismatch' unless data == p7.data
end
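# Monkey patch around the bug: define private? on EC keys by delegating to
# private_key?. Applied only when the script is run with PATCH as its
# first argument.
class OpenSSL::PKey::EC
  def private?
    private_key?
  end
end if ARGV[0] == 'PATCH'

test_PKCS7_with_safe_keys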