@mikekelly
Forked from zmajstor/pksc7_verify.rb
Created March 19, 2021 22:57
OpenSSL::PKCS7#verify test
require 'openssl'
require 'base64'
require "test/unit"
# Exact bytes the signature is verified against: an Apple-style property
# list carrying Status and UDID keys. Assembled line by line so the structure
# is readable; the tab indentation and the trailing newline are part of the
# signed content and must not be normalised away (the test below shows that
# any change to the content makes #verify return false).
BODY = [
  '<?xml version="1.0" encoding="UTF-8"?>',
  '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">',
  '<plist version="1.0">',
  '<dict>',
  "\t<key>Status</key>",
  "\t<string>Idle</string>",
  "\t<key>UDID</key>",
  "\t<string>b7ebaaa53fda9be2f7787eff7c1f4aca4e36f79d</string>",
  '</dict>',
  '</plist>'
].map { |line| "#{line}\n" }.join
# Base64 of the DER-encoded PKCS#7 SignedData; the test passes BODY alongside
# it, i.e. it is treated as a detached signature over BODY. The value itself
# is not reproduced in this listing.
SIGNATURE_BASE64 = "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"
# The signer (end-entity) certificate expected to have produced
# SIGNATURE_BASE64. Under NOINTERN the +certs+ argument is the only place
# #verify looks for the signer, and under NOCHAIN it has to chain to ROOT_CA
# using the store alone; the positive test below passes only if it does.
# The PEM body is not reproduced in this listing, so subject, serial and
# validity period cannot be confirmed here.
# NOTE(review): if, like ANOTHER_CERT, it carries a SHA-1 signature, the
# positive test is expected to fail on OpenSSL builds that reject SHA-1
# signatures in chains (e.g. OpenSSL 3.x at its default security level).
TRUSTED_CERT = OpenSSL::X509::Certificate.new <<-CERT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
CERT
# A second end-entity certificate used only in the negative cases. Decoding
# the PEM (openssl x509 -noout -text) shows CN=luka@promdm.net, issued by
# PromdmNETRootCAv1 with an authority key identifier equal to ROOT_CA's
# subject key identifier, valid 2015-05-11 to 2016-05-10, signed with
# sha1WithRSAEncryption. It is long expired, but that is irrelevant here:
# with NOINTERN #verify is expected to fail to locate the signer at all
# (issuer/serial differ from the SignerInfo) and return false before any
# chain or digest check runs.
ANOTHER_CERT = OpenSSL::X509::Certificate.new <<-ANOTHER_CERT
-----BEGIN CERTIFICATE-----
MIIFbzCCBFegAwIBAgITUgAADi3Zs2e69eiOewAAAAAOLTANBgkqhkiG9w0BAQUF
ADBJMRMwEQYKCZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGcHJvbWRt
MRowGAYDVQQDExFQcm9tZG1ORVRSb290Q0F2MTAeFw0xNTA1MTEyMDE2NTRaFw0x
NjA1MTAyMDE2NTRaMBoxGDAWBgNVBAMMD2x1a2FAcHJvbWRtLm5ldDCCAiIwDQYJ
KoZIhvcNAQEBBQADggIPADCCAgoCggIBAL6ivK4EWpPQnfKzZ4MmGVZD3Um3TAT8
0Bh9NsJhhGcuYDxEDkMC6At9WrBXJ5nMMlMsVxcuOVUnafVNeCEs5OZt/iBIuPMT
5NhROnMyrLQ44FKTBkfzcUOEoV6mhlLec9f9siOo84sh4xDkx4CxoK0ARQP6MUKC
XKiwTRrkhIcqVMpRu9l3zOY8DAqCiCNdx4TvRQazc7Dy4slCg/0rK7bNVj6pUpws
UnI/hFNpSCjcndeFuKM2CR7LkuFHzkfWxW5zJ/RwmZoMo0G9pTLvww6v7Fhj1w3k
wWWm72bKS5ABYj3u13dzvpO1iwSmBOh9ve/bykckzXJ8g/ZDYChv+qdJ904KyGju
J5DtN0lWCCY5Ik9R9JeGSIThcjX507HQWRVlJtpraHjwGhOYxiZboXhENxewsIZa
wC7Q0LwTmLOmkzdPaxraBqjciUoeLI4CS2f3L5spSAM/KmEZV7B4QSs7nGveaQzC
mjmccyLW8A5aQVdLUpxvTOCQxoJWfpzZn738QS8ahQmSzpdO4Xl0P2dL+BNyxgyn
Vvs/liBAUcZmEmxQ3pgDA3bUXI+Fdj2oP9/YPADVZuItg20RlnpZjeSJDEYHkarS
4lNR+Zd0kVxYkHw5HKu4fcnSU18mBpvX5MxcxR5otg2xC19y0+n+gAmLZ1UvBVAV
LtpEWPucALy7AgMBAAGjggF9MIIBeTAdBgNVHQ4EFgQUQsFZECEUWtjpMV/eJmuN
eR0t4XUwHwYDVR0jBBgwFoAUOkBhIRg6S6cooasjqbukaO4MErkwTAYDVR0fBEUw
QzBBoD+gPYY7aHR0cDovL2Nsb3VkcGtpLnByb21kbS5uZXQvQ2VydEVucm9sbC9Q
cm9tZG1ORVRSb290Q0F2MS5jcmwwawYIKwYBBQUHAQEEXzBdMFsGCCsGAQUFBzAC
hk9odHRwOi8vY2xvdWRwa2kucHJvbWRtLm5ldC9DZXJ0RW5yb2xsL2Nsb3VkcGtp
LnByb21kbS5uZXRfUHJvbWRtTkVUUm9vdENBdjEuY3J0MAsGA1UdDwQEAwIEsDA9
BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiGlL4NgYuof4S9iyeHttZfgvWiHwiB
m9JQhMW9DQIBZAIBLjATBgNVHSUEDDAKBggrBgEFBQcDAjAbBgkrBgEEAYI3FQoE
DjAMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQCzJKWE76aPURvjgm8a
leCfJtis9a9264YprF6dMGHA38QfGdCMX/pCNG0j2cCYE28UmcOMK9s5vUZk4pUH
WBji2eEYy4hYmlyUes3yK83OU2cpr9L+2oi/UntLJYZSpM4y5v/RgM3jiG1MswWY
ve3ihcguSD1K4Tkp5O/PoFICpYoYmLV2l+fT7lK05A87z4y7cajUXMoT4od/crIh
JC+a0ok4pE1fXoK7OiaxyiSuh5nvoVpah/DUPz3R+BnvXtMW4fAZdISTbsOzkOET
4Ig64Gv4iovq7NcJN3lEjR7mckdO95jYOH5QWxbWBIGOWWpL3vFu0cGmYyEt9nO2
PXwq
-----END CERTIFICATE-----
ANOTHER_CERT
# The single trust anchor placed in the X509 store. Decoding the PEM shows a
# self-signed PromdmNETRootCAv1 (DC=net, DC=promdm) with basicConstraints
# CA:TRUE (critical), valid 2012-09-25 to 2032-09-25, signed with
# sha1WithRSAEncryption. A trust anchor's own signature is not checked by
# default, so the SHA-1 self-signature does not by itself affect verification.
# Nothing else is trusted and no CRL is loaded, so revocation is not checked.
ROOT_CA = OpenSSL::X509::Certificate.new <<-ROOT_CA
-----BEGIN CERTIFICATE-----
MIIDbTCCAlWgAwIBAgIQRLM6HUjK2Z1CptqnxVQ43TANBgkqhkiG9w0BAQUFADBJ
MRMwEQYKCZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGcHJvbWRtMRow
GAYDVQQDExFQcm9tZG1ORVRSb290Q0F2MTAeFw0xMjA5MjUwODI4MjZaFw0zMjA5
MjUwODM4MjVaMEkxEzARBgoJkiaJk/IsZAEZFgNuZXQxFjAUBgoJkiaJk/IsZAEZ
FgZwcm9tZG0xGjAYBgNVBAMTEVByb21kbU5FVFJvb3RDQXYxMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3jcn/g+KansIQ7uYDtX0D4OP01fULPTH3tKd
waqSH7HXHPo5+iKr29XZQLkNgi8Z/dVVYSs/BJdVAnUl3+6SwKRWS0L3NR8idhNv
x1IZncx2sie1PzddYKTM8CM9kc6JwG9TSFEKhjqv8WhBtUAgf4We4RoaZcz5JhVt
53o4t/dE3cMk8XDvLTGImvcNGAywZJWgNxcae8M0RPWlmJGpNDaXubwV6yEls01h
uDtkWBaCtKEA2+331D9mAYuKU+eaGYTti6uO+ayQcFo3TnCFwZcnLm+6Hpn7afzj
eWnIL7SY8zFjfeMkHkmlliCtS/H3O26QgqGwmYOMntI3t9EWQQIDAQABo1EwTzAL
BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUOkBhIRg6S6co
oasjqbukaO4MErkwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEB
AM7uDq/DrriCXN7zxB8aY7AeSn36iabIg7VC4CiJTWbOH3j5I/tlCR4faFMvd4ZO
K9QN2cESQwX8l5qXJZ2cSHdl7L28pzpO4CVbahc+XDSb3wIZWCFjEWx2WnF9FRlM
u7Opgc+0MKjzQ6E2M3eMIHLjGrBrqIIzgOG3sVkHVd20oCfDFj5xWSxAodYdW0aB
kGUdwAbKZj90DUcf1XVRnNR0M3DvLL+7bIzVPV01BtsyV77eczNtfFqSkB3St/6n
9z/wI0saPVo0zDvtL2cEPrET+vvqCjw6JYOtWqwmV0Mr37P2RzXhmcFSQ83zDOkA
qPer4NMDOoctq0J5HT+L2Qo=
-----END CERTIFICATE-----
ROOT_CA
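class OpenSSL::TestPKCS7 < Test::Unit::TestCase
  # TODO
  # add test_pkcs7_verify to https://github.com/ruby/ruby/blob/ruby_2_2/test/openssl/test_pkcs7.rb

  # Flags applied to every OpenSSL::PKCS7#verify call in this test.
  #
  # NOINTERN - certificates carried inside the message are NOT searched when
  #   locating the signer's certificate; the signer cert has to be in the
  #   +certs+ argument of #verify. This pins the acceptable signer instead of
  #   trusting whatever certificate the sender chose to embed.
  # NOCHAIN  - certificates carried inside the message are NOT used as
  #   untrusted intermediates; every CA above the signer cert must already be
  #   in the trusted store. With a store that holds only ROOT_CA this means
  #   the signer cert has to be verifiable against ROOT_CA alone.
  #
  # See https://www.openssl.org/docs/man3.0/man3/PKCS7_verify.html
  VERIFY_FLAGS = OpenSSL::PKCS7::NOINTERN | OpenSSL::PKCS7::NOCHAIN

  # Verifies the detached PKCS#7 signature SIGNATURE_BASE64 over BODY.
  #
  # Positive case: the signer cert is supplied explicitly and chains to ROOT_CA.
  # Negative cases: a different cert from the same CA, and tampered content.
  # Note that the two ANOTHER_CERT cases fail because the signer cannot be
  # *located* (issuer/serial mismatch under NOINTERN), not because a digest
  # was compared; only the last case exercises the digest check.
  #
  # Caveats for anyone reusing this pattern:
  # * The store carries no CRL, so a revoked signer certificate still verifies.
  # * Validity periods are checked against the wall clock (store.time is not
  #   set), so the positive case starts failing once TRUSTED_CERT expires.
  # * #verify can raise OpenSSL::PKCS7::PKCS7Error for malformed input rather
  #   than returning false; callers must treat both outcomes as failure.
  def test_pkcs7_verify
    store = trusted_store

    p7 = signed_message
    assert_true p7.verify([TRUSTED_CERT], store, BODY, VERIFY_FLAGS)
    # After a successful verify #data holds the content that was actually
    # checked against the signature.
    assert_equal BODY, p7.data

    assert_false signed_message.verify([ANOTHER_CERT], store, BODY, VERIFY_FLAGS)
    assert_false signed_message.verify([ANOTHER_CERT], store, "foo", VERIFY_FLAGS)

    # Right signer, tampered content: the message digest no longer matches.
    assert_false signed_message.verify([TRUSTED_CERT], store, "bar", VERIFY_FLAGS)
  end

  private

  # A fresh PKCS7 object for each verification, so state that #verify leaves
  # on the object (#data, #error_string) cannot carry over between cases.
  def signed_message
    OpenSSL::PKCS7.new(Base64.decode64(SIGNATURE_BASE64))
  end

  # Trust store holding only ROOT_CA; no intermediates and no CRLs are
  # available for chain building.
  def trusted_store
    OpenSSL::X509::Store.new.tap { |s| s.add_cert(ROOT_CA) }
  end
end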