I found that when I call `OpenSSL::PKCS7#verify`, `verify` returns false if the data to be verified contains a newline:
```ruby
require 'openssl'

def test(data)
  store = OpenSSL::X509::Store.new
  signed = OpenSSL::PKCS7.sign(@cert, @key, data).to_der
  pkcs7 = OpenSSL::PKCS7.new(signed)
  valid = pkcs7.verify(pkcs7.certificates, store, data, OpenSSL::PKCS7::NOVERIFY)
end

@key = OpenSSL::PKey::RSA.new 2048
@cert = OpenSSL::X509::Certificate.new
@cert.serial = 0
@cert.public_key = @key.public_key
@cert.not_before = Time.now
@cert.not_after = Time.now + 2**12
@cert.sign @key, OpenSSL::Digest.new('SHA256')

test("foo") # => true
test("foo\n") # => false
```
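(I even used the `NOVERIFY` flag in the function call!)

Why does the presence of a newline change the behavior? It has this effect no matter where in the data string I put the newline. How can I verify the signature if the input string contains a newline?

This is Ruby 2.6.8p205.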
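
As an added example (not part of the original post): unless `OpenSSL::PKCS7::BINARY` is passed, `OpenSSL::PKCS7.sign` converts the content to S/MIME canonical form, turning each `\n` into `\r\n`, so the bytes that were signed no longer match a caller-supplied `"foo\n"`. The key, certificate name and helper names below are constructed for the demonstration.

```ruby
require 'openssl'

# Constructed throwaway key and self-signed certificate (the name is made up).
KEY  = OpenSSL::PKey::RSA.new(2048)
NAME = OpenSSL::X509::Name.parse('/CN=pkcs7-newline-demo')
CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.version    = 2
  c.serial     = 1
  c.subject    = NAME
  c.issuer     = NAME
  c.public_key = KEY.public_key
  c.not_before = Time.now - 60
  c.not_after  = Time.now + 3600
  c.sign(KEY, OpenSSL::Digest.new('SHA256'))
end

# Sign `data` with the given flags, round-trip through DER, return the PKCS7 object.
def signed_p7(data, sign_flags)
  der = OpenSSL::PKCS7.sign(CERT, KEY, data, nil, sign_flags).to_der
  OpenSSL::PKCS7.new(der)
end

# Verify against caller-supplied content, as the code in the question does.
# NOVERIFY skips only the certificate chain check; the content digest is still compared.
def verify_supplied(data, sign_flags, supplied = data)
  p7 = signed_p7(data, sign_flags)
  p7.verify(p7.certificates, OpenSSL::X509::Store.new, supplied,
            OpenSSL::PKCS7::NOVERIFY)
end

# Verify against the embedded content and return the bytes that were actually signed.
def embedded_content(data, sign_flags)
  p7 = signed_p7(data, sign_flags)
  ok = p7.verify(p7.certificates, OpenSSL::X509::Store.new, nil,
                 OpenSSL::PKCS7::NOVERIFY)
  ok ? p7.data : nil
end

DEFAULT = 0
BINARY  = OpenSSL::PKCS7::BINARY

puts "default flags, supplied LF:   #{verify_supplied("foo\n", DEFAULT)}"
puts "default flags, supplied CRLF: #{verify_supplied("foo\n", DEFAULT, "foo\r\n")}"
puts "BINARY flag,   supplied LF:   #{verify_supplied("foo\n", BINARY)}"
puts "embedded bytes (default):     #{embedded_content("foo\n", DEFAULT).inspect}"
puts "embedded bytes (BINARY):      #{embedded_content("foo\n", BINARY).inspect}"
```

Signing with `BINARY` is the choice for arbitrary byte strings; passing `nil` as the content to `verify` checks the signature over the embedded bytes and exposes them through `data`.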