On 8 July 2011 12:25, Amos Shapira <[email protected]> wrote:

> On 7 July 2011 17:57, Dov Grobgeld <[email protected]> wrote:
>
>> There are three documents available on the page that Arie linked to. The
>> whole idea of proving a signature through a closed source program is imho
>> quite absurd. Why didn't they use GPG signatures or some other public
>> format? Also, isn't the xml malformed in that it does not contain a pointer
>> to its metaformat (forgot what it is called)?
>>
>
> I agree about the stupidity of not using standard tools, or at least
> documenting the format used.
> I don't think that GPG is a good solution for this situation, though.
> S/MIME and certificates which can be verified against known Certificate
> Authorities are more suitable for this.
>
> I managed to extract the signed ZIP file and the signing certificate from
> the XML file with an XML editor.
> The file, signing certificate and signature are contained inside the XML
> encoded in base64.
>
Actually I just noticed that the XML file contains reference to "xmldgst",
which a quick google points to:
http://www.w3.org/TR/xmldsig-core/

--Amos

>
> Here is what I got so far:
>
> $ openssl x509 -text -inform DER -in cert.x509
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             6b:2f:96:bb:00:00:00:01:4a:c1
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=IL, O=Government Of Israel, CN=TAMUZ - Employee CA
>         Validity
>             Not Before: Jul 7 11:17:24 2010 GMT
>             Not After : Jun 21 11:17:24 2013 GMT
>         Subject: C=IL, O=Gov, OU=moch, CN=Forshtat Adina ID_004471157
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:8f:4f:cd:63:f5:19:83:15:77:57:e3:fe:43:37:
>                     c2:b9:02:28:93:b2:b6:8b:4a:b7:03:0f:dc:52:1e:
>                     cf:90:67:cb:1c:73:ea:78:1d:99:0b:fe:7b:0b:54:
>                     c8:fa:aa:3d:eb:9f:6a:a4:d7:24:0c:32:ac:cb:42:
>                     2a:4d:58:16:a6:59:a6:9c:3b:2a:43:ff:15:12:ae:
>                     76:49:1f:4d:9f:d2:e1:81:d1:86:5c:7d:72:58:24:
>                     5a:d3:07:0a:8a:c7:2d:2f:71:45:2c:34:a0:23:51:
>                     0c:a1:08:56:ee:46:b5:7c:62:6e:18:8d:77:87:9f:
>                     d7:6e:d1:ba:04:79:71:9f:67
>                 Exponent: 1401475561 (0x5388d1e9)
>         X509v3 extensions:
>             X509v3 Key Usage:
>                 Digital Signature, Key Encipherment
>             X509v3 Subject Key Identifier:
>                 62:32:FD:46:B2:6B:0A:1B:B8:F8:FC:E6:15:DF:D1:A9:B9:51:42:3E
>             X509v3 Authority Key Identifier:
>                 keyid:9C:97:AF:2B:AB:1C:13:51:00:2D:5D:DD:3B:FD:33:35:5B:EF:45:DC
>
>             X509v3 CRL Distribution Points:
>                 URI:http://crl.tamuz.gov.il/public/tamuzEmp.crl
>                 URI:http://cdp.smartcard.gov.il/crl/tamuzemp.crl
>
>             Authority Information Access:
>                 CA Issuers - URI:http://crl.tamuz.gov.il/public/tamuzemp.cer
>                 CA Issuers - URI:http://cdp.smartcard.gov.il/aia/tamuzemp.cer
>                 OCSP - URI:http://ocsp.tamuz.gov.il/ocsp
>
>             X509v3 Subject Alternative Name:
>                 othername:<unsupported>, email:[email protected]
>             1.3.6.1.4.1.311.21.7:
>                 0,.$+.....7....C..."......9...%a...4...B..d...
>             X509v3 Extended Key Usage:
>                 Microsoft Smartcardlogin, E-mail Protection, TLS Web Client Authentication
>             1.3.6.1.4.1.311.21.10:
>                 0&0..
> +.....7...0
> ..+.......0
> ..+.......
>     Signature Algorithm: sha1WithRSAEncryption
>         83:fb:b7:5b:39:fe:d1:05:ae:76:da:f4:59:c2:3d:db:9c:33:
>         c5:b0:cb:a6:81:43:ce:3f:c2:41:d6:26:3d:f9:f4:9b:44:bf:
>         a3:e5:e2:55:9c:6f:68:d9:31:71:8e:ed:54:80:c2:6d:72:8d:
>         0b:b8:b3:0a:82:af:b1:67:4b:00:01:00:a3:02:0b:db:cf:a8:
>         3a:a3:a1:61:03:f3:a5:bf:67:1a:d4:e7:99:cd:f5:5d:87:bc:
>         42:b7:ef:3c:a4:50:12:a8:89:78:cd:1e:4b:a3:04:6e:99:9e:
>         01:59:a4:3f:e9:44:90:48:8a:4f:07:a1:83:63:74:64:03:0a:
>         c1:d4:a0:00:40:2b:e0:a1:f2:a3:d9:2c:0e:1e:1c:c5:f8:a1:
>         3f:3b:2c:b2:87:11:14:1e:6c:be:f8:7a:17:69:9a:08:64:d0:
>         11:c8:92:0d:13:3b:1a:2a:27:5b:04:00:dc:ab:36:4b:dd:9a:
>         9a:97:95:98:81:68:20:bd:82:d5:37:6a:03:c8:ab:10:f2:b0:
>         b6:dc:06:9f:56:79:ca:37:56:a4:d5:89:1f:04:ae:6e:9e:89:
>         e5:23:78:41:d9:b7:4d:ab:ee:29:e8:27:88:b5:24:bc:9b:e3:
>         5b:2d:8c:69:cd:ef:75:a8:bb:f9:8b:9f:8e:a1:6e:e2:0f:25:
>         8b:2e:37:f0
>
> I can also read the zip file using unzip:
>
> $ unzip -l zip-file.zip
> Archive:  zip-file.zip
>   Length      Date    Time    Name
> ---------  ---------- -----   ----
>         0  2011-07-04 08:35   ???? ?????????? 10512-11/
>     38346  2011-07-04 08:32   ???? ?????????? 10512-11/???????? ???????????? 10512-11.pdf
> ---------                     -------
>     38346                     2 files
>
> I didn't manage to get unzip to output the file names in different
> encoding.
>
> I also extracted the signature.
>
> So far I failed to find the right incantation to verify the zip file with
> the signature using openssl command line.
>
> I think they are loosely following S/MIME in their own peculiar way.
>
> It should be possible to script something to verify the signature using
> openssl and unzip, IMHO.
>
> If anyone wants the files I got so far to work on then drop me a line.
>
> --Amos
>
>
>> Regards,
>> Dov
>>
>>
>> 2011/7/7 Amos Shapira <[email protected]>
>>
>>> Can you provide a link or attach a sample of such a document?
>>>
>>> 2011/7/7 Arie Skliarouk <[email protected]>
>>>
>>>> Hi,
>>>>
>>>> The government tenders publishing site http://www.mr.gov.il signs
>>>> documents on the site. They provide a Windows program to verify the
>>>> signature of the documents:
>>>>
>>>> http://www.mr.gov.il/Purchasing/Templates/Purchasing/TendersSearch/Display_SingleTenderY.aspx?idmichraz=523481&sourceid=1
>>>>
>>>> Does anyone know whether it is some standards-based format or a homegrown
>>>> one?
>>>>
>>>> If it is the latter, what is the best strategy to complain about the fact?
>>>>
>>>> --
>>>> Arie
>>>>
>>>>
>>>> _______________________________________________
>>>> Linux-il mailing list
>>>> [email protected]
>>>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>>>>
>>>>
>>>
>>
>
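When the right `openssl` incantation is not obvious, a useful diagnostic is to apply the certificate's public key to the extracted signature and see which digest it actually covers, then compare that with the digests of the candidate inputs. The following is an added example, not part of the thread or of the site's tooling: it assumes an RSA PKCS#1 v1.5 signature (the thread does not establish this), takes `n` and `e` as the integers shown in the Modulus and Exponent fields of the `openssl x509 -text` output, and runs on a constructed toy key and stand-in byte strings; all function names are hypothetical.

```python
import hashlib

# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2).
PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def recover_signed_digest(sig: bytes, n: int, e: int):
    """Apply the RSA public operation, check padding, return (hash_name, digest)."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise ValueError("signature does not fit this modulus")
    em = pow(s, e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    # Expected layout: 00 01 FF..FF (at least 8 bytes) 00 DigestInfo
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("not a PKCS#1 v1.5 signature under this key")
    info = em[sep + 1:]
    for name, prefix in PREFIX.items():
        size = hashlib.new(name).digest_size
        if info.startswith(prefix) and len(info) == len(prefix) + size:
            return name, info[len(prefix):]
    raise ValueError("unrecognised DigestInfo")

def find_signed_input(sig, n, e, candidates):
    """Return the label of the candidate byte string the signature covers, or None."""
    name, digest = recover_signed_digest(sig, n, e)
    for label, data in candidates.items():
        if hashlib.new(name, data).digest() == digest:
            return label
    return None

# Constructed demo data: toy key built from two Mersenne primes (not secure).
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N, D = P * Q, pow(65537, -1, (P - 1) * (Q - 1))

def toy_sign_sha1(data: bytes) -> bytes:
    k = (N.bit_length() + 7) // 8
    t = PREFIX["sha1"] + hashlib.sha1(data).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")

CANDIDATES = {
    "zip-file.zip": b"PK\x03\x04 constructed stand-in for the ZIP bytes",
    "SignedInfo": b"<SignedInfo>constructed stand-in</SignedInfo>",
}
SIG = toy_sign_sha1(CANDIDATES["SignedInfo"])
```

The demo signs the `SignedInfo` stand-in because, if the file does follow XML-DSig, the signature value is computed over the canonicalized `SignedInfo` element rather than over the referenced data, so hashing the ZIP alone would not match.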
