Imagine, I have multiple detached signatures of some binary file and they stored in different .sig files. When somebody modifies file, all signatures will become invalid.
For xml an enveloped signature is widely used. Cheking it is more difficult - one have to extract last ds:Signature element, check signature, remove the last element and check current last ds:Signature element and so on. But XML modification anyway will break the last signature, why I have to check others?
The only explanation - each ds:Signature or PKCS7-signature contains public key certificate with information about signer, key validity period, information for revoke-checking. Usually, verification process is not only checking hashes, but providing information about signer and this is the only reason for iterate over all signarures, am I right?
So, when I want to verify multiple signed file and provide info about signers can I make small optimization - exract info for all signatures but perform hash checking only in one randomly chosen signature?
One more question - how store multiple PKCS7 signatures in one file? I'm using bouncycastle Java library. Does it have some method to concatenate signatures and extract them from one file? I don't want to manually store all signatures in one .sig file, care about signature delimiter, is is available in bouncy castle out of the box?
Aucun commentaire:
Enregistrer un commentaire