<div dir="ltr"><div class="gmail_quote">On 7 July 2011 17:57, Dov Grobgeld <span dir="ltr"><<a href="mailto:dov.grobgeld@gmail.com">dov.grobgeld@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div dir="ltr">There are three documents available on the page that Arie linked to. The whole idea of proving a signature through a closed source program is imho quite absurd. Why didn't they use GPG signatures or some other public format? Also, isn't the xml malformed in that it does not contain a pointer to its metaformat (forgot what it is called)?<br>
</div></blockquote><div><br>I agree about the stupidity of not using standard tools, or at least documenting the format used.<br>I don't think that GPG is a good solution for this situation, though. S/MIME and certificates which can be verified against known Certificate Authorities are more suitable for this.<br>
<br>I managed to extract the signed ZIP file and the signing certificate from the XML file with an XML editor.<br>The file, signing certificate and signature are contained inside the XML encoded in base64.<br><br>Here is what I got so far:<br>
<br>$ openssl x509 -text -inform DER -in cert.x509<br>Certificate:<br> Data:<br> Version: 3 (0x2)<br> Serial Number:<br> 6b:2f:96:bb:00:00:00:01:4a:c1<br> Signature Algorithm: sha1WithRSAEncryption<br>
Issuer: C=IL, O=Government Of Israel, CN=TAMUZ - Employee CA<br> Validity<br> Not Before: Jul 7 11:17:24 2010 GMT<br> Not After : Jun 21 11:17:24 2013 GMT<br> Subject: C=IL, O=Gov, OU=moch, CN=Forshtat Adina ID_004471157<br>
Subject Public Key Info:<br> Public Key Algorithm: rsaEncryption<br> RSA Public Key: (1024 bit)<br> Modulus (1024 bit):<br> 00:8f:4f:cd:63:f5:19:83:15:77:57:e3:fe:43:37:<br>
c2:b9:02:28:93:b2:b6:8b:4a:b7:03:0f:dc:52:1e:<br> cf:90:67:cb:1c:73:ea:78:1d:99:0b:fe:7b:0b:54:<br> c8:fa:aa:3d:eb:9f:6a:a4:d7:24:0c:32:ac:cb:42:<br> 2a:4d:58:16:a6:59:a6:9c:3b:2a:43:ff:15:12:ae:<br>
76:49:1f:4d:9f:d2:e1:81:d1:86:5c:7d:72:58:24:<br> 5a:d3:07:0a:8a:c7:2d:2f:71:45:2c:34:a0:23:51:<br> 0c:a1:08:56:ee:46:b5:7c:62:6e:18:8d:77:87:9f:<br> d7:6e:d1:ba:04:79:71:9f:67<br>
Exponent: 1401475561 (0x5388d1e9)<br> X509v3 extensions:<br> X509v3 Key Usage: <br> Digital Signature, Key Encipherment<br> X509v3 Subject Key Identifier: <br> 62:32:FD:46:B2:6B:0A:1B:B8:F8:FC:E6:15:DF:D1:A9:B9:51:42:3E<br>
X509v3 Authority Key Identifier: <br> keyid:9C:97:AF:2B:AB:1C:13:51:00:2D:5D:DD:3B:FD:33:35:5B:EF:45:DC<br><br> X509v3 CRL Distribution Points: <br> URI:<a href="http://crl.tamuz.gov.il/public/tamuzEmp.crl">http://crl.tamuz.gov.il/public/tamuzEmp.crl</a><br>
URI:<a href="http://cdp.smartcard.gov.il/crl/tamuzemp.crl">http://cdp.smartcard.gov.il/crl/tamuzemp.crl</a><br><br> Authority Information Access: <br> CA Issuers - URI:<a href="http://crl.tamuz.gov.il/public/tamuzemp.cer">http://crl.tamuz.gov.il/public/tamuzemp.cer</a><br>
CA Issuers - URI:<a href="http://cdp.smartcard.gov.il/aia/tamuzemp.cer">http://cdp.smartcard.gov.il/aia/tamuzemp.cer</a><br> OCSP - URI:<a href="http://ocsp.tamuz.gov.il/ocsp">http://ocsp.tamuz.gov.il/ocsp</a><br>
<br> X509v3 Subject Alternative Name: <br> othername:<unsupported>, <a href="mailto:email%3AAdinaf@moch.gov.il">email:Adinaf@moch.gov.il</a><br> 1.3.6.1.4.1.311.21.7: <br> 0,.$+.....7....C..."......9...%a...4...B..d...<br>
X509v3 Extended Key Usage: <br> Microsoft Smartcardlogin, E-mail Protection, TLS Web Client Authentication<br> 1.3.6.1.4.1.311.21.10: <br> 0&0..<br>+.....7...0<br>
..+.......0<br>
..+.......<br> Signature Algorithm: sha1WithRSAEncryption<br> 83:fb:b7:5b:39:fe:d1:05:ae:76:da:f4:59:c2:3d:db:9c:33:<br> c5:b0:cb:a6:81:43:ce:3f:c2:41:d6:26:3d:f9:f4:9b:44:bf:<br> a3:e5:e2:55:9c:6f:68:d9:31:71:8e:ed:54:80:c2:6d:72:8d:<br>
0b:b8:b3:0a:82:af:b1:67:4b:00:01:00:a3:02:0b:db:cf:a8:<br> 3a:a3:a1:61:03:f3:a5:bf:67:1a:d4:e7:99:cd:f5:5d:87:bc:<br> 42:b7:ef:3c:a4:50:12:a8:89:78:cd:1e:4b:a3:04:6e:99:9e:<br> 01:59:a4:3f:e9:44:90:48:8a:4f:07:a1:83:63:74:64:03:0a:<br>
c1:d4:a0:00:40:2b:e0:a1:f2:a3:d9:2c:0e:1e:1c:c5:f8:a1:<br> 3f:3b:2c:b2:87:11:14:1e:6c:be:f8:7a:17:69:9a:08:64:d0:<br> 11:c8:92:0d:13:3b:1a:2a:27:5b:04:00:dc:ab:36:4b:dd:9a:<br> 9a:97:95:98:81:68:20:bd:82:d5:37:6a:03:c8:ab:10:f2:b0:<br>
b6:dc:06:9f:56:79:ca:37:56:a4:d5:89:1f:04:ae:6e:9e:89:<br> e5:23:78:41:d9:b7:4d:ab:ee:29:e8:27:88:b5:24:bc:9b:e3:<br> 5b:2d:8c:69:cd:ef:75:a8:bb:f9:8b:9f:8e:a1:6e:e2:0f:25:<br> 8b:2e:37:f0<br>
<br>I can also read the zip file using unzip:<br><br>$ unzip -l zip-file.zip <br>Archive: zip-file.zip<br> Length Date Time Name<br>--------- ---------- ----- ----<br> 0 2011-07-04 08:35 ???? ?????????? 10512-11/<br>
38346 2011-07-04 08:32 ???? ?????????? 10512-11/???????? ???????????? 10512-11.pdf<br>--------- -------<br> 38346 2 files<br><br>I didn't manage to get unzip to output the file names in different encoding.<br>
<br>I also extracted the signature.<br><br>So far I failed to find the right incantation to verify the zip file with the signature using openssl command line.<br><br>I think they are loosely following S/MIME in their own peculiar way.<br>
<br>It should be possible to script something to verify the signature using openssl and unzip, IMHO.<br><br>If anyone wants the files I got so far to work on then drop me a line.<br><br>--Amos<br><br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div dir="ltr">
<br>Regards,<br><font color="#888888">Dov</font><div><div></div><div class="h5"><br><br><div class="gmail_quote">2011/7/7 Amos Shapira <span dir="ltr"><<a href="mailto:amos.shapira@gmail.com" target="_blank">amos.shapira@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Can you provide a link or attach a sample of such a document?<br><br><div class="gmail_quote"><div><div></div><div>2011/7/7 Arie Skliarouk <span dir="ltr"><<a href="mailto:skliarie@gmail.com" target="_blank">skliarie@gmail.com</a>></span><br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div></div><div><div dir="ltr">Hi,<br><br>The government tenders publishing site <a href="http://www.mr.gov.il" target="_blank">http://www.mr.gov.il</a> signs documents on the site. They provide a Windows program to verify the signature of the documents:<br>
<a href="http://www.mr.gov.il/Purchasing/Templates/Purchasing/TendersSearch/Display_SingleTenderY.aspx?idmichraz=523481&sourceid=1" target="_blank">http://www.mr.gov.il/Purchasing/Templates/Purchasing/TendersSearch/Display_SingleTenderY.aspx?idmichraz=523481&sourceid=1</a><br>
<br>Does anyone know whether it is some standards-based format or a homegrown one?<br><br>If it is the latter, what is the best strategy to complain about the fact?<br><br clear="all">--<br>Arie<br><br>
</div>
<br></div></div>_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il" target="_blank">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div><br></div></div></div>
</blockquote></div><br></div>
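One way to script what Amos describes above (pull the base64 parts out of the XML, list the ZIP with its Hebrew entry names recovered, and try the plainest openssl verification), written as an added example and not code from the thread: the XML element names, the cp862 code page and the raw-RSA-over-ZIP signature layout are all assumptions, since the thread shows none of them.

```python
import base64, io, subprocess, tempfile, zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

TAGS = {"zip": "Document", "cert": "Certificate", "sig": "Signature"}  # ASSUMED names

def extract_parts(xml_text):
    """Return {'zip', 'cert', 'sig'} -> raw bytes, base64-decoded from the XML."""
    root, parts = ET.fromstring(xml_text), {}
    for key, tag in TAGS.items():
        node = root.find(f".//{tag}")
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing or empty <{tag}>")
        parts[key] = base64.b64decode("".join(node.text.split()), validate=True)
    return parts

def zip_names(zip_bytes, oem_codepage="cp862"):
    """Names without the ZIP UTF-8 flag are read back as cp437 (unzip's '????');
    re-decode them with the Hebrew DOS code page (cp862 assumed; else try cp1255)."""
    def fix(name):
        try:
            return name.encode("cp437").decode(oem_codepage)
        except UnicodeError:
            return name  # not cp437 mojibake (e.g. a UTF-8-flagged name): keep it
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [fix(n) for n in zf.namelist()]

def verify_with_openssl(parts, digest="sha1"):
    """Simplest hypothesis (an ASSUMPTION): a raw RSA signature over the ZIP bytes,
    checked with the openssl CLI; True only if openssl reports 'Verified OK'."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for k in ("zip", "cert", "sig"):
            (d / k).write_bytes(parts[k])
        (d / "pub.pem").write_bytes(subprocess.run(  # public key from the signer's cert
            ["openssl", "x509", "-inform", "DER", "-in", d / "cert", "-pubkey", "-noout"],
            capture_output=True, check=True).stdout)
        res = subprocess.run(["openssl", "dgst", f"-{digest}", "-verify", d / "pub.pem",
                              "-signature", d / "sig", d / "zip"], capture_output=True)
        return res.returncode == 0

def sample_xml():
    """Constructed stand-in for the real XML (dummy cert and signature); the entry
    name is the cp437 mojibake zipfile reads back from a cp862-named archive."""
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("מכרז 10512-11.pdf".encode("cp862").decode("cp437"), b"%PDF-1.4 sample\n")
    b64 = lambda b: base64.b64encode(b).decode()
    return (f"<SignedDocument><Document>{b64(buf.getvalue())}</Document>"
            f"<Certificate>{b64(b'DUMMY-CERT')}</Certificate>"
            f"<Signature>{b64(b'DUMMY-SIG')}</Signature></SignedDocument>")
```

If the signature blob turns out to be DER CMS/PKCS#7 rather than a bare RSA signature, the equivalent check is `openssl smime -verify -inform DER -in sig -content zip -CAfile <chain>`. Either way, "Verified OK" only means something once the signer certificate chains to a CA you trust and has been checked against the CRL/OCSP endpoints it lists.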