使用 Mimekit 進行數字簽名驗證失敗

Question

我們正在嘗試使用 MimeKit 來驗證數字簽名的電子郵件 (.p7m) 簽名。 當我調用signature.Verify(); 它拋出錯誤消息：

{“無法驗證數字簽名：需要非空集\\r\\n參數名稱：值”}。

但同樣的郵件被 Limilabs.Mail 成功驗證。

我正在使用下面的代碼來驗證簽名。

if (message.Body is MultipartSigned)
{
    var signed = (MultipartSigned)message.Body;
    foreach (var signature in signed.Verify())
    {
        try
        {
            bool valid = signature.Verify();

            // If valid is true, then it signifies that the signed content
            // has not been modified since this particular signer signed the
            // content.
            // However, if it is false, then it indicates that the signed
            // content has been modified.
        }
        catch (DigitalSignatureVerifyException)
        {
            // There was an error verifying the signature.
        }
    }
}

任何人都可以幫助我解決為什么我收到錯誤？

Answer 1

這里的問題是，默認情況下，當開發人員沒有明確提供用於MultipartSigned.Verify()方法調用的上下文並且也沒有注冊替代 S/MIME 時，MimeKit 默認使用DefaultSecureMimeContext后端使用CryptographyContext.Register()上下文。

由於DefaultSecureMimeContext以一個空的 S/MIME 證書數據庫開始，因此它沒有受信任的錨點（又名根證書頒發機構證書），因此在它為 S/MIME 簽名者構建證書鏈時拋出您看到的異常驗證簽名。

您可以通過導入一些根證書頒發機構證書（最好包括為所述簽名者構建證書鏈所需的證書）或使用WindowsSecureMimeContext來解決此問題：

if (message.Body is MultipartSigned)
{
    var signed = (MultipartSigned)message.Body;

    using (var ctx = new WindowsSecureMimeContext ()) {
        foreach (var signature in signed.Verify(ctx))
        {
            try
            {
                bool valid = signature.Verify();

                // If valid is true, then it signifies that the signed content
                // has not been modified since this particular signer signed the
                // content.
                // However, if it is false, then it indicates that the signed
                // content has been modified.
            }
            catch (DigitalSignatureVerifyException)
            {
                // There was an error verifying the signature.
            }
        }
    }
}