Updated: 2025-12-08 GMT+08:00

Verifying the Integrity of the Database Basic Information Collector Package

This section describes how to verify the integrity of the database basic information collector package by checking its CMS digital signature before you install it.

Windows version

  1. Log in to the Windows host on which the offline collector will be installed as the Administrator user.
  2. Download and install OpenSSL v3.2.6 or later.
  3. Download the root CA certificate (Huawei Software Integrity Protection Root CA.der) from the Huawei Cloud Support website to the local host.
  4. On the MgC console, open the Migration Center Agent page and the Collectors tab. In the "Database basic information collector" box, click "Download > Download installation package" and then "Download > Download CMS and CRL". Save the collector installer, the CMS file and the CRL file into one empty directory (for example C:\cmsVerify). The file names must match the figure below: the script in step 5 expects the installer as agent_collector_database_all_basic_info-2.0.0.zip, the signature as agent_collector_database_all_basic_info-2.0.0.zip.cms and the revocation list as agent_collector_database_all_basic_info-2.0.0.zip.cms.crl.

  5. Create the file C:\cmsVerify\verify.ps1 and copy the following content into it.

    $workDir = $args[0]
    $opensslBinPath = $args[1]

    function cmsVerify {
        Write-Host "workDir: $workDir"
        Write-Host "opensslBinPath: $opensslBinPath"
        $packageName = "agent_collector_database_all_basic_info-2.0.0.zip"
        $packageFilePath = Join-Path $workDir $packageName
        $cmsFilePath = "$packageFilePath.cms"
        $crlFilePath = "$packageFilePath.cms.crl"
        $rootCaFilePath = Join-Path $workDir "Huawei Software Integrity Protection Root CA.der"
        $tmpDir = "tmp_$(Get-Date -Format 'yyyyMMddHHmmss')"
        $fullTmpDir = Join-Path $workDir $tmpDir
        $opensslExePath = Join-Path $opensslBinPath "openssl.exe"
        New-Item -ItemType Directory -Path $fullTmpDir -Force | Out-Null
        Write-Host "tmpPath: $fullTmpDir"

        # get the signing time: asn1parse prints the ":signingTime" OID on one line and
        # the UTCTIME value (YYMMDDHHMMSSZ) two lines below it; the second OID match is used
        $asnOutput = & "$opensslExePath" asn1parse -inform DER -in $cmsFilePath
        $signingTimeLineNum = $asnOutput | Out-String -Stream | Select-String -Pattern ":signingTime" | Select-Object -Skip 1 -First 1 | ForEach-Object { $_.LineNumber }
        if (-not $signingTimeLineNum) {
            Write-Host "signingTime attribute not found in $cmsFilePath"
            return 1
        }
        $timeLineNum = $signingTimeLineNum + 2
        $originalTimeStr = ((($asnOutput | Select-Object -Index ($timeLineNum - 1)) -replace '\s+', '') -split ':UTCTIME:') | Select-Object -Skip 1 -First 1
        if (-not $originalTimeStr) {
            Write-Host "UTCTIME value not found below the signingTime attribute"
            return 1
        }
        $timeStr = $originalTimeStr.Trim()
        $year = [int]("20" + $timeStr.Substring(0, 2))
        $month = [int]($timeStr.Substring(2, 2))
        $day = [int]($timeStr.Substring(4, 2))
        $hour = [int]($timeStr.Substring(6, 2))
        $minute = [int]($timeStr.Substring(8, 2))
        $second = [int]($timeStr.Substring(10, 2))
        # UTCTIME is in UTC, so build the DateTime with Utc kind before converting it to a Unix timestamp
        $dateTime = New-Object DateTime ($year, $month, $day, $hour, $minute, $second, [DateTimeKind]::Utc)
        $signTimestamp = [int](New-Object DateTimeOffset $dateTime).ToUnixTimeSeconds()
        Write-Host "signTimestamp: $signTimestamp"

        # split the CRL file: it concatenates several DER CRLs, and asn1parse lists each
        # top-level structure with its offset, header length (hl=) and content length (l=)
        Write-Host "start handle crl file"
        $asn1ParseResult = & "$opensslExePath" asn1parse -in $crlFilePath -inform DER
        $crlBytes = [System.IO.File]::ReadAllBytes($crlFilePath)
        $handledLen = 0
        $crlPemPath = Join-Path $fullTmpDir "crl.pem"
        New-Item -Path $crlPemPath -ItemType File -Force | Out-Null
        for ($i = 1; $i -le 1000; $i++) {
            $fileHead = $asn1ParseResult | Select-String -Pattern "^\s*${handledLen}:d=.*" | Select-Object -First 1
            if (-not $fileHead) {
                Write-Host "crl file is end"
                break
            }
            Write-Host "find file head info: $fileHead"
            $headLen = [regex]::Match($fileHead, 'hl=(\d+)').Groups[1].Value
            $contLen = [regex]::Match($fileHead, '(?<!h)l=\s*(\d+)').Groups[1].Value
            $headLen = [int]$headLen
            $contLen = [int]$contLen
            $totalLen = $headLen + $contLen
            # extract this CRL fragment ...
            $tmpCrlPath = Join-Path $fullTmpDir "tmp.crl"
            $segment = $crlBytes[$handledLen..($handledLen + $totalLen - 1)]
            [System.IO.File]::WriteAllBytes($tmpCrlPath, $segment)
            # ... and convert it to PEM; fragments that are not CRLs are skipped
            & "$opensslExePath" crl -inform DER -in $tmpCrlPath -outform PEM -out "$fullTmpDir\tmp.pem" 2>$null
            if ($LASTEXITCODE -eq 0) {
                Get-Content "$fullTmpDir\tmp.pem" | Add-Content $crlPemPath
                Write-Host "convert to crl pem success!"
            } else {
                Write-Host "not crl format"
            }
            $handledLen += $totalLen
        }
        Write-Host "handle crl file finish"

        # convert the root CA from DER to PEM (.cer)
        $rootCaCerPath = Join-Path $fullTmpDir "rootCa.cer"
        & "$opensslExePath" x509 -inform der -in $rootCaFilePath -out $rootCaCerPath

        # verify the integrity of the software package against the detached CMS signature,
        # evaluated at the signing time, and write out the signer certificate chain
        Write-Host "start verify cms"
        $cmsVerifiedData = Join-Path $fullTmpDir "cmsVerifiedData"
        $cmsCertChain = Join-Path $fullTmpDir "cmsCertChain.pem"
        & "$opensslExePath" cms -verify -attime $signTimestamp -inform DER -in $cmsFilePath -content $packageFilePath -CAfile $rootCaCerPath -out $cmsVerifiedData -binary -purpose any -certsout $cmsCertChain
        if ($LASTEXITCODE -eq 0) {
            Write-Host "verify cms success!!!"
        } else {
            Write-Host "verify cms failed!!!"
            return 1
        }

        # verify the certificate chain against the root CA and the extracted CRLs;
        # Out-Host shows openssl's output without mixing it into the function's return value
        Write-Host "start verify cert chain"
        & "$opensslExePath" verify -attime $signTimestamp -crl_check -CAfile $rootCaCerPath -untrusted $cmsCertChain -CRLfile $crlPemPath $cmsCertChain | Out-Host
        if ($LASTEXITCODE -eq 0) {
            Write-Host "verify cert chain success!!!"
        } else {
            Write-Host "verify cert chain failed!!!"
            return 1
        }
        return 0
    }

    # the function's return value decides the outcome, not the exit code of the last openssl call
    $result = cmsVerify
    if ($result -eq 0) {
        Write-Host "verify success!!!" -ForegroundColor Green
    } else {
        Write-Host "verify failed!!!" -ForegroundColor Red
    }

  6. Open a PowerShell terminal and run the following command to verify the CMS signature. Replace the working directory and the OpenSSL installation path with the actual ones.

    C:\cmsVerify\verify.ps1 "C:\cmsVerify" "C:\OpenSSL-Win64\bin"

  7. If the last line of the output is "verify success!!!", the signature verification succeeded; otherwise it failed.
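The script above does two pieces of DER bookkeeping by scraping "openssl asn1parse" text: it reads the "hl=" and "l=" fields to cut the concatenated .cms.crl bundle into individual CRLs, and it pulls the UTCTIME value two lines below the signingTime OID to compute the -attime timestamp. The following added example (not part of this page or of Huawei's verify.ps1) shows the same two operations done directly on the DER bytes with the Python standard library, so that a practitioner can see what the offsets, header lengths and the YYMMDDHHMMSSZ value actually are. The sample CRL bundle and signedAttrs blob at the bottom are constructed here and are not real Huawei artifacts; the time conversion applies the RFC 5280 two-digit-year pivot (50-99 is 19xx) rather than the script's fixed "20" prefix, and computes the epoch in UTC, which is what UTCTime denotes.

```python
"""DER helpers for the two structures verify.ps1 inspects via asn1parse (added example)."""
import calendar
import re
from typing import Iterator, List, Optional, Tuple

SIGNING_TIME_OID = bytes.fromhex("2a864886f70d010905")  # id-signingTime 1.2.840.113549.1.9.5


def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Decode the tag and length at buf[pos]; return (tag, header_len, content_len)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509/CMS")
    first = buf[pos + 1]
    if first < 0x80:                       # short form: one length byte
        return tag, 2, first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def children(buf: bytes, start: int, end: int) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (tag, offset, header_len, content_len) for the sibling elements in buf[start:end]."""
    pos = start
    while pos < end:
        tag, hl, cl = read_tlv(buf, pos)
        if pos + hl + cl > end:
            raise ValueError(f"element at offset {pos} runs past its parent")
        yield tag, pos, hl, cl
        pos += hl + cl


def split_top_level(buf: bytes) -> List[Tuple[int, int, int]]:
    """(offset, hl, l) of every top-level structure in a file of concatenated DER objects,
    i.e. the numbers the script scrapes from asn1parse to slice the .cms.crl bundle."""
    return [(off, hl, cl) for _tag, off, hl, cl in children(buf, 0, len(buf))]


def find_signing_times(buf: bytes, start: int = 0, end: Optional[int] = None) -> List[str]:
    """Depth-first search for Attribute { OID signingTime, SET { UTCTime | GeneralizedTime } };
    returns every match in document order so the caller can choose which one to trust."""
    if end is None:
        end = len(buf)
    found: List[str] = []
    for tag, off, hl, cl in children(buf, start, end):
        body = (off + hl, off + hl + cl)
        if tag == 0x30:                    # SEQUENCE: candidate Attribute
            kids = list(children(buf, *body))
            if (len(kids) == 2 and kids[0][0] == 0x06 and kids[1][0] == 0x31
                    and buf[kids[0][1] + kids[0][2]:kids[0][1] + kids[0][2] + kids[0][3]] == SIGNING_TIME_OID):
                _, set_off, set_hl, set_cl = kids[1]
                values = list(children(buf, set_off + set_hl, set_off + set_hl + set_cl))
                if values and values[0][0] in (0x17, 0x18):   # UTCTime or GeneralizedTime
                    _, t_off, t_hl, t_cl = values[0]
                    found.append(buf[t_off + t_hl:t_off + t_hl + t_cl].decode("ascii"))
                    continue
        if tag & 0x20:                     # constructed element: descend
            found.extend(find_signing_times(buf, *body))
    return found


def utctime_to_epoch(value: str) -> int:
    """DER UTCTime 'YYMMDDHHMMSSZ' -> Unix seconds, in UTC (the value for openssl -attime)."""
    m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z", value)
    if not m:
        raise ValueError(f"not a DER UTCTime: {value!r}")
    yy, mo, d, h, mi, s = map(int, m.groups())
    year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 4.1.2.5.1 pivot
    return calendar.timegm((year, mo, d, h, mi, s, 0, 0, 0))


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_crl_bundle() -> bytes:
    """Constructed sample: two DER SEQUENCEs back to back, the first needing a long-form length."""
    return der(0x30, der(0x04, b"A" * 200)) + der(0x30, der(0x02, b"\x01"))


def sample_signed_attrs() -> bytes:
    """Constructed sample of signedAttrs [0] IMPLICIT SET: contentType, then signingTime."""
    content_type = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010903"))
                       + der(0x31, der(0x06, bytes.fromhex("2a864886f70d010701"))))
    signing_time = der(0x30, der(0x06, SIGNING_TIME_OID) + der(0x31, der(0x17, b"241201083000Z")))
    return der(0xA0, content_type + signing_time)


if __name__ == "__main__":
    for off, hl, cl in split_top_level(sample_crl_bundle()):
        print(f"{off}:d=0 hl={hl} l={cl}")           # same fields the script's regexes read
    for t in find_signing_times(sample_signed_attrs()):
        print("signingTime", t, "->", utctime_to_epoch(t))
```

Running the block prints one line per top-level structure in the sample bundle, in the same offset/hl/l form the script's regexes consume, followed by the sample signing time and its UTC epoch value. On a real bundle, slicing buf[off:off + hl + cl] for each tuple gives exactly the fragments the script hands to "openssl crl -inform DER".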