如何使用M2Crypto从PKCS7信封中获取签名内容? [英] How to get the signed content from a PKCS7 envelop with M2Crypto?

问题描述

我需要获取PKCS#7信封的摘要以进行手动检查.

I need to get the digest of a PKCS#7 envelop to manually check it.

通常，当您要验证pkcs#7信封的签名时，您可以这样做:

Usually when you want to validate the signature of a pkcs#7 envelop you do that:

from M2Crypto import SMIME, X509, BIO

sm_obj = SMIME.SMIME()
x509 = X509.load_cert(join(PATH, 'QualifiedChain.crt'))
sk = X509.X509_Stack()
sk.push(x509)
sm_obj.set_x509_stack(sk)

st = X509.X509_Store()

st.load_info(join(PATH, 'QualifiedChain.crt'))

sm_obj.set_x509_store(st)

# re-wrap signature so that it fits base64 standards
cooked_sig = '\n'.join(raw_sig[pos:pos + 76] for pos in
                       xrange(0, len(raw_sig), 76))

# now, wrap the signature in a PKCS7 block
sig = "-----BEGIN PKCS7-----\n%s\n-----END PKCS7-----\n" % cooked_sig


# and load it into an SMIME p7 object through the BIO I/O buffer:
buf = BIO.MemoryBuffer(sig)
p7 = SMIME.load_pkcs7_bio(buf)

signers = p7.get0_signers(sk)
certificat = signers[0]
data_bio = BIO.MemoryBuffer(MSG)
sm_obj.verify(p7, data_bio)  # This is the line that count.

但是在我的情况下，摘要类型为md5sha1，openssl无法识别该类型:

But in my case, the digest type is md5sha1 that is not recognized by openssl:

$ openssl list-message-digest-commands
md4
md5
rmd160
sha
sha1

我需要做些什么来获取pkcs#7 signatureContent并手动检查它.

What I need to do I to get the pkcs#7 signedContent and to manually check it.

我需要的是等效于org.bouncycastle.cms.CMSSignedDataParser的Python.

What I need is a Python equivalent to org.bouncycastle.cms.CMSSignedDataParser.

如何获取摘要以能够手动验证它而不必使用sm_obj.verify?

How can I get the digest to be able to validate it manually without having to use sm_obj.verify?

推荐答案

PKCS7具有SignerInfos的集合.每个SignerInfo可能具有不同的消息摘要算法.

A PKCS7 has a collection of SignerInfos. Each SignerInfo may have a different Message Digest Algorithm.

请参见 https://github.com/erny/pyx509 .这需要pyasn1和pyasn1-modules.

See https://github.com/erny/pyx509. This needs pyasn1 and pyasn1-modules.

./pkcs_parse <pkcs7 signature in DER format>

这将提取每个签署者信息的摘要算法.

This extracts the digest algorithm for each Signer Info.

这篇关于如何使用M2Crypto从PKCS7信封中获取签名内容?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！