pyOpenSSL的PKCS7对象提供的信息很少，如何获取签名中公钥的sha1摘要 [英] pyOpenSSL's PKCS7 object provide very little information, how can I get the sha1 digest of the public key in the signature

问题描述

我想用Python解析android apk的CERT.RSA. 我知道可以用pyOpenSSL解析

I would like to parse android apk's CERT.RSA in Python. I know it can be parsed with pyOpenSSL

import OpenSSL

cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1， open('CERT.RSA'，'rb').read())

cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, open('CERT.RSA', 'rb').read())

cert = OpenSSL.crypto.load_pkcs7_data(type, buffer)

cert的类型为'OpenSSL.crypto.PKCS7'.

cert is of type 'OpenSSL.crypto.PKCS7'.

但是现在PKCS7对象不完整，我无法获取所需的属性，是否有其他方法可以解析该文件?

BUT right now PKCS7 object is not complete, I cannot get attributes I need, is there any alternative way to parse that file?

推荐答案

评论:我不知道是否可以将其转换为其他格式，以便对其进行解析

Comments: I don't know if there's a way to convert it to another format so it can be parsed

您可以使用openssl将PKCS#7转换为PEM，使用PyOpenSSL

You can convert PKCS#7 to PEM using openssl, PEM is readable using PyOpenSSL

openssl pkcs7 -print_certs -in sample.p7b -out sample.cer

---

问题:...如何获取签名中公钥的sha1摘要

Question: ... how can I get the sha1 digest of the public key in the signature

未实施，拉取请求自2015年以来一直处于停滞状态.
使用请求请求中的代码即可完成操作.

It's not implemented, the Pull Request stalles since 2015.
Useing the code from the Pull Request you can doit.

来自:GitHub pyca/pyopenssl: 用于pkcs#7证书，crl和数据#367的实现获取器

From: GitHub pyca/pyopenssl: implement getters for pkcs#7 certificates, crl's, and data #367

    def get_certificates(self):
        from OpenSSL.crypto import _lib, _ffi, X509
        """
        https://github.com/pyca/pyopenssl/pull/367/files#r67300900

        Returns all certificates for the PKCS7 structure, if present. Only
        objects of type ``signedData`` or ``signedAndEnvelopedData`` can embed
        certificates.

        :return: The certificates in the PKCS7, or :const:`None` if
            there are none.
        :rtype: :class:`tuple` of :class:`X509` or :const:`None`
        """
        certs = _ffi.NULL
        if self.type_is_signed():
            certs = self._pkcs7.d.sign.cert
        elif self.type_is_signedAndEnveloped():
            certs = self._pkcs7.d.signed_and_enveloped.cert

        pycerts = []
        for i in range(_lib.sk_X509_num(certs)):
            pycert = X509.__new__(X509)
            # pycert._x509 = _lib.sk_X509_value(certs, i)
            # According to comment from @ Jari Turkia
            # to prevent segfaults use '_lib.X509_dup('
            pycert._x509 = _lib.X509_dup(_lib.sk_X509_value(certs, i))
            pycerts.append(pycert)

        if not pycerts:
            return None
        return tuple(pycerts)

用法:

pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, open('signature.der', 'rb').read())
certs = get_certificates(pkcs7)
print(certs)
for cert in certs:
    print('digest:{}'.format(cert.digest('sha256')))

输出:

(<OpenSSL.crypto.X509 object at 0xf671b62c>, <OpenSSL.crypto.X509 object at 0xf671b86c>)
digest:b'48:19:A4:2A:56:94:22:14:73:EC:2B:01:45:9E:0B:87:92:44:26:5E:57:AF:59:F5:4C:89:F3:79:83:14:11:A3'
digest:b'25:BC:AC:86:8F:51:8B:EE:47:CC:8B:A7:78:91:7E:86:09:56:19:4B:B9:C4:10:1B:DF:13:CA:A6:54:E1:F7:4C'

使用Python:3.4.2测试-OpenSSL:17.1.0-密码学:1.9-cffi:1.10.0

Tested with Python:3.4.2 - OpenSSL:17.1.0 - cryptography:1.9 - cffi:1.10.0

使用

OpenSSL.crypto.load_pkcs7_data(type, buffer)

从以类型type编码的字符串缓冲区中加载pkcs7数据.
类型类型必须为FILETYPE_PEM或FILETYPE_ASN1).

Load pkcs7 data from the string buffer encoded with the type type.
The type type must either FILETYPE_PEM or FILETYPE_ASN1).

这篇关于pyOpenSSL的PKCS7对象提供的信息很少，如何获取签名中公钥的sha1摘要的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！