pyOpenSSL's PKCS7 object provides very little information; how can I get the sha1 digest of the public key in the signature?


Problem description

I would like to parse android apk's CERT.RSA in Python. I know it can be parsed with pyOpenSSL

    import OpenSSL

    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, open('CERT.RSA', 'rb').read())

    cert = OpenSSL.crypto.load_pkcs7_data(type, buffer)

cert is of type 'OpenSSL.crypto.PKCS7'.

BUT right now PKCS7 object is not complete, I cannot get attributes I need, is there any alternative way to parse that file?

Solution

Comments: I don't know if there's a way to convert it to another format so it can be parsed

You can convert PKCS#7 to PEM using openssl, PEM is readable using PyOpenSSL

    openssl pkcs7 -print_certs -in sample.p7b -out sample.cer


Question: ... how can I get the sha1 digest of the public key in the signature

It's not implemented; the Pull Request has been stalled since 2015.
Using the code from the Pull Request, you can do it.

From: GitHub pyca/pyopenssl: implement getters for pkcs#7 certificates, crl's, and data #367

    def get_certificates(self):
        """
        https://github.com/pyca/pyopenssl/pull/367/files#r67300900

        Returns all certificates for the PKCS7 structure, if present. Only
        objects of type ``signedData`` or ``signedAndEnvelopedData`` can embed
        certificates.

        :return: The certificates in the PKCS7, or :const:`None` if
            there are none.
        :rtype: :class:`tuple` of :class:`X509` or :const:`None`
        """
        # Private pyOpenSSL internals; imported after the docstring so the
        # docstring stays the first statement of the function.
        from OpenSSL.crypto import _lib, _ffi, X509

        # Pick the certificate stack that matches the PKCS7 content type.
        certs = _ffi.NULL
        if self.type_is_signed():
            certs = self._pkcs7.d.sign.cert
        elif self.type_is_signedAndEnveloped():
            certs = self._pkcs7.d.signed_and_enveloped.cert

        pycerts = []
        for i in range(_lib.sk_X509_num(certs)):
            pycert = X509.__new__(X509)
            # pycert._x509 = _lib.sk_X509_value(certs, i)
            # According to comment from @ Jari Turkia
            # to prevent segfaults use '_lib.X509_dup('
            pycert._x509 = _lib.X509_dup(_lib.sk_X509_value(certs, i))
            pycerts.append(pycert)

        if not pycerts:
            return None
        return tuple(pycerts)

Usage:

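    from OpenSSL import crypto

    # get_certificates() is defined with a `self` parameter but is called
    # here as a plain function, passing the PKCS7 object explicitly.
    pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, open('signature.der', 'rb').read())
    certs = get_certificates(pkcs7)
    print(certs)
    for cert in certs:
        print('digest:{}'.format(cert.digest('sha256')))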

Output:

(<OpenSSL.crypto.X509 object at 0xf671b62c>, <OpenSSL.crypto.X509 object at 0xf671b86c>)
digest:b'48:19:A4:2A:56:94:22:14:73:EC:2B:01:45:9E:0B:87:92:44:26:5E:57:AF:59:F5:4C:89:F3:79:83:14:11:A3'
digest:b'25:BC:AC:86:8F:51:8B:EE:47:CC:8B:A7:78:91:7E:86:09:56:19:4B:B9:C4:10:1B:DF:13:CA:A6:54:E1:F7:4C'

Tested with Python:3.4.2 - OpenSSL:17.1.0 - cryptography:1.9 - cffi:1.10.0


Use

OpenSSL.crypto.load_pkcs7_data(type, buffer)

Load pkcs7 data from the string buffer encoded with the type type.
The type type must be either FILETYPE_PEM or FILETYPE_ASN1.
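
An alternative that avoids pyOpenSSL's private `_lib`/`_ffi` attributes, added here as an example and not part of the original answer or of the pyOpenSSL pull request: the `cryptography` package's public `pkcs7` module can load the embedded certificates, after which both the certificate digest and the digest of the public key alone can be computed. The function names `signer_digests` and `make_sample_pkcs7` are hypothetical, and the sample blob is a constructed stand-in for a real `CERT.RSA`.

```python
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import (
    Encoding, PublicFormat, pkcs7)
from cryptography.x509.oid import NameOID


def signer_digests(pkcs7_der):
    """Return one dict of hex digests per certificate in a DER PKCS#7 blob."""
    results = []
    for cert in pkcs7.load_der_pkcs7_certificates(pkcs7_der):
        # SubjectPublicKeyInfo is the DER encoding of the public key alone.
        spki = cert.public_key().public_bytes(
            Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
        results.append({
            "subject": cert.subject.rfc4514_string(),
            # Digest of the whole certificate (what X509.digest() reports).
            "cert_sha1": cert.fingerprint(hashes.SHA1()).hex(),
            "cert_sha256": cert.fingerprint(hashes.SHA256()).hex(),
            # Digest of the key only; unchanged if the cert is reissued
            # with the same key.
            "pubkey_sha1": hashlib.sha1(spki).hexdigest(),
        })
    return results


def make_sample_pkcs7():
    """Constructed sample: detached signature by a throwaway self-signed cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, "constructed-apk-signer")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(datetime.datetime(2024, 1, 1))
            .not_valid_after(datetime.datetime(2034, 1, 1))
            .sign(key, hashes.SHA256()))
    blob = (pkcs7.PKCS7SignatureBuilder()
            .set_data(b"constructed CERT.SF contents")
            .add_signer(cert, key, hashes.SHA256())
            .sign(Encoding.DER, [pkcs7.PKCS7Options.DetachedSignature]))
    return blob, cert
```

For a real APK, pass the bytes of `META-INF/CERT.RSA` to `signer_digests()` in place of the constructed blob.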
