在 Python 中创建和保存 CMS/PKCS#7 对象
Creating and saving CMS / PKCS#7 objects in Python
我需要能够在 Python 中生成、保存和读取 CMS/PKCS#7 数据。似乎可以使用 asn1crypto 库来完成,但我很难找到可以将数据保存到磁盘(PEM/DER 格式)的函数。有一个 testbench at asn1crypto/tests/test_cms.py,但它只展示了如何从文件中读取 CMS / PKCS#7 数据并将其存储到相应的 asn1crypto.cms 对象中。我找不到手册甚至 asn1crypto.cms 函数(方法)列表。
现在,我能够生成所有必要的部分,如签名、加密数据、对称密钥等,所以我需要做的是找到一种方法将它们融合到 CMS/PKCS 中# 7 种兼容的文件格式。基本上,我正在为 shell 的 openssl cms 和 openssl engine 功能寻找等效的 Python 流程。显示如何创建和保存 CMS 对象(例如 SignedData、EnvelopedData 等)的简单 Python 示例将大有帮助。
所以,在使用 asn1crypto 和 pkcs11 包玩了很多天之后,我能够创建一个签名数据文件。为了签名,我在我的 Yubikey 5 中使用了 PIV 签名槽。下面是我的脚本的摘录,展示了它的本质(请原谅大代码):
from asn1crypto import cms, util, algos, x509, core, pem
import pkcs11
from pkcs11 import Attribute, ObjectClass, KeyType
data = b'Just a test'
# Creating a SignedData object from cms
sd = cms.SignedData()
# Populating some of its fields
sd['version']='v1'
sd['encap_content_info']=util.OrderedDict([
('content_type', 'data'),
('content', data)])
sd['digest_algorithms']=[ util.OrderedDict([
('algorithm', 'sha256'),
('parameters', None) ])
# Initiating my Yubikey smart card
lib = pkcs11.lib('.../onepin-opensc-pkcs11.so')
token = lib.get_token(token_label='PIV Card Holder pin (PIV_II)')
session = token.open(user_pin='123456')
# Getting the private key and certificate objects using pkcs11
privateKey = next(session.get_objects({
Attribute.CLASS: ObjectClass.PRIVATE_KEY,
Attribute.LABEL: "SIGN key" })
certObj = next(session.get_objects({
Attribute.CLASS: ObjectClass.CERTIFICATE,
Attribute.LABEL: 'Certificate for Digital Signature' })
# Getting the raw value (DER) of certificate and storing it in x509
cert = x509.Certificate.load(certObj[Attribute.VALUE])
# Adding this certificate to SignedData object
sd['certificates'] = [cert]
# Setting signer info section
signer_info = cms.SignerInfo()
signer_info['version']=cms_version
signer_info['digest_algorithm']=util.OrderedDict([
('algorithm', 'sha256'),
('parameters', None) ])
signer_info['signature_algorithm']=util.OrderedDict([
('algorithm', 'sha256_rsa'),
('parameters', None) ])
# Creating a signature using a private key object from pkcs11
signer_info['signature'] = privateKey.sign(
data,
mechanism=pkcs11.mechanisms.Mechanism.SHA256_RSA_PKCS )
# Finding subject_key_identifier from certificate (asn1crypto.x509 object)
key_id = cert.key_identifier_value.native
signer_info['sid'] = cms.SignerIdentifier({
'subject_key_identifier': key_id })
# Adding SignerInfo object to SignedData object
sd['signer_infos'] = [ signer_info ]
# Writing everything into ASN.1 object
asn1obj = cms.ContentInfo()
asn1obj['content_type'] = 'signed_data'
asn1obj['content'] = sd
# This asn1obj can be dumped to a disk using dump() method (DER format)
with open('signed_data.der','wb+') as fout:
fout.write(asn1obj.dump())
然后我使用 openssl cms -verify -in signed_data.der -inform DER -CAfile rootCertificate.pem 验证了签名并且成功了!
我需要能够在 Python 中生成、保存和读取 CMS/PKCS#7 数据。似乎可以使用 asn1crypto 库来完成,但我很难找到可以将数据保存到磁盘(PEM/DER 格式)的函数。有一个 testbench at asn1crypto/tests/test_cms.py,但它只展示了如何从文件中读取 CMS / PKCS#7 数据并将其存储到相应的 asn1crypto.cms 对象中。我找不到手册甚至 asn1crypto.cms 函数(方法)列表。
现在,我能够生成所有必要的部分,如签名、加密数据、对称密钥等,所以我需要做的是找到一种方法将它们融合到 CMS/PKCS 中# 7 种兼容的文件格式。基本上,我正在为 shell 的 openssl cms 和 openssl engine 功能寻找等效的 Python 流程。显示如何创建和保存 CMS 对象(例如 SignedData、EnvelopedData 等)的简单 Python 示例将大有帮助。
所以,在使用 asn1crypto 和 pkcs11 包玩了很多天之后,我能够创建一个签名数据文件。为了签名,我在我的 Yubikey 5 中使用了 PIV 签名槽。下面是我的脚本的摘录,展示了它的本质(请原谅大代码):
from asn1crypto import cms, util, algos, x509, core, pem
import pkcs11
from pkcs11 import Attribute, ObjectClass, KeyType
data = b'Just a test'
# Creating a SignedData object from cms
sd = cms.SignedData()
# Populating some of its fields
sd['version']='v1'
sd['encap_content_info']=util.OrderedDict([
('content_type', 'data'),
('content', data)])
sd['digest_algorithms']=[ util.OrderedDict([
('algorithm', 'sha256'),
('parameters', None) ])
# Initiating my Yubikey smart card
lib = pkcs11.lib('.../onepin-opensc-pkcs11.so')
token = lib.get_token(token_label='PIV Card Holder pin (PIV_II)')
session = token.open(user_pin='123456')
# Getting the private key and certificate objects using pkcs11
privateKey = next(session.get_objects({
Attribute.CLASS: ObjectClass.PRIVATE_KEY,
Attribute.LABEL: "SIGN key" })
certObj = next(session.get_objects({
Attribute.CLASS: ObjectClass.CERTIFICATE,
Attribute.LABEL: 'Certificate for Digital Signature' })
# Getting the raw value (DER) of certificate and storing it in x509
cert = x509.Certificate.load(certObj[Attribute.VALUE])
# Adding this certificate to SignedData object
sd['certificates'] = [cert]
# Setting signer info section
signer_info = cms.SignerInfo()
signer_info['version']=cms_version
signer_info['digest_algorithm']=util.OrderedDict([
('algorithm', 'sha256'),
('parameters', None) ])
signer_info['signature_algorithm']=util.OrderedDict([
('algorithm', 'sha256_rsa'),
('parameters', None) ])
# Creating a signature using a private key object from pkcs11
signer_info['signature'] = privateKey.sign(
data,
mechanism=pkcs11.mechanisms.Mechanism.SHA256_RSA_PKCS )
# Finding subject_key_identifier from certificate (asn1crypto.x509 object)
key_id = cert.key_identifier_value.native
signer_info['sid'] = cms.SignerIdentifier({
'subject_key_identifier': key_id })
# Adding SignerInfo object to SignedData object
sd['signer_infos'] = [ signer_info ]
# Writing everything into ASN.1 object
asn1obj = cms.ContentInfo()
asn1obj['content_type'] = 'signed_data'
asn1obj['content'] = sd
# This asn1obj can be dumped to a disk using dump() method (DER format)
with open('signed_data.der','wb+') as fout:
fout.write(asn1obj.dump())
然后我使用 openssl cms -verify -in signed_data.der -inform DER -CAfile rootCertificate.pem 验证了签名并且成功了!