PKCS#7 signature verifies with OpenSSL, but not with M2Crypto

I have a signed PKCS#7 structure data-signed.pem:

$ openssl smime -sign -binary -in data.txt -inkey key.pem -outform pem -out p7.pem -signer cert.pem

Verification via the OpenSSL command line succeeds:

$ openssl smime -verify -CAfile cert.pem -content data.txt -in p7.pem -inform pem
[...]
Verification successful

But the same operation (IMO) with M2Crypto fails:

$ python
>>> from M2Crypto import SMIME, X509, BIO
>>> sm_obj = SMIME.SMIME()
# The certificate is self-signed, so I add it to both
# trusted CA store and certificate stack:
>>> x509 = X509.load_cert('cert.pem')
>>> sk = X509.X509_Stack()
>>> sk.push(x509)
>>> sm_obj.set_x509_stack(sk)
>>> st = X509.X509_Store()
>>> st.load_info('cert.pem')
>>> sm_obj.set_x509_store(st)
# Now the actual verification:
>>> p7 = SMIME.load_pkcs7('p7.pem')
>>> data_bio = BIO.MemoryBuffer('data.txt')
>>> sm_obj.verify(p7, data_bio)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/M2Crypto-0.22.3-py2.7-linux-i686.egg/M2Crypto/SMIME.py", line 217, in verify
    blob = m2.pkcs7_verify1(p7, self.x509_stack._ptr(), self.x509_store._ptr(), data_bio._ptr(), flags)
M2Crypto.SMIME.PKCS7_Error: digest failure

If I create a non-detached signature, it verifies successfully:

$ openssl smime -sign -nodetach -binary -in data.txt -inkey key.pem -outform pem -out data-nodetach-signed.pem -signer cert.pem
$ python
[...]
>>> p7 = SMIME.load_pkcs7('data-nodetach-signed.pem')
>>> content = sm_obj.verify(p7)
>>>

How do I verify a detached signature with M2Crypto?

I made a silly mistake when using M2Crypto:

>>> data_bio = BIO.MemoryBuffer('data.txt')

This of course does not read the file 'data.txt', but the string 'data.txt', which does not verify. The correct line is

>>> data_bio = BIO.openfile('data.txt')
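The root cause above is a content mismatch, not a problem with detached signatures as such: the signer's digest was computed over the bytes of data.txt, while the verifier was handed the eight bytes of the string "data.txt", so the computed digest cannot match and OpenSSL reports "digest failure". The script below is an added example, not code from the question or answer, that reproduces the whole round trip with the same openssl smime commands the post uses: it generates a throwaway self-signed signer, makes both a detached and a non-detached signature, verifies the detached one against the real content, and then deliberately verifies it against a file holding the literal string "data.txt" to show the same failure the poster hit. The sample content, the subject name and the temporary directory are constructed for the example; it assumes only an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the detached
# PKCS#7 round trip with the openssl CLI and triggers the same "digest
# failure" the poster saw by verifying against the wrong content.
# Assumes only an openssl binary on PATH; all files live in a temp directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed sample input, a throwaway self-signed signer certificate, and
# the two signature forms the post compares: detached (p7.pem) and
# non-detached (data-nodetach-signed.pem).
make_fixtures() {
    printf 'hello, detached signature\n' > data.txt
    # This is what BIO.MemoryBuffer('data.txt') actually handed to the
    # verifier: the file name as bytes, not the file contents.
    printf 'data.txt' > wrong.txt
    openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
        -subj '/CN=pkcs7 example' -days 1 >/dev/null 2>&1
    openssl smime -sign -binary -in data.txt -inkey key.pem -signer cert.pem \
        -outform pem -out p7.pem
    openssl smime -sign -nodetach -binary -in data.txt -inkey key.pem \
        -signer cert.pem -outform pem -out data-nodetach-signed.pem
}

# Verify the detached signature p7.pem against the content file given as $1.
# Prints the verified content on success; returns non-zero on any failure,
# including the digest mismatch you get when $1 is not the signed data.
verify_detached() {
    openssl smime -verify -CAfile cert.pem -content "$1" -in p7.pem \
        -inform pem 2>/dev/null
}

# Verify the non-detached form; here the content is carried inside the
# PKCS#7 structure, so no -content argument is needed.
verify_nodetach() {
    openssl smime -verify -CAfile cert.pem -in data-nodetach-signed.pem \
        -inform pem 2>/dev/null
}

make_fixtures

# Usage: the first call succeeds, the second fails exactly like the
# M2Crypto session in the question, the third succeeds without external content.
verify_detached data.txt
if verify_detached wrong.txt; then
    echo 'unexpected: verification with the wrong content succeeded' >&2
    exit 1
fi
verify_nodetach
```

The same mapping applies to M2Crypto: the BIO passed as the second argument of SMIME.verify must yield the signed bytes themselves (BIO.openfile('data.txt'), or BIO.MemoryBuffer with the file's contents read in), and a wrong or empty BIO produces the PKCS7_Error 'digest failure' shown in the question rather than a more descriptive error.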