Python M2Crypto:从不透明签名S/MIME（pkcs7 MIME）中提取消息

我在从不透明签名的S/MIME消息中提取消息数据时遇到问题，如：

至：ngps@post1.com
发件人：ngps@mpost1.com
主题：测试
MIME版本：1.0
内容处置：附件；filename=“smime.p7m”
内容类型：应用程序/pkcs7 mime；smime类型=有符号数据；name=“smime.p7m”
内容传输编码：base64
Miihqwyjkozihvcnaqccoihndcbzacaqexczajbgurdgmgguamiicqwyjkozi
HVCNAQCBOIICNASCAJANCLMVTULNR3VYZSBNDW0AXB1CNBVC2UGSW50
ZXJUZXQGTWFPBCBFEHRLBNNPB25ZIFSTRKMGMJMXMSWGUKZDIZMTJDIC0GDQPW
CM92AWRLCYBHIGNBNNPC3RLBNQGD2F5IHRVIHNLBMQGYW5IHJLY2VPDMUGC2VJ
dXJlIE1JTUUgZGF0YS4gQmFzZWQgb24gdGhlDQpwb3B1bGFyIEludGVybmV0IE1J
TUUGC3RHBMRHCQSIFMVTULNRSBWCM92AWRLCYB0AGUGZM9SBG93AW5NIGNYEXB0
B2DYYXBOAWMNLY3VYAXR5IHNLCNZPY2VZIGZVCILBGVJDHJVBMLJIG1LC3NH
Z2LuzyBhcHBsWnHdGlVbNmGlsBhdxRozW50AwnHdGlVbiWncM1LC3NHZ2UgaW50
ZWDYAXR5IGFUZCBUB24TCMVWDWRPYXRPB24GB2YGB3JPZ2LUICH2LUZYBKAWDP
DGFSIHNPZ25HDHVYZXMPDQPHBMMQGCHJPDMFJESBHMQGZGF0YSBZZWN1CML0ESAO
DXNPBMCGZW5JCNLWDGLVBIKUDQONCLMVTULNRSBPCYBIDWLSDCBVIB0AGUGUETD
UyAjNyBzdGFuZGFyZC4gW1BLQ1M3XQ0KDQpTL01JTUUgaXMgaW1wbGVtZW50ZWQg
aW4gTmV0c2NhcGUgTWVzc2VuZ2VyIGFuZCBNaWNyb3NvZnQgT3V0bG9vay4NCqCC
AXAWGGMMMIICDAADAGECMA0GCSQGSIB3DQEBBAUMHSXCZAJBGNVBaytalNH
MREWDWYDVQKEWHNMKNYEXB0BZEUMBIGA1ECXMLTTJDCNLWDG8GQ0EXJDAIBGNV
BAMTG00YQ3J5CHRVIENLCNRPZMLJYXRIE1HC3RLCJEDMBSGSQGSIB3DQEJARYO
BMDWC0BWB3N0MS5JB20WHHCNMDAWOTEWMDK1ODWWHCNMDIWOTEWMDK1ODWWJBZ
MQSWCQYDVQGEWJTRZERMA8GA1UECHMITTJDCNLWDG8XGDAWBGGNVBAMTD00YQ3J5
CHRVIENSAWVudedDBSGSQGSIB3DQEJARYOBMDWC0BWB3N0MS5JB20WXDANBGKQ
HKIG9W0BAQEFAALADBIAKEAOZ3ZUF0DMXSU+1fso+eTdmjDY71gWNeXWX28qsBJ
0ufmq4jctw7gv4fj0tzgqhvirxgkruvzsqu8eivjup/NwIDAQABo4IBBDCCAQAw
CQYDVR0TBAIWADASBGLHKGBHVHCAQ0EHXYDT3BLNTTCBHZW5LCMF0ZWQGQ2VY
dGlmaWNhdGUwHQYDVR0OBBYEFMcQhEeJ1x9d+8Rzag9yjCiutYKOMIGlBgNVHSME
gZ0wgZqAFPuHI2nrnDqTFeXFvylRT/7tKDgBoX+KFTB7MQSWCQYDVQGEWJTRZER
MA8GA1ECHITTJDCNLWDG8XDASBGNVBASTC00YQ3J5CHRVIENBMSQWIGYDVQQD
extnmknyexb0bybdzxj0awzpy2f0zsbnyxn0zxixhtabgkqhkig9w0bcqewdm5n
CHNACG9ZDDUEY29TGGEAMA0GCSQGSIB3DQEBBAUA4GBAKY2CWA2BF6CBBPE4ICI
//wOqkLDbsI3YZyUSj7ZPnefghx9EwRJfLB3/sXEf78OHL7yV6IMrvEVEAJCYs+3
带LSPCMJC0HOOMXNT0VJYCCD0JEAEWIHQGBOO9V0REXZRUY8YNKWO1W8MMSIVQH
+D5uTB0jKL/ML1EVLW3NJF68MYIBWTCCAB0CAQEWGYAWEZELMAKA1UEBHMCU0Cx
ETAPBGNVAOTCE0YQ3J5CHRVMRQWEGYDVQQLEWTNMKNYEXB0BYBDQTEKMCIGA1UE
AxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5u
Z3BZQHBVC3QXLMNVBQIBAJAJBGURDGMCGUAOIHYMBGGSQGSIB3DQEJAZELBKQ
HKIG9W0BBWEWHAYJKOZHIHVCNAQKFMQ8XDETZMDCXNTE1MDKZN1WIWYJKOZHIHVCN
AQkEMRYEFI/KcwJXhIg0bRzYLfAtDhxRMzghMHkGCSqGSIb3DQEJDzFsMGowCwYJ
YIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcw
DgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3
DQMCAGEOMA0GCSQGSIB3DQEBAQEAPRW12PT+5T9kftixVi+MzE/SLZnOJqw9x
2q1YcztjY4drOJi6CH8bHOlfb1nXr/mBQuijLA5wFl22PDGTrlZ5

它实际上是由test.py中的M2Crypto（0.21.1）

sign

函数生成的不透明S/MIME签名（未加密）消息opaque.p7。数据显然包含消息，它可以通过以下方式显示：

openssl smime-verify-noverify-in不透明.p7

不幸的是，当我想通过以下方式获取数据时：

p7，data=M2Crypto.SMIME.SMIME\u load\u pkcs7（'opaque.p7'））

不幸的是，

数据

是

无

。这只是不透明s/MIME变体的一个问题，因为同样适用于

clear.p7

我想这可能是兼容性问题，我的OpenSSL版本是1.0.1e（Debian Wheezy）。。我想知道是否有人让它工作了

更新 以下是修改后的test.py（原件）的输出，以证明对于透明和不透明的S/MIME消息，M2Crypto都正确地提取签名者证书，但不从不透明的SMIME中提取任何数据：

测试加密/解密。。。好啊
测试签名和保存。。。好啊
测试加载和验证不透明。。。好啊
数据：“”
签署人：['C=AU，ST=Some State，O=Internet Widgits Pty Ltd']
测试加载和验证清除。。。好啊
数据：“实际消息”
签署人：['C=AU，ST=Some State，O=Internet Widgits Pty Ltd']
测试签名/验证。。。好啊

test.py已修补，因为它在许多地方失败

--- M2Crypto-0.21.1.orig/demo/smime/test.py 2011-01-15 20:10:06.000000000 +0100
+++ M2Crypto-0.21.1/demo/smime/test.py  2013-07-16 16:37:57.224845942 +0200
@@ -6,18 +6,7 @@
 
 from M2Crypto import BIO, Rand, SMIME, X509
 
-ptxt = """
-S/MIME - Secure Multipurpose Internet Mail Extensions [RFC 2311, RFC 2312] - 
-provides a consistent way to send and receive secure MIME data. Based on the
-popular Internet MIME standard, S/MIME provides the following cryptographic
-security services for electronic messaging applications - authentication,
-message integrity and non-repudiation of origin (using digital signatures)
-and privacy and data security (using encryption).
-
-S/MIME is built on the PKCS #7 standard. [PKCS7]
-
-S/MIME is implemented in Netscape Messenger and Microsoft Outlook.
-"""
+ptxt = 'actual message'
 
 def makebuf():
     buf = BIO.MemoryBuffer(ptxt)
@@ -27,14 +16,14 @@
     print 'test sign & save...',
     buf = makebuf()
     s = SMIME.SMIME()
-    s.load_key('client.pem')
-    p7 = s.sign(buf)
+    s.load_key('client_.pem')
+    p7 = s.sign(buf, flags=SMIME.PKCS7_DETACHED)
     out = BIO.openfile('clear.p7', 'w')
     out.write('To: ngps@post1.com\n')
     out.write('From: ngps@post1.com\n')
     out.write('Subject: testing\n')
     buf = makebuf() # Recreate buf, because sign() has consumed it.
-    s.write(out, p7, buf)
+    s.write(out, p7, buf, flags=SMIME.PKCS7_DETACHED)
     out.close()
 
     buf = makebuf()
@@ -50,36 +39,42 @@
 def verify_clear():
     print 'test load & verify clear...',
     s = SMIME.SMIME()
-    x509 = X509.load_cert('client.pem')
+    x509 = X509.load_cert('client_.pem')
     sk = X509.X509_Stack()
     sk.push(x509)
     s.set_x509_stack(sk)
     st = X509.X509_Store()
-    st.load_info('ca.pem')
+    st.load_info('client_.pem')
     s.set_x509_store(st)
     p7, data = SMIME.smime_load_pkcs7('clear.p7')
-    v = s.verify(p7)
-    if v:
+    data_s = data.read() if isinstance(data, BIO.BIO) else ''
+    v = s.verify(p7, BIO.MemoryBuffer(data_s))
+    if v and (v == ptxt):
         print 'ok'
     else:
         print 'not ok'
+    print '  DATA: %r' % (data_s,)
+    print '  SIGNERS: %r' % ([ x.get_subject().as_text() for x in p7.get0_signers(sk)],)
     
 def verify_opaque():
     print 'test load & verify opaque...',
     s = SMIME.SMIME()
-    x509 = X509.load_cert('client.pem')
+    x509 = X509.load_cert('client_.pem')
     sk = X509.X509_Stack()
     sk.push(x509)
     s.set_x509_stack(sk)
     st = X509.X509_Store()
-    st.load_info('ca.pem')
+    st.load_info('client_.pem')
     s.set_x509_store(st)
     p7, data = SMIME.smime_load_pkcs7('opaque.p7')
-    v = s.verify(p7, data)
-    if v:
+    data_s = data.read() if isinstance(data, BIO.BIO) else ''
+    v = s.verify(p7, makebuf()) # here we are verify against ptxt, since we get no data
+    if v and (v == ptxt):
         print 'ok'
     else:
         print 'not ok'
+    print '  DATA: %r' % (data_s,)
+    print '  SIGNERS: %r' % ([ x.get_subject().as_text() for x in p7.get0_signers(sk)],)
     
 def verify_netscape():
     print 'test load & verify netscape messager output...',
@@ -102,31 +97,32 @@
     s = SMIME.SMIME()
 
     # Load a private key.
-    s.load_key('client.pem')
+    s.load_key('client_.pem')
 
     # Sign.
-    p7 = s.sign(buf)
+    p7 = s.sign(buf, flags=SMIME.PKCS7_DETACHED)
 
     # Output the stuff.
+    buf = makebuf()
     bio = BIO.MemoryBuffer()
-    s.write(bio, p7, buf)
+    s.write(bio, p7, buf, flags=SMIME.PKCS7_DETACHED)
     
     # Plumbing for verification: CA's cert.
     st = X509.X509_Store()
-    st.load_info('ca.pem')
+    st.load_info('client_.pem')
     s.set_x509_store(st)
 
     # Plumbing for verification: Signer's cert.
-    x509 = X509.load_cert('client.pem')
+    x509 = X509.load_cert('client_.pem')
     sk = X509.X509_Stack()
     sk.push(x509)
     s.set_x509_stack(sk)
 
     # Verify.
     p7, buf = SMIME.smime_load_pkcs7_bio(bio)
-    v = s.verify(p7, flags=SMIME.PKCS7_DETACHED)
-    
-    if v:
+    v = s.verify(p7, buf, flags=SMIME.PKCS7_DETACHED)
+
+    if v and (v == ptxt):
         print 'ok'
     else:
         print 'not ok'

client.pem包含过期的证书，因此它使用的是自签名的client.pem，它是由

openssl req-new-x509-newkey rsa-nodes-keyout client\ux.pem-out client\ux.pem

---

（请注意，test load&verify opaque testcase假装成功，因为验证步骤已更改为根据原始已知文本进行验证）

我认为这里的主要误解是，对于MIME类型，而不是“

多部分/签名的

”，

smime\u load\u pkcs7（）

意味着在元组的第二部分返回

None

，而

SMIME.SMIME.verify（）

意味着将

None

作为第二个参数

当您调用

s.verify（a，b）

时，它并不意味着“验证

a

中的签名是否与消息

b

匹配”，而是意味着鉴于SMIME对象

s

上的x509存储和堆栈，请验证PKCS7结构

a

是否具有有效的签名。哦，如果

a

有一个分离的消息，您可以在

b

中找到消息部分

如果要修复

verify\u opaque（）

函数，请取出

data\u s

文件，然后放回原始的

s.verify（p7，data）

调用。如果

v==ptxt

，则原始消息的提取按预期进行，并验证签名。如果仍要打印“数据：'行，使用

v

而不是

数据

如果您的问题是如何从任意不透明签名消息中获取原始消息数据，那么您似乎需要获得有效的

M2Crypto.SMIME.SMIME

context

s

并调用

s.ver