Python M2Crypto:从不透明签名S/MIME(pkcs7 MIME)中提取消息
我在从不透明签名的S/MIME消息中提取消息数据时遇到问题,如:Python M2Crypto:从不透明签名S/MIME(pkcs7 MIME)中提取消息,python,debian,m2crypto,smime,Python,Debian,M2crypto,Smime,我在从不透明签名的S/MIME消息中提取消息数据时遇到问题,如: 至:ngps@post1.com 发件人:ngps@mpost1.com 主题:测试 MIME版本:1.0 内容处置:附件;filename=“smime.p7m” 内容类型:应用程序/pkcs7 mime;smime类型=有符号数据;name=“smime.p7m” 内容传输编码:base64 Miihqwyjkozihvcnaqccoihndcbzacaqexczajbgurdgmgguamiicqwyjkozi HVCNAQ
至:ngps@post1.com
发件人:ngps@mpost1.com
主题:测试
MIME版本:1.0
内容处置:附件;filename=“smime.p7m”
内容类型:应用程序/pkcs7 mime;smime类型=有符号数据;name=“smime.p7m”
内容传输编码:base64
Miihqwyjkozihvcnaqccoihndcbzacaqexczajbgurdgmgguamiicqwyjkozi
HVCNAQCBOIICNASCAJANCLMVTULNR3VYZSBNDW0AXB1CNBVC2UGSW50
ZXJUZXQGTWFPBCBFEHRLBNNPB25ZIFSTRKMGMJMXMSWGUKZDIZMTJDIC0GDQPW
CM92AWRLCYBHIGNBNNPC3RLBNQGD2F5IHRVIHNLBMQGYW5IHJLY2VPDMUGC2VJ
dXJlIE1JTUUgZGF0YS4gQmFzZWQgb24gdGhlDQpwb3B1bGFyIEludGVybmV0IE1J
TUUGC3RHBMRHCQSIFMVTULNRSBWCM92AWRLCYB0AGUGZM9SBG93AW5NIGNYEXB0
B2DYYXBOAWMNLY3VYAXR5IHNLCNZPY2VZIGZVCILBGVJDHJVBMLJIG1LC3NH
Z2LuzyBhcHBsWnHdGlVbNmGlsBhdxRozW50AwnHdGlVbiWncM1LC3NHZ2UgaW50
ZWDYAXR5IGFUZCBUB24TCMVWDWRPYXRPB24GB2YGB3JPZ2LUICH2LUZYBKAWDP
DGFSIHNPZ25HDHVYZXMPDQPHBMMQGCHJPDMFJESBHMQGZGF0YSBZZWN1CML0ESAO
DXNPBMCGZW5JCNLWDGLVBIKUDQONCLMVTULNRSBPCYBIDWLSDCBVIB0AGUGUETD
UyAjNyBzdGFuZGFyZC4gW1BLQ1M3XQ0KDQpTL01JTUUgaXMgaW1wbGVtZW50ZWQg
aW4gTmV0c2NhcGUgTWVzc2VuZ2VyIGFuZCBNaWNyb3NvZnQgT3V0bG9vay4NCqCC
AXAWGGMMMIICDAADAGECMA0GCSQGSIB3DQEBBAUMHSXCZAJBGNVBaytalNH
MREWDWYDVQKEWHNMKNYEXB0BZEUMBIGA1ECXMLTTJDCNLWDG8GQ0EXJDAIBGNV
BAMTG00YQ3J5CHRVIENLCNRPZMLJYXRIE1HC3RLCJEDMBSGSQGSIB3DQEJARYO
BMDWC0BWB3N0MS5JB20WHHCNMDAWOTEWMDK1ODWWHCNMDIWOTEWMDK1ODWWJBZ
MQSWCQYDVQGEWJTRZERMA8GA1UECHMITTJDCNLWDG8XGDAWBGGNVBAMTD00YQ3J5
CHRVIENSAWVudedDBSGSQGSIB3DQEJARYOBMDWC0BWB3N0MS5JB20WXDANBGKQ
HKIG9W0BAQEFAALADBIAKEAOZ3ZUF0DMXSU+1fso+eTdmjDY71gWNeXWX28qsBJ
0ufmq4jctw7gv4fj0tzgqhvirxgkruvzsqu8eivjup/NwIDAQABo4IBBDCCAQAw
CQYDVR0TBAIWADASBGLHKGBHVHCAQ0EHXYDT3BLNTTCBHZW5LCMF0ZWQGQ2VY
dGlmaWNhdGUwHQYDVR0OBBYEFMcQhEeJ1x9d+8Rzag9yjCiutYKOMIGlBgNVHSME
gZ0wgZqAFPuHI2nrnDqTFeXFvylRT/7tKDgBoX+KFTB7MQSWCQYDVQGEWJTRZER
MA8GA1ECHITTJDCNLWDG8XDASBGNVBASTC00YQ3J5CHRVIENBMSQWIGYDVQQD
extnmknyexb0bybdzxj0awzpy2f0zsbnyxn0zxixhtabgkqhkig9w0bcqewdm5n
CHNACG9ZDDUEY29TGGEAMA0GCSQGSIB3DQEBBAUA4GBAKY2CWA2BF6CBBPE4ICI
//wOqkLDbsI3YZyUSj7ZPnefghx9EwRJfLB3/sXEf78OHL7yV6IMrvEVEAJCYs+3
带LSPCMJC0HOOMXNT0VJYCCD0JEAEWIHQGBOO9V0REXZRUY8YNKWO1W8MMSIVQH
+D5uTB0jKL/ML1EVLW3NJF68MYIBWTCCAB0CAQEWGYAWEZELMAKA1UEBHMCU0Cx
ETAPBGNVAOTCE0YQ3J5CHRVMRQWEGYDVQQLEWTNMKNYEXB0BYBDQTEKMCIGA1UE
AxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5u
Z3BZQHBVC3QXLMNVBQIBAJAJBGURDGMCGUAOIHYMBGGSQGSIB3DQEJAZELBKQ
HKIG9W0BBWEWHAYJKOZHIHVCNAQKFMQ8XDETZMDCXNTE1MDKZN1WIWYJKOZHIHVCN
AQkEMRYEFI/KcwJXhIg0bRzYLfAtDhxRMzghMHkGCSqGSIb3DQEJDzFsMGowCwYJ
YIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcw
DgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3
DQMCAGEOMA0GCSQGSIB3DQEBAQEAPRW12PT+5T9kftixVi+MzE/SLZnOJqw9x
2q1YcztjY4drOJi6CH8bHOlfb1nXr/mBQuijLA5wFl22PDGTrlZ5
它实际上是由test.py中的M2Crypto(0.21.1)sign
函数生成的不透明S/MIME签名(未加密)消息opaque.p7。数据显然包含消息,它可以通过以下方式显示:openssl smime-verify-noverify-in不透明.p7
不幸的是,当我想通过以下方式获取数据时:
p7,data=M2Crypto.SMIME.SMIME\u load\u pkcs7('opaque.p7'))
不幸的是,数据
是无
。这只是不透明s/MIME变体的一个问题,因为同样适用于clear.p7
我想这可能是兼容性问题,我的OpenSSL版本是1.0.1e(Debian Wheezy)。。我想知道是否有人让它工作了
更新
以下是修改后的test.py(原件)的输出,以证明对于透明和不透明的S/MIME消息,M2Crypto都正确地提取签名者证书,但不从不透明的SMIME中提取任何数据:
测试加密/解密。。。好啊
测试签名和保存。。。好啊
测试加载和验证不透明。。。好啊
数据:“”
签署人:['C=AU,ST=Some State,O=Internet Widgits Pty Ltd']
测试加载和验证清除。。。好啊
数据:“实际消息”
签署人:['C=AU,ST=Some State,O=Internet Widgits Pty Ltd']
测试签名/验证。。。好啊
test.py已修补,因为它在许多地方失败
--- M2Crypto-0.21.1.orig/demo/smime/test.py 2011-01-15 20:10:06.000000000 +0100
+++ M2Crypto-0.21.1/demo/smime/test.py 2013-07-16 16:37:57.224845942 +0200
@@ -6,18 +6,7 @@
from M2Crypto import BIO, Rand, SMIME, X509
-ptxt = """
-S/MIME - Secure Multipurpose Internet Mail Extensions [RFC 2311, RFC 2312] -
-provides a consistent way to send and receive secure MIME data. Based on the
-popular Internet MIME standard, S/MIME provides the following cryptographic
-security services for electronic messaging applications - authentication,
-message integrity and non-repudiation of origin (using digital signatures)
-and privacy and data security (using encryption).
-
-S/MIME is built on the PKCS #7 standard. [PKCS7]
-
-S/MIME is implemented in Netscape Messenger and Microsoft Outlook.
-"""
+ptxt = 'actual message'
def makebuf():
buf = BIO.MemoryBuffer(ptxt)
@@ -27,14 +16,14 @@
print 'test sign & save...',
buf = makebuf()
s = SMIME.SMIME()
- s.load_key('client.pem')
- p7 = s.sign(buf)
+ s.load_key('client_.pem')
+ p7 = s.sign(buf, flags=SMIME.PKCS7_DETACHED)
out = BIO.openfile('clear.p7', 'w')
out.write('To: ngps@post1.com\n')
out.write('From: ngps@post1.com\n')
out.write('Subject: testing\n')
buf = makebuf() # Recreate buf, because sign() has consumed it.
- s.write(out, p7, buf)
+ s.write(out, p7, buf, flags=SMIME.PKCS7_DETACHED)
out.close()
buf = makebuf()
@@ -50,36 +39,42 @@
def verify_clear():
print 'test load & verify clear...',
s = SMIME.SMIME()
- x509 = X509.load_cert('client.pem')
+ x509 = X509.load_cert('client_.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
- st.load_info('ca.pem')
+ st.load_info('client_.pem')
s.set_x509_store(st)
p7, data = SMIME.smime_load_pkcs7('clear.p7')
- v = s.verify(p7)
- if v:
+ data_s = data.read() if isinstance(data, BIO.BIO) else ''
+ v = s.verify(p7, BIO.MemoryBuffer(data_s))
+ if v and (v == ptxt):
print 'ok'
else:
print 'not ok'
+ print ' DATA: %r' % (data_s,)
+ print ' SIGNERS: %r' % ([ x.get_subject().as_text() for x in p7.get0_signers(sk)],)
def verify_opaque():
print 'test load & verify opaque...',
s = SMIME.SMIME()
- x509 = X509.load_cert('client.pem')
+ x509 = X509.load_cert('client_.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
- st.load_info('ca.pem')
+ st.load_info('client_.pem')
s.set_x509_store(st)
p7, data = SMIME.smime_load_pkcs7('opaque.p7')
- v = s.verify(p7, data)
- if v:
+ data_s = data.read() if isinstance(data, BIO.BIO) else ''
+ v = s.verify(p7, makebuf()) # here we are verify against ptxt, since we get no data
+ if v and (v == ptxt):
print 'ok'
else:
print 'not ok'
+ print ' DATA: %r' % (data_s,)
+ print ' SIGNERS: %r' % ([ x.get_subject().as_text() for x in p7.get0_signers(sk)],)
def verify_netscape():
print 'test load & verify netscape messager output...',
@@ -102,31 +97,32 @@
s = SMIME.SMIME()
# Load a private key.
- s.load_key('client.pem')
+ s.load_key('client_.pem')
# Sign.
- p7 = s.sign(buf)
+ p7 = s.sign(buf, flags=SMIME.PKCS7_DETACHED)
# Output the stuff.
+ buf = makebuf()
bio = BIO.MemoryBuffer()
- s.write(bio, p7, buf)
+ s.write(bio, p7, buf, flags=SMIME.PKCS7_DETACHED)
# Plumbing for verification: CA's cert.
st = X509.X509_Store()
- st.load_info('ca.pem')
+ st.load_info('client_.pem')
s.set_x509_store(st)
# Plumbing for verification: Signer's cert.
- x509 = X509.load_cert('client.pem')
+ x509 = X509.load_cert('client_.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Verify.
p7, buf = SMIME.smime_load_pkcs7_bio(bio)
- v = s.verify(p7, flags=SMIME.PKCS7_DETACHED)
-
- if v:
+ v = s.verify(p7, buf, flags=SMIME.PKCS7_DETACHED)
+
+ if v and (v == ptxt):
print 'ok'
else:
print 'not ok'
client.pem包含过期的证书,因此它使用的是自签名的client.pem,它是由openssl req-new-x509-newkey rsa-nodes-keyout client\ux.pem-out client\ux.pem
(请注意,test load&verify opaque testcase假装成功,因为验证步骤已更改为根据原始已知文本进行验证)我认为这里的主要误解是,对于MIME类型,而不是“
多部分/签名的
”,smime\u load\u pkcs7()
意味着在元组的第二部分返回None
,而SMIME.SMIME.verify()
意味着将None
作为第二个参数
当您调用s.verify(a,b)
时,它并不意味着“验证a
中的签名是否与消息b
匹配”,而是意味着鉴于SMIME对象s
上的x509存储和堆栈,请验证PKCS7结构a
是否具有有效的签名。哦,如果a
有一个分离的消息,您可以在b
中找到消息部分
如果要修复verify\u opaque()
函数,请取出data\u s
文件,然后放回原始的s.verify(p7,data)
调用。如果v==ptxt
,则原始消息的提取按预期进行,并验证签名。如果仍要打印“数据:'行,使用v
而不是数据
如果您的问题是如何从任意不透明签名消息中获取原始消息数据,那么您似乎需要获得有效的M2Crypto.SMIME.SMIME
contexts
并调用s.ver