Python 非分离式PKCS#7 SHA1和#x2B;无加密的RSA签名
我正在尝试在python3上创建一个非分离签名。我目前有代码在python2上使用m2crypto实现这一点,但m2crypto不适用于python3 我一直在尝试rsa、pycrypto和openssl,但还没有找到方法 下面是等效的OpenSSL命令:Python 非分离式PKCS#7 SHA1和#x2B;无加密的RSA签名,python,rsa,signing,pycrypto,pyopenssl,Python,Rsa,Signing,Pycrypto,Pyopenssl,我正在尝试在python3上创建一个非分离签名。我目前有代码在python2上使用m2crypto实现这一点,但m2crypto不适用于python3 我一直在尝试rsa、pycrypto和openssl,但还没有找到方法 下面是等效的OpenSSL命令: openssl smime -sign -signer $CRTFILE -inkey $KEYFILE -outformDER -nodetach 这是我无法模仿的nodetach选项,或者 有人在python3上这样做吗?我希望尽可能避
openssl smime -sign -signer $CRTFILE -inkey $KEYFILE -outformDER -nodetach
nodetach有人在python3上这样做吗?我希望尽可能避免使用Popen+openssl。我最终用
openssl.cryptofrom OpenSSL import crypto
PKCS7_NOSIGS = 0x4 # defined in pkcs7.h
def create_embeded_pkcs7_signature(data, cert, key):
"""
Creates an embeded ("nodetached") pkcs7 signature.
This is equivalent to the output of::
openssl smime -sign -signer cert -inkey key -outform DER -nodetach < data
:type data: bytes
:type cert: str
:type key: str
""" # noqa: E501
assert isinstance(data, bytes)
assert isinstance(cert, str)
try:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
signcert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
except crypto.Error as e:
raise ValueError('Certificates files are invalid') from e
bio_in = crypto._new_mem_buf(data)
pkcs7 = crypto._lib.PKCS7_sign(
signcert._x509, pkey._pkey, crypto._ffi.NULL, bio_in, PKCS7_NOSIGS
)
bio_out = crypto._new_mem_buf()
crypto._lib.i2d_PKCS7_bio(bio_out, pkcs7)
signed_data = crypto._bio_to_string(bio_out)
return signed_data
来自OpenSSL导入加密
PKCS7_NOSIGS=0x4#在PKCS7.h中定义
def创建嵌入式pkcs7签名(数据、证书、密钥):
"""
创建嵌入的(“节点连接的”)pkcs7签名。
这相当于输出::
openssl smime-sign-signer cert-inkey-outform DER-Nodeach<数据
:类型数据:字节
:type cert:str
:type键:str
“”#noqa:E501
断言isinstance(数据,字节)
断言isinstance(证书、str)
尝试:
pkey=crypto.load\u privatekey(crypto.FILETYPE\u PEM,key)
signcert=crypto.load\u证书(crypto.FILETYPE\u PEM,cert)
加密错误除外,如e:
来自e的raise VALUERROR('证书文件无效')
bio_in=加密。_new_mem_buf(数据)
pkcs7=加密。\u lib.pkcs7\u符号(
signcert.\u x509,pkey.\u pkey,crypto.\u ffi.NULL,bio\u in,PKCS7\u NOSIGS
)
bio_out=crypto.\u new_mem_buf()
加密库i2d\U PKCS7\U bio(bio\U out,PKCS7)
签名数据=加密。_bio_到_字符串(bio_out)
返回已签名的数据
pyca/cryptographyfrom cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.bindings.openssl.binding import Binding
_lib = Binding.lib
_ffi = Binding.ffi
msg = "Hello, World!"
with open('key.pem', 'rb') as key_file:
private_key = serialization.load_pem_private_key(
key_file.read(), None, default_backend())
with open('cert.pem', 'rb') as cert_file:
cert = x509.load_pem_x509_certificate(
cert_file.read(), default_backend())
bio_in = _lib.BIO_new_mem_buf(msg.encode('utf-8'), len(msg))
pkcs7 = _lib.PKCS7_sign(cert._x509, private_key._evp_pkey, _ffi.NULL, bio_in, 0)
bio_out=_lib.BIO_new(_lib.BIO_s_mem())
_lib.PEM_write_bio_PKCS7(bio_out, pkcs7)
result_buffer = _ffi.new('char**')
buffer_length = _lib.BIO_get_mem_data(bio_out, result_buffer)
sout = _ffi.buffer(result_buffer[0], buffer_length)[:]
print(sout.decode('utf-8'))
opensslsime