我在从opaque签名的S / MIME邮件中提取邮件数据时遇到问题,例如:
To: ngps@post1.com
From: ngps@mpost1.com
Subject: testing
MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64
MIIHQwYJKoZIhvcNAQcCoIIHNDCCBzACAQExCzAJBgUrDgMCGgUAMIICQwYJKoZI
hvcNAQcBoIICNASCAjANClMvTUlNRSAtIFNlY3VyZSBNdWx0aXB1cnBvc2UgSW50
ZXJuZXQgTWFpbCBFeHRlbnNpb25zIFtSRkMgMjMxMSwgUkZDIDIzMTJdIC0gDQpw
cm92aWRlcyBhIGNvbnNpc3RlbnQgd2F5IHRvIHNlbmQgYW5kIHJlY2VpdmUgc2Vj
dXJlIE1JTUUgZGF0YS4gQmFzZWQgb24gdGhlDQpwb3B1bGFyIEludGVybmV0IE1J
TUUgc3RhbmRhcmQsIFMvTUlNRSBwcm92aWRlcyB0aGUgZm9sbG93aW5nIGNyeXB0
b2dyYXBoaWMNCnNlY3VyaXR5IHNlcnZpY2VzIGZvciBlbGVjdHJvbmljIG1lc3Nh
Z2luZyBhcHBsaWNhdGlvbnMgLSBhdXRoZW50aWNhdGlvbiwNCm1lc3NhZ2UgaW50
ZWdyaXR5IGFuZCBub24tcmVwdWRpYXRpb24gb2Ygb3JpZ2luICh1c2luZyBkaWdp
dGFsIHNpZ25hdHVyZXMpDQphbmQgcHJpdmFjeSBhbmQgZGF0YSBzZWN1cml0eSAo
dXNpbmcgZW5jcnlwdGlvbikuDQoNClMvTUlNRSBpcyBidWlsdCBvbiB0aGUgUEtD
UyAjNyBzdGFuZGFyZC4gW1BLQ1M3XQ0KDQpTL01JTUUgaXMgaW1wbGVtZW50ZWQg
aW4gTmV0c2NhcGUgTWVzc2VuZ2VyIGFuZCBNaWNyb3NvZnQgT3V0bG9vay4NCqCC
AxAwggMMMIICdaADAgECAgECMA0GCSqGSIb3DQEBBAUAMHsxCzAJBgNVBAYTAlNH
MREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNV
BAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYO
bmdwc0Bwb3N0MS5jb20wHhcNMDAwOTEwMDk1ODIwWhcNMDIwOTEwMDk1ODIwWjBZ
MQswCQYDVQQGEwJTRzERMA8GA1UEChMITTJDcnlwdG8xGDAWBgNVBAMTD00yQ3J5
cHRvIENsaWVudDEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0MS5jb20wXDANBgkq
hkiG9w0BAQEFAANLADBIAkEAoz3zUF0dmxSU+1fso+eTdmjDY71gWNeXWX28qsBJ
0UFmq4JCtw7Gv4fJ0TZgQHVIrXgKrUvzsquu8eiVjuP/NwIDAQABo4IBBDCCAQAw
CQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
dGlmaWNhdGUwHQYDVR0OBBYEFMcQhEeJ1x9d+8Rzag9yjCiutYKOMIGlBgNVHSME
gZ0wgZqAFPuHI2nrnDqTFeXFvylRT/7tKDgBoX+kfTB7MQswCQYDVQQGEwJTRzER
MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD
ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n
cHNAcG9zdDEuY29tggEAMA0GCSqGSIb3DQEBBAUAA4GBAKy2cWa2BF6cbBPE4ici
//wOqkLDbsI3YZyUSj7ZPnefghx9EwRJfLB3/sXEf78OHL7yV6IMrvEVEAJCYs+3
w/lspCMJC0hOomxnt0vjyCCd0JeaEwihQGbOo9V0reXzrUy8yNkwo1w8mMSbIvqh
+D5uTB0jKL/ml1EVLw3NJf68MYIBwTCCAb0CAQEwgYAwezELMAkGA1UEBhMCU0cx
ETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UE
AxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5u
Z3BzQHBvc3QxLmNvbQIBAjAJBgUrDgMCGgUAoIHYMBgGCSqGSIb3DQEJAzELBgkq
hkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEzMDcxNTE1MDkzN1owIwYJKoZIhvcN
AQkEMRYEFI/KcwJXhIg0bRzYLfAtDhxRMzghMHkGCSqGSIb3DQEJDzFsMGowCwYJ
YIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcw
DgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3
DQMCAgEoMA0GCSqGSIb3DQEBAQUABEAPrw12PT+5T9kftixVi+MzE/SLZnOJqw9x
2q1YcztjY4drOJi6CH8bHOlfb1nXr/mBQuijLA5wFl22PDGTrlZ5
实际上是来自demo/smime/ test.py的M2Crypto(0.21.1)sign函数生成的不透明的S / MIME签名(未加密)消息opaque.p7。数据显然包含消息,它可以显示为例如作者:openssl smime -verify -noverify -in opaque.p7。
不幸的是,当我想要获取数据时:
p7, data = M2Crypto.SMIME.smime_load_pkcs7('opaque.p7')
不幸的是,data是None。这只是不透明的S / MIME变体的一个问题,因为同样适用于clear.p7。
我想这可能是一些兼容性问题,我的OpenSSL版本是1.0.1e(Debian Wheezy)..我想知道是否有人让它工作。
以下是修改后的test.py(原始here)的输出,为了证明清除和不透明的S / MIME消息,M2Crypto正确提取签名者证书,但不提取不透明SMIME中的数据:
test encrypt/decrypt... ok
test sign & save... ok
test load & verify opaque... ok
DATA: ''
SIGNERS: ['C=AU, ST=Some-State, O=Internet Widgits Pty Ltd']
test load & verify clear... ok
DATA: 'actual message'
SIGNERS: ['C=AU, ST=Some-State, O=Internet Widgits Pty Ltd']
test sign/verify... ok
test.py已修补,因为它在很多地方失败了..
--- M2Crypto-0.21.1.orig/demo/smime/test.py 2011-01-15 20:10:06.000000000 +0100
+++ M2Crypto-0.21.1/demo/smime/test.py 2013-07-16 16:37:57.224845942 +0200
@@ -6,18 +6,7 @@
from M2Crypto import BIO, Rand, SMIME, X509
-ptxt = """
-S/MIME - Secure Multipurpose Internet Mail Extensions [RFC 2311, RFC 2312] -
-provides a consistent way to send and receive secure MIME data. Based on the
-popular Internet MIME standard, S/MIME provides the following cryptographic
-security services for electronic messaging applications - authentication,
-message integrity and non-repudiation of origin (using digital signatures)
-and privacy and data security (using encryption).
-
-S/MIME is built on the PKCS #7 standard. [PKCS7]
-
-S/MIME is implemented in Netscape Messenger and Microsoft Outlook.
-"""
+ptxt = 'actual message'
def makebuf():
buf = BIO.MemoryBuffer(ptxt)
@@ -27,14 +16,14 @@
print 'test sign & save...',
buf = makebuf()
s = SMIME.SMIME()
- s.load_key('client.pem')
- p7 = s.sign(buf)
+ s.load_key('client_.pem')
+ p7 = s.sign(buf, flags=SMIME.PKCS7_DETACHED)
out = BIO.openfile('clear.p7', 'w')
out.write('To: ngps@post1.com\n')
out.write('From: ngps@post1.com\n')
out.write('Subject: testing\n')
buf = makebuf() # Recreate buf, because sign() has consumed it.
- s.write(out, p7, buf)
+ s.write(out, p7, buf, flags=SMIME.PKCS7_DETACHED)
out.close()
buf = makebuf()
@@ -50,36 +39,42 @@
def verify_clear():
print 'test load & verify clear...',
s = SMIME.SMIME()
- x509 = X509.load_cert('client.pem')
+ x509 = X509.load_cert('client_.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
- st.load_info('ca.pem')
+ st.load_info('client_.pem')
s.set_x509_store(st)
p7, data = SMIME.smime_load_pkcs7('clear.p7')
- v = s.verify(p7)
- if v:
+ data_s = data.read() if isinstance(data, BIO.BIO) else ''
+ v = s.verify(p7, BIO.MemoryBuffer(data_s))
+ if v and (v == ptxt):
print 'ok'
else:
print 'not ok'
+ print ' DATA: %r' % (data_s,)
+ print ' SIGNERS: %r' % ([ x.get_subject().as_text() for x in p7.get0_signers(sk)],)
def verify_opaque():
print 'test load & verify opaque...',
s = SMIME.SMIME()
- x509 = X509.load_cert('client.pem')
+ x509 = X509.load_cert('client_.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
- st.load_info('ca.pem')
+ st.load_info('client_.pem')
s.set_x509_store(st)
p7, data = SMIME.smime_load_pkcs7('opaque.p7')
- v = s.verify(p7, data)
- if v:
+ data_s = data.read() if isinstance(data, BIO.BIO) else ''
+ v = s.verify(p7, makebuf()) # here we are verify against ptxt, since we get no data
+ if v and (v == ptxt):
print 'ok'
else:
print 'not ok'
+ print ' DATA: %r' % (data_s,)
+ print ' SIGNERS: %r' % ([ x.get_subject().as_text() for x in p7.get0_signers(sk)],)
def verify_netscape():
print 'test load & verify netscape messager output...',
@@ -102,31 +97,32 @@
s = SMIME.SMIME()
# Load a private key.
- s.load_key('client.pem')
+ s.load_key('client_.pem')
# Sign.
- p7 = s.sign(buf)
+ p7 = s.sign(buf, flags=SMIME.PKCS7_DETACHED)
# Output the stuff.
+ buf = makebuf()
bio = BIO.MemoryBuffer()
- s.write(bio, p7, buf)
+ s.write(bio, p7, buf, flags=SMIME.PKCS7_DETACHED)
# Plumbing for verification: CA's cert.
st = X509.X509_Store()
- st.load_info('ca.pem')
+ st.load_info('client_.pem')
s.set_x509_store(st)
# Plumbing for verification: Signer's cert.
- x509 = X509.load_cert('client.pem')
+ x509 = X509.load_cert('client_.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Verify.
p7, buf = SMIME.smime_load_pkcs7_bio(bio)
- v = s.verify(p7, flags=SMIME.PKCS7_DETACHED)
-
- if v:
+ v = s.verify(p7, buf, flags=SMIME.PKCS7_DETACHED)
+
+ if v and (v == ptxt):
print 'ok'
else:
print 'not ok'
client.pem包含过期的证书,因此它使用的是由openssl req -new -x509 -newkey rsa -nodes -keyout client_.pem -out client_.pem生成的自签名client_.pem
(请注意, test load& verify opaque testcase假装成功,因为验证步骤已更改为针对原始已知文本进行验证)
答案 0 :(得分:1)
我认为这里的主要误解是,对于“multipart/signed”以外的MIME类型,smime_load_pkcs7() 意味着返回None在元组的第二部分中,SMIME.SMIME.verify() 意味着将None作为其第二个参数。
当您致电s.verify(a, b)时,并不意味着“验证a中的签名是否与消息b匹配”,这意味着“验证PKCS7结构{{1}如果xIM9存储和堆栈在SMIME对象a上,则有一个有效的签名。哦,如果s有一条分离的消息,你可以在a中找到消息部分。“
如果您想修复b功能,请完全删除verify_opaque()内容,然后重新拨打原始data_s电话。如果s.verify(p7, data),则原始邮件的提取按预期进行和验证签名。如果您仍想打印“DATA:”行,请使用v == ptxt代替v。
如果您的问题是如何从任意不透明的签名邮件中获取原始邮件数据,那么您似乎需要获得有效的data_s上下文M2Crypto.SMIME.SMIME并致电s用它!这不是我以前需要做的操作,所以我可能会遗漏一些简单的API,但据我所知,M2Crypto不会暴露任何更简单的方法。至少,如果您没有要检查的有效证书集,或者您不关心,您可以将s.verify()标记传递给PKCS7_NOVERIFY,就像使用openssl一样cmdline工具。