PKCS#7 signature verifies with OpenSSL but not with M2Crypto

Time: 2015-08-17 11:01:50

Tags: python openssl digital-signature pkcs#7 m2crypto

I have a signed PKCS#7 structure, data-signed.pem:

$ openssl smime -sign -binary -in data.txt -inkey key.pem -outform pem -out p7.pem -signer cert.pem

It verifies successfully with the OpenSSL command line:

$ openssl smime -verify -CAfile cert.pem -content data.txt -in p7.pem -inform pem
[...]
Verification successful

But the same operation (IMO) fails with M2Crypto:

$ python
>>> from M2Crypto import SMIME, X509, BIO
>>> sm_obj = SMIME.SMIME()
# The certificate is self-signed, so I add it to both
# trusted CA store and certificate stack:
>>> x509 = X509.load_cert('cert.pem')
>>> sk = X509.X509_Stack()
>>> sk.push(x509)
>>> sm_obj.set_x509_stack(sk)
>>> st = X509.X509_Store()
>>> st.load_info('cert.pem')
>>> sm_obj.set_x509_store(st)
# Now the actual verification:
>>> p7 = SMIME.load_pkcs7('p7.pem')
>>> data_bio = BIO.MemoryBuffer('data.txt')
>>> sm_obj.verify(p7, data_bio)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/M2Crypto-0.22.3-py2.7-linux-i686.egg/M2Crypto/SMIME.py", line 217, in verify
    blob = m2.pkcs7_verify1(p7, self.x509_stack._ptr(), self.x509_store._ptr(), data_bio._ptr(), flags)
M2Crypto.SMIME.PKCS7_Error: digest failure

If I create a non-detached signature, it verifies successfully:

$ openssl smime -sign -nodetach -binary -in data.txt -inkey key.pem -outform pem -out data-nodetach-signed.pem -signer cert.pem
$ python
[...]
>>> p7 = SMIME.load_pkcs7('data-nodetach-signed.pem')
>>> content = sm_obj.verify(p7)
>>>

How do I verify a detached signature with M2Crypto?

1 answer:

Answer 0 (score: 1):

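I made a silly mistake when using M2Crypto:

>>> data_bio = BIO.MemoryBuffer('data.txt')

Of course, this does not read the file 'data.txt' but rather the string 'data.txt', which does not verify. The correct line is

>>> data_bio = BIO.openfile('data.txt')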
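
The same failure can be reproduced with the openssl commands from the question alone, which separates a wrong-content bug from a library problem. This is an added example, not part of the original post; the throwaway signer (CN=demo-signer), the file name-as-content.bin and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added demo: all keys, certificates and data are constructed in a temp dir,
# which is left in place for inspection.

setup_demo() {
    DEMO_DIR=$(mktemp -d) || return 1
    cd "$DEMO_DIR" || return 1
    printf 'constructed sample content\n' > data.txt
    # Throwaway self-signed signer standing in for the page's key.pem/cert.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-signer' \
        -keyout key.pem -out cert.pem 2>/dev/null || return 1
    # Same detached-signature command as in the question.
    openssl smime -sign -binary -in data.txt -inkey key.pem -outform pem \
        -out p7.pem -signer cert.pem
}

# Verify the detached signature p7.pem against the bytes in file $1.
# Same verify command as in the question; exit status is openssl's.
verify_detached() {
    openssl smime -verify -CAfile cert.pem -content "$1" -in p7.pem \
        -inform pem >/dev/null
}

run_demo() {
    setup_demo || return 2
    # What BIO.MemoryBuffer('data.txt') hands to the verifier: the 8 bytes
    # of the file name, not the contents of the file.
    printf 'data.txt' > name-as-content.bin

    echo "content = bytes of data.txt:"
    verify_detached data.txt && echo "  -> accepted"

    echo "content = the string 'data.txt':"
    verify_detached name-as-content.bin || echo "  -> rejected"
}

run_demo
```

The signature and certificate are identical in both calls; only the content bytes differ, so a rejection here points at the data passed in rather than at the trust store or certificate stack.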