输入:使用openssl完成的大型多部分签名和加密电子邮件(~10MB)。
解密文件似乎足够快。
获取解密信息以验证它们的时间比较长。似乎M2Crypto库存在一些问题。如果您通过写入p7s的文件替换smime_load_pkcs7_bio调用+使用smime_load_pkcs7调用来读取它,则速度要快得多。但是我想避免在磁盘上写/读(因为它现在是我的瓶颈)。
问题: 有没有人对此性能问题有一些解决方法或解决方案?
python 2.7代码:
from M2Crypto import SMIME, X509, BIO, m2
# read signed and encrypted file
with open("toto.p7m", "r") as p7mFile:
p7mBio = BIO.File(p7mFile)
p7m = SMIME.PKCS7(m2.pkcs7_read_bio_der(p7mBio._ptr()), 1)
s = SMIME.SMIME()
# Decrypt
s.load_key('cnt.key', 'cnt.crt', callback = lambda x : 'cnt_password.info')
p7s = s.decrypt(p7m)
print("Decryption ok (and fast).")
# Verify
p7s_bio = BIO.MemoryBuffer(p7s)
p7, data = SMIME.smime_load_pkcs7_bio(p7s_bio)
# MUCH FASTER !!!
#p7, data = SMIME.smime_load_pkcs7('toto.p7s')
print("Wow this long to load something that is in memory!")
sk = p7.get0_signers(X509.X509_Stack())
if 0 == len(sk) :
print("ERROR : No signers.")
s.set_x509_stack(sk)
st = X509.X509_Store()
st.load_info('ca.crt')
s.set_x509_store(st)
v = s.verify(p7, data)
if v:
print("Client signature verified.")
else:
print("ERROR : Signature verification FAILED.")
生成密钥/证书
# generate control authority (key+cert)
openssl genrsa -out ca.key 2048 -passout file:ca_password.info
openssl req -x509 -new -nodes -key ca.key -passin file:ca_password.info -days 7300 -sha256 -extensions v3_ca -out ca.crt -subj "/C=XX/ST=Xxxxxx/L=XXXX/O=XXXXX/OU=XXXX/CN=XXX Xxxx XX"
openssl x509 -noout -text -in ca.crt
# generate client key + cert for CNT
openssl genrsa -out cnt.key 2048 -passout file:cnt_password.info
openssl req -new -key cnt.key -out cnt.csr -subj "/C=XX/ST=Xxxxxx/L=XXXX/O=XXXXX/OU=XXXX/CN=CNT xxxx"
echo "authorityKeyIdentifier = keyid,issuer" > cnt.ext
echo "basicConstraints = CA:FALSE" >> cnt.ext
echo "keyUsage = digitalSignature, keyEncipherment" >> cnt.ext
echo "subjectKeyIdentifier = hash" >> cnt.ext
openssl x509 -req -in cnt.csr -passin file:cnt_password.info -CA ca.crt -CAkey ca.key -CAcreateserial -out cnt.crt -days 1024 -extfile cnt.ext
openssl x509 -noout -text -in cnt.crt
# generate client key + cert for ET
openssl genrsa -out et.key 2048 -passout file:et_password.info
openssl req -new -key et.key -out et.csr -subj "/C=XX/ST=Xxxxxx/L=XXXX/O=XXXXX/OU=XXXX/CN=ET xxxx"
echo "authorityKeyIdentifier = keyid,issuer" > et.ext
echo "basicConstraints = CA:FALSE" >> et.ext
echo "keyUsage = digitalSignature, keyEncipherment" >> et.ext
echo "subjectKeyIdentifier = hash" >> et.ext
openssl x509 -req -in et.csr -passin file:et_password.info -CA ca.crt -CAkey ca.key -CAcreateserial -out et.crt -days 1024 -extfile et.ext
openssl x509 -noout -text -in et.crt
生成测试数据以进入电子邮件
dd if=/dev/urandom of=sample1.jpg bs=1K count=743
dd if=/dev/urandom of=sample2.jpg bs=1K count=3009
dd if=/dev/urandom of=sample3.xml bs=1K count=5
dd if=/dev/urandom of=sample4.mp4 bs=1K count=2864
生成电子邮件
电子邮件是由一些带有Mail / mime.php库的PHP代码生成的。
<?php
date_default_timezone_set('Europe/Paris');
require_once 'Mail/mime.php';
function add_fichier_2_mail(&$mime, $filename) {
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime_type=finfo_file($finfo,$filename);
finfo_close($finfo);
$mime->addAttachment($filename, $mime_type);
}
$crlf = "\n";
$mime_mif = new Mail_mime($crlf);
add_fichier_2_mail($mime_mif, "sample1.jpg");
add_fichier_2_mail($mime_mif, "sample2.jpg");
add_fichier_2_mail($mime_mif, "sample3.xml");
add_fichier_2_mail($mime_mif, "sample4.mp4");
$body = $mime_mif->get();
$hdrs=array();
$entete = $mime_mif->headers($hdrs);
unset($mime_mif);
$msg='';
foreach ($entete as $key=>$value) {
$msg.=$key.': '.$value.$crlf;
}
$msg.=$crlf.$crlf.$body;
file_put_contents("email_clear.eml",$msg);
?>
签名/加密电子邮件
电子邮件由ET私钥签名,然后由CNT公共证书加密。这给出了以下命令:
openssl smime -sign -binary -nodetach -certfile et.crt -signer et.crt -inkey et.key -in email_clear.eml -out email_signed.p7s
openssl smime -encrypt -outform DER -binary -des3 -in email_signed.p7s -out email_crypted_signed.p7m cnt.crt
答案 0 :(得分:1)
我能够在我的机器上确认这一点,但无法弄清楚它为什么会发生。问题似乎出现在BIO.MemoryBuffer类......
正如我评论的那样,立即跳出来的解决方法是创建一个RAM磁盘并对其使用smime_load_pkcs7。
mkdir -p /mnt/tmpfs
mount -o size=16G -t tmpfs none /mnt/tmpfs
这有两个好处:(1)您可以避免M2Crypto中的错误代码;(2)您可以避免写入或读取磁盘。