Incorrect behaviour of m2crypto compared to openssl

Posted on 2024-09-07 06:54:04

I have to consolidate and possibly rewrite a bunch of bash scripts that verify that incoming smime messages are valid (i.e. encrypted with company's private key and signed a certain set of public keys)

This bunch of bash is going to be replaced by a small application, written possibly in Python with the help of M2Crypto.

Until now, the decryption part is really going well, but I'm having a problem with signature verification.

I need to write python code that will replace this single bash line

 openssl smime -verify -in to_verify.txt -CAfile signer_pubkey.pem -out verified.txt

The content of to_verify.txt is the "usual" multipart/signed p7, that can have the signature attached or not.

The previous command exits with 0 when the verification is successful and extracts the content from the smime envelope.

now, back on python, taken from m2crypto examples:

    import os
    from M2Crypto import BIO, Rand, SMIME, X509
    cert_dir = '/home/niphlod/certs'
    doc_dir = '/home/niphlod/datastore'

    signer = os.path.join(cert_dir, 'signer_pubkey.pem')
    letter = os.path.join(doc_dir,'out_decrypt.txt')

    # Instantiate an SMIME object.
    s = SMIME.SMIME()

    # Load the signer's cert.
    x509 = X509.load_cert(signer)
    sk = X509.X509_Stack()
    sk.push(x509)
    s.set_x509_stack(sk)

    # Load the signer's CA cert. They're all self-signed, hence the following
    st = X509.X509_Store()
    st.load_info(signer)
    s.set_x509_store(st)

    # Load the data, verify it.
    p7, data = SMIME.smime_load_pkcs7(letter)
    v = s.verify(p7)
    print v
    print data
    print data.read()

Well.... surprise, I get

    Traceback (most recent call last):
      File "m2crypto_verify.py", line 28, in <module>
        v = s.verify(p7)
      File "/usr/lib/pymodules/python2.6/M2Crypto/SMIME.py", line 215, in verify
        blob = m2.pkcs7_verify0(p7, self.x509_stack._ptr(), self.x509_store._ptr(), flags)
    M2Crypto.SMIME.PKCS7_Error: no content

Openssl is reading, extracting and verifying this file correctly, but how can m2crypto report that there is no content?

BUMP: no one interested in this?

Comments (3)

野心澎湃 2024-09-14 06:54:04

I've worked around a similar problem using M2Crypto v0.17 by changing the line:

 v= s.verify(p7)

to

 v = s.verify(p7,data)
醉生梦死 2024-09-14 06:54:04

Kevin's answer is right.

    v = s.verify(p7,data)

The verify() method needs to compare the two parts of the signed message (the plain text against the encrypted one).

This function takes a few arguments as mentioned in the M2Crypto doc. It calls openssl PKCS7_verify method documented in OpenSSL's doc. It's unfortunate that M2Crypto's tutorial contains erroneous default values (at least with the v0.20.1 in my environment).

寄人书 2024-09-14 06:54:04

This is the mechanism I'm using for doing S/Mime verification with M2Crypto

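    import sys
    from M2Crypto import SMIME

    # s (the SMIME object) and letter (the message path) are set up as in the question.

    # Load the data
    #
    try:
      p7, data = SMIME.smime_load_pkcs7(letter)
    except SMIME.SMIME_Error as e:
      print('Error: could not load {file} because {error}'.format(file=letter, error=e))
      sys.exit()

    # Verify the data
    #
    try:
      if data is not None:
        # Detached signature: the signed content has to be passed in.
        v = s.verify(p7, data)
      else:
        v = s.verify(p7)
      if v:
        print('Client signature verified')
    # verify() reports failures as PKCS7_Error (see the traceback in the question).
    except (SMIME.SMIME_Error, SMIME.PKCS7_Error) as e:
      print('Error: message verification failed %s' % e)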
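
The answers above turn on whether the signature is detached (multipart/signed, content outside the PKCS#7 object) or attached (content embedded in it). The following is an added example, not code from the thread or from M2Crypto: it uses only the standard library to classify a message before verification, and the function names and both sample messages are constructed for illustration.

```python
from email import message_from_string

# Constructed sample: clear-signed (detached) message; "AAAA" is a placeholder blob.
DETACHED = """MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: opaque-signed message, content embedded in the PKCS#7 blob.
OPAQUE = """MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAAA
"""

SIG_TYPES = ("application/pkcs7-signature", "application/x-pkcs7-signature")
MIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def signature_layout(raw):
    """Return 'detached', 'opaque', 'malformed' or 'unsigned' (hypothetical helper)."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = msg.get_payload()
        # multipart/signed carries exactly two parts: the content, then the signature.
        if (isinstance(parts, list) and len(parts) == 2
                and parts[1].get_content_type() in SIG_TYPES):
            return "detached"
        return "malformed"  # fail closed: do not attempt verification
    if ctype in MIME_TYPES and msg.get_param("smime-type") == "signed-data":
        return "opaque"
    return "unsigned"


def needs_external_content(raw):
    """True when the verifier must be given the content alongside the PKCS#7 object."""
    return signature_layout(raw) == "detached"
```

For a detached message the PKCS#7 object holds no content of its own, which is the case where `s.verify(p7)` without `data` reports "no content".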