PKCS#7 signature verifies with OpenSSL, but not with M2Crypto
I have a signed PKCS#7 structure, data-signed.pem:
$ openssl smime -sign -binary -in data.txt -inkey key.pem -outform pem -out p7.pem -signer cert.pem
It is verified successfully by the OpenSSL command line:
$ openssl smime -verify -CAfile cert.pem -content data.txt -in p7.pem -inform pem
[...]
Verification successful
But the same operation (IMO) fails with M2Crypto:
$ python
>>> from M2Crypto import SMIME, X509, BIO
>>> sm_obj = SMIME.SMIME()
# The certificate is self-signed, so I add it to both
# trusted CA store and certificate stack:
>>> x509 = X509.load_cert('cert.pem')
>>> sk = X509.X509_Stack()
>>> sk.push(x509)
>>> sm_obj.set_x509_stack(sk)
>>> st = X509.X509_Store()
>>> st.load_info('cert.pem')
>>> sm_obj.set_x509_store(st)
# Now the actual verification:
>>> p7 = SMIME.load_pkcs7('p7.pem')
>>> data_bio = BIO.MemoryBuffer('data.txt')
>>> sm_obj.verify(p7, data_bio)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python2.7/dist-packages/M2Crypto-0.22.3-py2.7-linux-i686.egg/M2Crypto/SMIME.py", line 217, in verify
blob = m2.pkcs7_verify1(p7, self.x509_stack._ptr(), self.x509_store._ptr(), data_bio._ptr(), flags)
M2Crypto.SMIME.PKCS7_Error: digest failure
If I create a non-detached signature, it verifies successfully:
$ openssl smime -sign -nodetach -binary -in data.txt -inkey key.pem -outform pem -out data-nodetach-signed.pem -signer cert.pem
$ python
[...]
>>> p7 = SMIME.load_pkcs7('data-nodetach-signed.pem')
>>> content = sm_obj.verify(p7)
>>>
How can I verify a detached signature with M2Crypto?
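
The digest check behind the error above can be reproduced with the OpenSSL command line alone. This added example (not part of the original post) signs constructed content with a throwaway key, then verifies the detached signature once against the file's bytes and once against a file holding only the literal string data.txt, which is what BIO.MemoryBuffer('data.txt') contains in the session above; the temporary paths, the demo-signer subject and name-as-content.bin are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: a detached PKCS#7 signature only verifies against the exact
# bytes that were signed. All names and the sample content are constructed.

make_fixture() {
    # $1 = work dir: throwaway self-signed cert, sample data, detached signature
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    printf 'constructed sample content\n' > "$1/data.txt"
    openssl smime -sign -binary -in "$1/data.txt" -inkey "$1/key.pem" \
        -signer "$1/cert.pem" -outform pem -out "$1/p7.pem" 2>/dev/null
}

verify_detached() {
    # $1 = work dir, $2 = file whose bytes are checked against the signature
    openssl smime -verify -binary -CAfile "$1/cert.pem" -content "$2" \
        -in "$1/p7.pem" -inform pem -out /dev/null 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 2
    make_fixture "$dir" || { rm -rf "$dir"; return 2; }

    # Case 1: content is the file's bytes, as in the working CLI command.
    if verify_detached "$dir" "$dir/data.txt"; then real=ok; else real=fail; fi

    # Case 2: content is the file *name*, i.e. the eight bytes "data.txt".
    # The signed messageDigest attribute no longer matches the content hash.
    printf 'data.txt' > "$dir/name-as-content.bin"
    if verify_detached "$dir" "$dir/name-as-content.bin"; then name=ok; else name=fail; fi

    rm -rf "$dir"
    echo "real=$real name=$name"
}

demo
```
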