我試圖在python3上創建一個不分離的簽名。我目前有一些代碼可以在python2上使用m2crypto,但m2crypto不適用於python3。未分離的PKCS#7沒有M2Crypto的SHA1 + RSA簽名
我一直在嘗試rsa,pycrypto和openssl,但還沒有看到如何找到。
下面是等價的OpenSSL命令:
openssl smime -sign -signer $CRTFILE -inkey $KEYFILE -outformDER -nodetach
這是nodetach選項,我不能與任何rsa,pyopenssl或pycrypto模仿。
python3有沒有人這樣做?我想盡可能避免使用Popen + openssl。
其實我結束了OpenSSL.crypto解決這個,雖然,有一些內部的方法:
from OpenSSL import crypto
PKCS7_NOSIGS = 0x4 # defined in pkcs7.h
def create_embeded_pkcs7_signature(data, cert, key):
"""
Creates an embeded ("nodetached") pkcs7 signature.
This is equivalent to the output of::
openssl smime -sign -signer cert -inkey key -outform DER -nodetach < data
:type data: bytes
:type cert: str
:type key: str
""" # noqa: E501
assert isinstance(data, bytes)
assert isinstance(cert, str)
try:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
signcert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
except crypto.Error as e:
raise ValueError('Certificates files are invalid') from e
bio_in = crypto._new_mem_buf(data)
pkcs7 = crypto._lib.PKCS7_sign(
signcert._x509, pkey._pkey, crypto._ffi.NULL, bio_in, PKCS7_NOSIGS
)
bio_out = crypto._new_mem_buf()
crypto._lib.i2d_PKCS7_bio(bio_out, pkcs7)
signed_data = crypto._bio_to_string(bio_out)
return signed_data