I need to get the digest of a PKCS#7 envelop to manually check it.
Usually when you want to validate the signature of a pkcs#7 envelop you do that:
from M2Crypto import SMIME, X509, BIO
sm_obj = SMIME.SMIME()
x509 = X509.load_cert(join(PATH, 'QualifiedChain.crt'))
sk = X509.X509_Stack()
sk.push(x509)
sm_obj.set_x509_stack(sk)
st = X509.X509_Store()
st.load_info(join(PATH, 'QualifiedChain.crt'))
sm_obj.set_x509_store(st)
# re-wrap signature so that it fits base64 standards
cooked_sig = '
'.join(raw_sig[pos:pos + 76] for pos in
xrange(0, len(raw_sig), 76))
# now, wrap the signature in a PKCS7 block
sig = "-----BEGIN PKCS7-----
%s
-----END PKCS7-----
" % cooked_sig
# and load it into an SMIME p7 object through the BIO I/O buffer:
buf = BIO.MemoryBuffer(sig)
p7 = SMIME.load_pkcs7_bio(buf)
signers = p7.get0_signers(sk)
certificat = signers[0]
data_bio = BIO.MemoryBuffer(MSG)
sm_obj.verify(p7, data_bio) # This is the line that count.
But in my case, the digest type is md5sha1 that is not recognized by openssl:
$ openssl list-message-digest-commands
md4
md5
rmd160
sha
sha1
What I need to do I to get the pkcs#7 signedContent and to manually check it.
What I need is a Python equivalent to org.bouncycastle.cms.CMSSignedDataParser
.
How can I get the digest to be able to validate it manually without having to use sm_obj.verify
?
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…