jnewbigin / pkcs7_detached Goto Github PK
View Code? Open in Web Editor NEWPython pkcs7 detached signature verify
License: MIT License
Python pkcs7 detached signature verify
License: MIT License
Hi. I used your library as a guide on how to do a pkcs7 verification, but didn't directly use your lib. Instead I derived this function, that uses bytes
and cryptography.x509.Certificate
parameters instead. I did this because I already have the things like that in memory, so serializing it just to deserializing it seemed a bit roundabout to me. Also passing the document as str
instead of bytes
seems fragile to me anyway. Who knows how the document was encoded (UTF-8? ISO-8859-1?) or if it even was string data or something random binary.
I use this derived function in another MIT licensed Python script (verify_ehc.py), but maybe you want to include this (or something similar) in your library:
from cryptography import x509
from cryptography.hazmat.backends.openssl.backend import backend # type: ignore
from cryptography.hazmat.bindings._openssl import ffi, lib # type: ignore
from cryptography.hazmat.bindings.openssl import binding
def verify_detached_signature_binary(document: bytes, signature: bytes, certificate: x509.Certificate) -> bool:
# Load the string into a bio
bio = backend._bytes_to_bio(signature) # pylint: disable=W0212
# Create the pkcs7 object
pkcs7_object = lib.d2i_PKCS7_bio(bio.bio, ffi.NULL)
if pkcs7_object == ffi.NULL:
binding._consume_errors(lib)
raise ValueError("Unable to parse PKCS7 data")
# Load the specified certificate
stack = lib.sk_X509_new_null()
res = lib.sk_X509_push(stack, certificate._x509) # type: ignore
binding._openssl_assert(lib, res >= 1)
# We need a CA store, even though we don't use it
store = lib.X509_STORE_new()
binding._openssl_assert(lib, store != ffi.NULL)
# Load the document into a bio
content = backend._bytes_to_bio(document) # pylint: disable=W0212
# If PKCS7_NOVERIFY is set the signer's certificates are not chain verified.
flags = lib.PKCS7_NOVERIFY
# https://www.openssl.org/docs/man1.0.2/crypto/PKCS7_verify.html
return lib.PKCS7_verify(pkcs7_object, stack, store, content.bio, ffi.NULL, flags) == 1
I don't know how to use OpenSSL via ffi (or at all). Are you sure this isn't leaking memory and there is no manual free required after lib.X509_STORE_new()
?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.