0

I have a signed PKCS#7 structure data-signed.pem:

$ openssl smime -sign -binary -in data.txt -inkey key.pem -outform pem -out p7.pem -signer cert.pem

It verifies successfully via OpenSSL command line:

$ openssl smime -verify -CAfile cert.pem -content data.txt -in p7.pem -inform pem
[...]
Verification successful

But the same operation (IMO) fails with M2Crypto:

$ python
>>> from M2Crypto import SMIME, X509, BIO
>>> sm_obj = SMIME.SMIME()
# The certificate is self-signed, so I add it to both
# trusted CA store and certificate stack:
>>> x509 = X509.load_cert('cert.pem')
>>> sk = X509.X509_Stack()
>>> sk.push(x509)
>>> sm_obj.set_x509_stack(sk)
>>> st = X509.X509_Store()
>>> st.load_info('cert.pem')
>>> sm_obj.set_x509_store(st)
# Now the actual verification:
>>> p7 = SMIME.load_pkcs7('p7.pem')
>>> data_bio = BIO.MemoryBuffer('data.txt')
>>> sm_obj.verify(p7, data_bio)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/M2Crypto-0.22.3-py2.7-linux-i686.egg/M2Crypto/SMIME.py", line 217, in verify
    blob = m2.pkcs7_verify1(p7, self.x509_stack._ptr(), self.x509_store._ptr(), data_bio._ptr(), flags)
M2Crypto.SMIME.PKCS7_Error: digest failure

If I create a non-detached signature, it verifies successfully:

$ openssl smime -sign -nodetach -binary -in data.txt -inkey key.pem -outform pem -out data-nodetach-signed.pem -signer cert.pem
$ python
[...]
>>> p7 = SMIME.load_pkcs7('data-nodetach-signed.pem')
>>> content = sm_obj.verify(p7)
>>>

How to use M2Crypto verification with detached signature?

Konstantin Shemyak
  • 2,369
  • 5
  • 21
  • 41

1 Answers1

1

There was a silly mistake in what I was doing with M2Crypto: 

>>> data_bio = BIO.MemoryBuffer('data.txt')

This, of course, does not read file 'data.txt', but reads the string 'data.txt', which does not verify. The correct line is

>>> data_bio = BIO.openfile('data.txt')
Konstantin Shemyak
  • 2,369
  • 5
  • 21
  • 41