hello everybody, I have to consolidate and possibly rewrite a bunch of bash scripts that verify that incoming smime messages are valid (i.e. encrypted with company's private key and signed a certain set of public keys)
This bunch of bash is going to be replaced by a small application, written possibly in Python with the help of M2Crypto.
Until now, the decryption part is really going well, but I'm having a problem with signature verification.
I need to write python code that will replace this single bash line
openssl smime -verify -in to_verify.txt -CAfile signer_pubkey.pem -out verified.txt
The content of to_verify.txt is the "usual" multipart/signed p7, that can have the signature attached or not.
The previous command exits with 0 when the verification is successfull and extract the content from the smime envelope.
now, back on python, taken from m2crypto examples:
import os
from M2Crypto import BIO, Rand, SMIME, X509
cert_dir = '/home/niphlod/certs'
doc_dir = '/home/niphlod/datastore'
signer = os.path.join(cert_dir, 'signer_pubkey.pem')
letter = os.path.join(doc_dir,'out_decrypt.txt')
# Instantiate an SMIME object.
s = SMIME.SMIME()
# Load the signer's cert.
x509 = X509.load_cert(signer)
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Load the signer's CA cert. They're all self-signed, hence the following
st = X509.X509_Store()
st.load_info(signer)
s.set_x509_store(st)
# Load the data, verify it.
p7, data = SMIME.smime_load_pkcs7(letter)
v = s.verify(p7)
print v
print data
print data.read()
Well.... surprise, I get
Traceback (most recent call last):
File "m2crypto_verify.py", line 28, in <module>
v = s.verify(p7)
File "/usr/lib/pymodules/python2.6/M2Crypto/SMIME.py", line 215, in verify
blob = m2.pkcs7_verify0(p7, self.x509_stack._ptr(), self.x509_store._ptr(), flags)
M2Crypto.SMIME.PKCS7_Error: no content
Openssl is reading, extracting and verifying this files correctly, but how can m2crypto report that there is no content ?
BUMP: noone interested in this ?