Open larsrinn opened 4 years ago
On page https://pycryptodome.readthedocs.io/en/latest/src/future.html note "Add support for CMS/PKCS#7".
@Legrandin This looks like an enhancement request.
@larsrinn There are currently a couple of ways to do what you want within Python 3 that I know of:
1) Use the Python 3 subprocess function to run openssl cms
, carefully specifying an output file that your code can subsequently open and read. I use this in a couple of my projects (for other reasons) and found it reliable.
2) Use another s/MIME project that does perform several s/MIME functions: https://m2crypto.readthedocs.io/en/latest/howto.smime.html
@larsrinn Here is one starter kit for the subprocess case:
import subprocess
import sys
DIR = the place where the artifacts are stored
KEY_FILE = DIR + 'private.pem'
INPUT_FILE = DIR + 'message.msg'
OUTPUT_FILE = DIR + 'clear_message.msg'
CMD = ['openssl', 'cms', '-decrypt', '-inkey', KEY_FILE, '-in',
INPUT_FILE, '-out', OUTPUT_FILE]
result = subprocess.run(CMD, check=False,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
if result.returncode != 0:
print("*** Oops, subprocess.run failed, details:\n{}".format(result))
sys.exit(86)
with open(OUTPUT_FILE, "r") as fd:
cleartext = fd.readlines()
print("Cleartext message:\n{}".format(cleartext))
Stdout:
Cleartext message:
['Successfully decrypted!']
Hi @texadactyl
thanks for your answers. However, as I've mentioned in the issue, I need SHA512 hashing, wich seems to be unsupported by openssl. Currently I'm using an approach similar to the own you're proposing with subprocess.run
, but I only need to sign/verify and not encrypt/decrypt the messages.
I didn't see the Add support for CMS/PKCS#7 point on the future plans list. Actually my presumption was the body of the mail is simply the base64 encoded result of the encryption performed in this example: https://pycryptodome.readthedocs.io/en/latest/src/examples.html
I'm happy to help with the implementation of CMS, but I've no idea on how to get started, except for looking at RFC5652. Since my knowledge in cryptography is very limited, I don't know if I'd be a huge help, though.
Hey there!
My interest in pycryptodome is due to my task to en-/decrypt email messages using RSASSA-OAEP key encryption and SHA512 hashing, which seems to be unsupported in openssl (somehow SHA1 is the hard coded default without a way to change this http://openssl.6102.n7.nabble.com/RSA-OAEP-with-sha256-td16377.html ).
On the way to figure this out, I stumbled upon PKI.js which I used to create test messages by the S/MIME encryption example.
The key and encrypted message are (not yet with SHA256):
Setup
Private key (SHA-1, RSA-PSS):
Message (AES-CBC, 128 content encryption algorithm length, RSA-OAEP with SHA-1)
Decrypt using openssl
Using
openssl
, I can successfully decrypt this (because it's SHA-1)Decrypting using pycryptodome
To not mess with the MIME details for now, I just copied the actual content of the mail to a file called
encrypted_b64
. Now, I followed the approach from the Encrypt data with RSA section in the documentation (I just adopted it for the fact that my input is inbase64
).Here's all the code and data: decrypt_smime_pycryptodome.zip
Am I doing something wrong or is this an issue in
pycryptodome
? At least I think the documentation is a bit missleading. I'd be happy to help out, when this is solved.