I have a PKCS7 message which is signed. It contains data and a signing certificate (with the whole chain of trust).
I have code which uses m2crypto to get a certificate out of it.
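from M2Crypto import BIO, SMIME, X509, m2

# pkcs7message holds the DER-encoded PKCS7 message as bytes
bio = BIO.MemoryBuffer(pkcs7message)
p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(bio._ptr()))
sk = X509.X509_Stack()
certStack = p7.get0_signers(sk)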
It works. However, certStack returns only one certificate (instead of returning the whole chain of certificates).
Two questions:
I guess you are confusing signers with the certificate chain of a signer. PKCS7_get0_signers returns the list of signers.
In order to build a PKCS7 message with 2 signers, you can use the following steps:
Build key and certificate for first signer:
openssl genrsa -out key1.pem
openssl req -new -key key1.pem -subj "/CN=key1" | openssl x509 -req -signkey key1.pem -out cert1.pem
Build key and certificate for second signer:
openssl genrsa -out key2.pem
openssl req -new -key key2.pem -subj "/CN=key2" | openssl x509 -req -signkey key2.pem -out cert2.pem
Create a PKCS7 message using both signers:
echo "Hello" | openssl smime -sign -nodetach \
-out signature.der -outform DER \
-inkey key1.pem -signer cert1.pem -inkey key2.pem -signer cert2.pem
Then the signers can be printed by running your Python script:
from M2Crypto import BIO, SMIME, X509, m2

# Read the DER-encoded PKCS7 message in binary mode
bio = BIO.File(open('signature.der', 'rb'))
smime_object = SMIME.PKCS7(m2.pkcs7_read_bio_der(bio._ptr()))
# get0_signers returns one certificate per signer
signers = smime_object.get0_signers(X509.X509_Stack())
for cert in signers:
    print(cert.get_issuer().as_text())
It gives the signers' issuers:
CN=key1
CN=key2
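The signer/chain distinction from the answer, shown with the openssl CLI as an added example (not part of the original answer): a message with one signer whose issuing CA certificate is embedded via `-certfile` carries two certificates but still reports a single signer. The CA and leaf subjects, file names and helper function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: embedded certificates vs. signers in a PKCS7 message.
set -eu

# Build a throwaway CA, a leaf certificate issued by it, and a signed PKCS7
# message that embeds the CA certificate next to the signer's certificate.
make_chain_message() {   # $1 = working directory
    (
        cd "$1"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout ca.key -out ca.pem -subj "/CN=demo-ca" 2>/dev/null
        openssl req -newkey rsa:2048 -nodes \
            -keyout leaf.key -out leaf.csr -subj "/CN=demo-signer" 2>/dev/null
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 1 -out leaf.pem 2>/dev/null
        # -certfile adds extra (chain) certificates to the message.
        echo "Hello" | openssl smime -sign -nodetach -outform DER \
            -inkey leaf.key -signer leaf.pem -certfile ca.pem -out chain.der
    )
}

# Every certificate carried in the message (signers plus any chain certs).
count_embedded_certs() {   # $1 = DER PKCS7 file
    openssl pkcs7 -inform DER -in "$1" -print_certs |
        grep -c 'BEGIN CERTIFICATE'
}

# Only the signers' certificates. -noverify skips chain validation here,
# so this counts signers; it does not establish trust in them.
count_signers() {   # $1 = DER PKCS7 file
    signer_file=$(mktemp)
    openssl smime -verify -noverify -inform DER -in "$1" \
        -signer "$signer_file" -out /dev/null 2>/dev/null
    n=$(grep -c 'BEGIN CERTIFICATE' "$signer_file" || true)
    rm -f "$signer_file"
    echo "$n"
}

workdir=$(mktemp -d)
make_chain_message "$workdir"
echo "embedded certificates: $(count_embedded_certs "$workdir/chain.der")"
echo "signers:               $(count_signers "$workdir/chain.der")"
```
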