def mail_sign(mail, sender_private_key, sender_cert, keyring_source='file',
type='PEM', algo='sha256'):
"""
Signs the input mail data with input private key and input certificate.
@type mail: str
@param mail: mail text to sign.
@type sender_private_key: filepath or M2Crypto.BIO or M2Crypto.EVP.PKey
@param sender_private_key: recipient private key reference, could be from
file, from memory or from pkcs11 smartcard, based on keyring_source
input parameter.
@type sender_cert: filepath or M2Crypto.BIO or M2Crypto.X509.X509
@param sender_cert: recipient certificate, could be from filepath, from
memory or from pkcs11 smartcard, based on keyring_source input
parameter.
@type keyring_source: str
@keyword keyring_source: the type of the source for input certificate, used
to recall the appropriate method for decrypter settings. Ammitted
values are: file, memory, pkcs11.
@type type: str
@keyword type: specifies the type of output PKCS#7 data: PEM or DER
@type algo: str
@keyword algo: specifies message digest algorithm (micalg), e.g. sha256
@rtype: str
@return: the signed data in PEM format with MIME header.
"""
p7 = sign(BIO_from_buffer(mail), sender_private_key, sender_cert,
keyring_source, type, algo)
signed_mail = BIO_from_buffer()
SMIME.SMIME().write(signed_mail, p7, BIO_from_buffer(mail))
return signed_mail.read()
def mail_sign(mail,
sender_private_key,
sender_cert,
keyring_source='file',
type='PEM',
algo='sha256'):
"""
Signs the input mail data with input private key and input certificate.
@type mail: str
@param mail: mail text to sign.
@type sender_private_key: filepath or M2Crypto.BIO or M2Crypto.EVP.PKey
@param sender_private_key: recipient private key reference, could be from
file, from memory or from pkcs11 smartcard, based on keyring_source
input parameter.
@type sender_cert: filepath or M2Crypto.BIO or M2Crypto.X509.X509
@param sender_cert: recipient certificate, could be from filepath, from
memory or from pkcs11 smartcard, based on keyring_source input
parameter.
@type keyring_source: str
@keyword keyring_source: the type of the source for input certificate, used
to recall the appropriate method for decrypter settings. Ammitted
values are: file, memory, pkcs11.
@type type: str
@keyword type: specifies the type of output PKCS#7 data: PEM or DER
@type algo: str
@keyword algo: specifies message digest algorithm (micalg), e.g. sha256
@rtype: str
@return: the signed data in PEM format with MIME header.
"""
p7 = sign(BIO_from_buffer(mail), sender_private_key, sender_cert,
keyring_source, type, algo)
signed_mail = BIO_from_buffer()
SMIME.SMIME().write(signed_mail, p7, BIO_from_buffer(mail))
return signed_mail.read()
def mail_encrypt(mail, recipient_cert, keyring_source='file',
cypher='des_ede3_cbc'):
"""
Encrypts the input mail data with public key of input certificate.
@type mail: str
@param mail: mail text to encrypt.
@type recipient_cert: filepath or M2Crypto.BIO or M2Crypto.X509.X509
@param recipient_cert: the recipient certificate reference from filepath,
could be from file, from memory or from pkcs11 smartcard, based on
keyring_source input parameter.
@type keyring_source: str
@keyword keyring_source: the type of the source for input certificate, used
to recall the appropriate method for encrypter settings. Ammitted
values are: file, memory, pkcs11.
@type cypher: str
@keyword cypher: the cypher to use for encryption of the data, run
"openssl enc -help" for supported cyphers, you have to choose a public
key cypher from availables.
@rtype: str
@return: the encrypted data in PEM format with MIME header.
"""
p7 = encrypt(BIO_from_buffer(mail), recipient_cert, keyring_source, cypher)
encrypted_mail = BIO_from_buffer()
SMIME.SMIME().write(encrypted_mail, p7)
return encrypted_mail.read()
def mail_encrypt(mail,
recipient_cert,
keyring_source='file',
cypher='des_ede3_cbc'):
"""
Encrypts the input mail data with public key of input certificate.
@type mail: str
@param mail: mail text to encrypt.
@type recipient_cert: filepath or M2Crypto.BIO or M2Crypto.X509.X509
@param recipient_cert: the recipient certificate reference from filepath,
could be from file, from memory or from pkcs11 smartcard, based on
keyring_source input parameter.
@type keyring_source: str
@keyword keyring_source: the type of the source for input certificate, used
to recall the appropriate method for encrypter settings. Ammitted
values are: file, memory, pkcs11.
@type cypher: str
@keyword cypher: the cypher to use for encryption of the data, run
"openssl enc -help" for supported cyphers, you have to choose a public
key cypher from availables.
@rtype: str
@return: the encrypted data in PEM format with MIME header.
"""
p7 = encrypt(BIO_from_buffer(mail), recipient_cert, keyring_source, cypher)
encrypted_mail = BIO_from_buffer()
SMIME.SMIME().write(encrypted_mail, p7)
return encrypted_mail.read()
def sign(cert_file, key_file, message, flags):
"""
Returns a der encoded signed message
"""
signer = SMIME.SMIME()
signer.load_key(key_file, cert_file)
Rand.load_file('randpool.dat', -1)
p7 = signer.sign(BIO_from_buffer(message), flags=flags)
Rand.save_file('randpool.dat')
signed_message = BIO_from_buffer()
p7.write_der(signed_message)
return signed_message.read()
def file_sign(input_file_path,
sender_private_key,
sender_cert,
output_file_path=None,
keyring_source='file',
type='DER',
algo='sha512'):
"""
Signs the input file data with input private key and input certificate.
If an output file path is present, the signed data is also written to that
file.
@type input_file_path: filepath
@param input_file_path: the filepath from where retrieve the data to
sign.
@type sender_private_key: filepath or M2Crypto.BIO or M2Crypto.EVP.PKey
@param sender_private_key: recipient private key reference, could be from
file, from memory or from pkcs11 smartcard, based on keyring_source
input parameter.
@type sender_cert: filepath or M2Crypto.BIO or M2Crypto.X509.X509
@param sender_cert: recipient certificate, could be from filepath, from
memory or from pkcs11 smartcard, based on keyring_source input
parameter.
@type output_file_path: filepath
@param output_file_path: if present, the filepath where to write the
signed data.
@type keyring_source: str
@keyword keyring_source: the type of the source for input certificate, used
to recall the appropriate method for decrypter settings. Ammitted
values are: file, memory, pkcs11.
@type type: str
@keyword type: specifies the type of output PKCS#7 data: PEM or DER
@type algo: str
@keyword algo: specifies message digest algorithm, e.g. sha512
@rtype: M2Crypto.SMIME.PKCS7
@return: the PKCS#7 signed data in DER format.
"""
file_bio = BIO_from_file_path(input_file_path)
p7 = sign(file_bio, sender_private_key, sender_cert, keyring_source, type,
algo)
signed_data = BIO_from_buffer()
p7.write_der(signed_data)
if output_file_path:
try:
with open(output_file_path, 'wb') as fd:
fd.write(signed_data.read())
except IOError as e:
logging.error('IOError in writing signed files ' + str(e))
raise
return signed_data
def mail_decrypt(encrypted_mail,
recipient_private_key,
recipient_cert,
keyring_source='file',
type='PEM'):
"""
Decrypts the input mail data with input private key and input certificate.
@type encrypted_mail: str
@param encrypted_mail: encrypted mail body to decrypt.
@type recipient_private_key: filepath or M2Crypto.BIO or M2Crypto.EVP.PKey
@param recipient_private_key: recipient private key reference, could be
from file, from memory or from pkcs11 smartcard, based on
keyring_source input parameter.
@type recipient_cert: filepath or M2Crypto.BIO or M2Crypto.X509.X509
@param recipient_cert: recipient certificate, could be from filepath, from
memory or from pkcs11 smartcard, based on keyring_source input
parameter.
@type keyring_source: str
@keyword keyring_source: the type of the source for input certificate, used
to recall the appropriate method for decrypter settings. Ammitted
values are: file, memory, pkcs11.
@type type: str
@keyword type: specifies the type of input PKCS#7 data: PEM or DER
@rtype: str
@return: the decrypted data in plain form.
"""
decrypted_mail = decrypt(BIO_from_buffer(encrypted_mail),
recipient_private_key, recipient_cert,
keyring_source, type)
return decrypted_mail
def mail_verify(signed_mail,
certstore_path,
AUTO_SIGNED_CERT=False,
type='PEM'):
"""
Verifies the input mail data against the certificates stored in file at
certstore path.
@type signed_mail: str
@parameter signed_mail: the signed mail text to verify.
@type certstore_path: filepath
@parameter certstore_path: path to the file of the trusted certificates,
for example /etc/ssl/certs/ca-certificats.crt.
@type AUTO_SIGNED_CERT: boolean
@parameter AUTO_SIGNED_CERT: to accept or not auto signed certificates as
valid for verification.
@type type: str
@keyword type: specifies the type of input PKCS#7 data: PEM or DER
@rtype: list
@return: list of the certificate of the signers verified.
"""
signed_certs = []
signed_certs = verify(BIO_from_buffer(signed_mail), certstore_path,
AUTO_SIGNED_CERT, type)
if signed_certs:
return signed_certs
else:
return False
def file_sign(input_file_path, sender_private_key, sender_cert,
output_file_path=None, keyring_source='file', type='DER',
algo='sha512'):
"""
Signs the input file data with input private key and input certificate.
If an output file path is present, the signed data is also written to that
file.
@type input_file_path: filepath
@param input_file_path: the filepath from where retrieve the data to
sign.
@type sender_private_key: filepath or M2Crypto.BIO or M2Crypto.EVP.PKey
@param sender_private_key: recipient private key reference, could be from
file, from memory or from pkcs11 smartcard, based on keyring_source
input parameter.
@type sender_cert: filepath or M2Crypto.BIO or M2Crypto.X509.X509
@param sender_cert: recipient certificate, could be from filepath, from
memory or from pkcs11 smartcard, based on keyring_source input
parameter.
@type output_file_path: filepath
@param output_file_path: if present, the filepath where to write the
signed data.
@type keyring_source: str
@keyword keyring_source: the type of the source for input certificate, used
to recall the appropriate method for decrypter settings. Ammitted
values are: file, memory, pkcs11.
@type type: str
@keyword type: specifies the type of output PKCS#7 data: PEM or DER
@type algo: str
@keyword algo: specifies message digest algorithm, e.g. sha512
@rtype: M2Crypto.SMIME.PKCS7
@return: the PKCS#7 signed data in DER format.
"""
file_bio = BIO_from_file_path(input_file_path)
p7 = sign(file_bio, sender_private_key, sender_cert, keyring_source, type,
algo)
signed_data = BIO_from_buffer()
p7.write_der(signed_data)
if output_file_path:
try:
with open(output_file_path, 'wb') as fd:
fd.write(signed_data.read())
except IOError as e:
logging.error('IOError in writing signed files ' + str(e))
raise
return signed_data
def file_encrypt(input_file_path,
recipient_cert,
output_file_path=None,
keyring_source='file',
cypher='des_ede3_cbc'):
"""
Encrypts the input file data with public key of input certificate. If an
output file path is present, the encrypted data is also written to that
file.
@type input_file_path: filepath
@param input_file_path: the filepath from where retrieve the data to
encrypt
@type recipient_cert: filepath or M2Crypto.BIO or M2Crypto.X509.X509
@param recipient_cert: the recipient certificate reference from filepath,
could be from file, from memory or from pkcs11 smartcard, based on
keyring_source input parameter.
@type output_file_path: filepath
@param output_file_path: if present, the filepath where to write the
encrypted data.
@type keyring_source: str
@keyword keyring_source: the type of the source for input certificate, used
to recall the appropriate method for encrypter settings. Ammitted
values are: file, memory, pkcs11.
@type cypher: str
@keyword cypher: the cypher to use for encryption of the data, run
"openssl enc -help" for supported cyphers, you have to choose a public
key cypher from availables.
@rtype: M2Crypto.SMIME.PKCS7
@return: the PKCS#7 encrypted data in DER format.
"""
file_bio = BIO_from_file_path(input_file_path)
p7 = encrypt(file_bio, recipient_cert, keyring_source, cypher)
encrypted_data = BIO_from_buffer()
p7.write_der(encrypted_data)
if output_file_path:
try:
with open(output_file_path, 'wb') as fd:
fd.write(encrypted_data.read())
except IOError as e:
logging.error('IOError in writing encrypted file ' + str(e))
raise
return encrypted_data
def file_encrypt(input_file_path, recipient_cert, output_file_path=None,
keyring_source='file', cypher='des_ede3_cbc'):
"""
Encrypts the input file data with public key of input certificate. If an
output file path is present, the encrypted data is also written to that
file.
@type input_file_path: filepath
@param input_file_path: the filepath from where retrieve the data to
encrypt
@type recipient_cert: filepath or M2Crypto.BIO or M2Crypto.X509.X509
@param recipient_cert: the recipient certificate reference from filepath,
could be from file, from memory or from pkcs11 smartcard, based on
keyring_source input parameter.
@type output_file_path: filepath
@param output_file_path: if present, the filepath where to write the
encrypted data.
@type keyring_source: str
@keyword keyring_source: the type of the source for input certificate, used
to recall the appropriate method for encrypter settings. Ammitted
values are: file, memory, pkcs11.
@type cypher: str
@keyword cypher: the cypher to use for encryption of the data, run
"openssl enc -help" for supported cyphers, you have to choose a public
key cypher from availables.
@rtype: M2Crypto.SMIME.PKCS7
@return: the PKCS#7 encrypted data in DER format.
"""
file_bio = BIO_from_file_path(input_file_path)
p7 = encrypt(file_bio, recipient_cert, keyring_source, cypher)
encrypted_data = BIO_from_buffer()
p7.write_der(encrypted_data)
if output_file_path:
try:
with open(output_file_path, 'wb') as fd:
fd.write(encrypted_data.read())
except IOError as e:
logging.error('IOError in writing encrypted file ' + str(e))
raise
return encrypted_data
def verify(input_bio, certstore_path, AUTO_SIGNED_CERT, type):
"""
Retrieves X.509 certificate from input data and verifies signed message
using as certificate store input certstore, inspired by:
U{http://code.activestate.com/recipes/285211/}.
@type input_bio: M2Crypto.BIO
@param input_bio: input data to verify
@type certstore_path: filepath
@param certstore_path: path to the file of the trusted certificates,
for example /etc/ssl/certs/ca-certificats.crt.
@type type: str
@keyword type: specifies the type of input PKCS#7 data: PEM or DER
@type AUTO_SIGNED_CERT: boolean
@keyword AUTOSIGNED_CERT: to accept or not auto signed certificates as
valid for verification.
@rtype: list or None
@return: a list of verified certificates retrieved from the original data
if verification success, else None.
@raise CertStoreNotAvailable: the reference certstore for verification is
not available.
@raise MissingSignerCertificate: the input PKCS#7 is not a signed PKCS#7.
"""
signer = SMIME.SMIME()
cert_store = X509.X509_Store()
if not os.access(certstore_path, os.R_OK):
logging.error('certstore not available for verify')
raise CertStoreNotAvailable('certstore not available %' %
(certstore_path))
cert_store.load_info(certstore_path)
signer.set_x509_store(cert_store)
data_bio = None
try:
if type == 'PEM':
p7, data_bio = SMIME.smime_load_pkcs7_bio(input_bio)
elif type == 'DER':
p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(input_bio._ptr()), 1)
else:
logging.error('pkcs7 type error: unknown type')
raise BadPKCS7Type('unknown type: ' + type +
'; possible values: PEM, DER')
except SMIME.SMIME_Error as e:
logging.error('load pkcs7 error: ' + str(e))
raise
if data_bio is not None:
data = data_bio.read()
data_bio = BIO_from_buffer(data)
sk3 = p7.get0_signers(X509.X509_Stack())
if len(sk3) == 0:
logging.error('missing certificate')
raise MissingSignerCertificate('missing certificate')
signer_certs = []
for cert in sk3:
signer_certs.append(
"-----BEGIN CERTIFICATE-----\n{}-----END CERTIFICATE-----\n".
format(base64.encodestring(cert.as_der()).decode('ascii')))
signer.set_x509_stack(sk3)
v = None
try:
if AUTO_SIGNED_CERT:
v = signer.verify(p7, data_bio, flags=SMIME.PKCS7_NOVERIFY)
else:
v = signer.verify(p7, data_bio)
except SMIME.SMIME_Error as e:
logging.error('smime error: ' + str(e))
raise
except SMIME.PKCS7_Error as e:
logging.error('pkcs7 error: ' + str(e))
raise
if data_bio is not None and data != v and v is not None:
return
return signer_certs