verify_data = b'MIIEEwYJKoZIhvcNAQcCoIIEBDCCBAACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3\nDQEHAaCCAgcwggIDMIIBbAIJAKBFD8eF/nAAMA0GCSqGSIb3DQEBCwUAMEYxCzAJ\nBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRAwDgYDVQQLDAdtaXRzb2dv\nMRAwDgYDVQQDDAdoZXhub2RlMB4XDTIxMDgyMDEzNTExMVoXDTIyMDgyMDEzNTEx\nMVowRjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAsM\nB21pdHNvZ28xEDAOBgNVBAMMB2hleG5vZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A\nMIGJAoGBAM/ID0YIWOtgokdkFI+DO0AAtHiN+Q+LIvBI8yD3wn/IpFIBo0erDiU+\n9NQDoeMgzphjVB2hW2iN9X6P9WtcFpk4jPtemUnDys8/d+xkwEFijayQ8slURWrE\nAZFzgdDg2a0b0SGZswuvHieWrTBl4btlMIAKU8ou8GNa4/U5q2jRAgMBAAEwDQYJ\nKoZIhvcNAQELBQADgYEAxzXFTxuk9CZajH77QjzsoYfOFiRLnjaoIohU+EMausw8\nmr5hPyDI5LsupzJmcZqAPQF8g8lSKS3p8xhqNC/FheH6WRZY2xTsn8CJ0/aMI7NF\n/dJ3FBnAXXDKa+/aJs53DbBqzLPNY/doADIOgWjzNwWHWmGLLsqylCkLdTc+Z7cx\nggHUMIIB0AIBATBTMEYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh\nMRAwDgYDVQQLDAdtaXRzb2dvMRAwDgYDVQQDDAdoZXhub2RlAgkAoEUPx4X+cAAw\nCQYFKw4DAhoFAKCB2DAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3\nDQEJBTEPFw0yMTA4MjQwODEzNTNaMCMGCSqGSIb3DQEJBDEWBBRiGrGGHTSM6iOJ\nxg0H89PGLgTRKjB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB\nZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN\nBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B\nAQEFAASBgLQbhQ0BiI48ng75tDc4sc7lblj9cNwG0sUUbONF07olqgfO3FHt3It6\nhIu6UBoqj4cis3TYEkDglkvr0PCql5XUabvcrERwQvz9Ou987Fp4PvBK3b3gHebK\nKhWAgLyDMCKYf16bDvpAJTtqr/jG6sH7NK0a4wxiLu8yb2ZFnijs'
This is the data I'm gonna deserialise. I'm trying to get the data out of the signed content.
from M2Crypto import SMIME, X509, BIO
s = SMIME.SMIME()
sig = b"""
-----BEGIN PKCS7-----
%s
-----END PKCS7-----
""" % verify_data
buf = BIO.MemoryBuffer(sig)
p7 = SMIME.load_pkcs7_bio(buf)
sk = X509.X509_Stack()
signers = p7.get0_signers(sk)
signer = signers[0]
sk.push(signer)
s.set_x509_stack(sk)
stor = X509.X509_Store()
stor.add_cert(signer)
s.set_x509_store(stor)
v = s.verify(p7, flags=SMIME.PKCS7_NOVERIFY)
I'm getting this error
M2Crypto.SMIME.PKCS7_Error: no content
There is indeed no content.
$ openssl asn1parse <68904580.p7 -i
0:d=0 hl=4 l=1043 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=1028 cons: cont [ 0 ]
19:d=2 hl=4 l=1024 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 11 cons: SET
28:d=4 hl=2 l= 9 cons: SEQUENCE
30:d=5 hl=2 l= 5 prim: OBJECT :sha1
37:d=5 hl=2 l= 0 prim: NULL
39:d=3 hl=2 l= 11 cons: SEQUENCE
41:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
52:d=3 hl=4 l= 519 cons: cont [ 0 ]
[snip cert]
575:d=3 hl=4 l= 468 cons: SET
579:d=4 hl=4 l= 464 cons: SEQUENCE
[snip signerinfo]
As you can see, the ContentInfo at 39 contains only the contentType OID and not the ASN.1-ly OPTIONAL content. This is what PKCS7 called an external signature and nowadays is usually called a detached signature -- that is, one which is transmitted and/or stored separately from the data to which it applies. Since the data is not in the message with the signature, to verify the signature the data must be supplied from somewhere else, and in OpenSSL that is a BIO.
You need to supply a data_BIO that contains/reads the data
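The check that the answer reads off the `asn1parse` dump can be done in code before calling `verify`. This is an added example, not part of the original post or of M2Crypto. The helper names (`read_tlv`, `children`, `is_detached`, `tlv`, `sample`) are hypothetical, and the sample messages are constructed, unsigned skeletons.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length

def children(buf, start, end):
    """Split buf[start:end] into its top-level (tag, value_start, value_end) elements."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def is_detached(der):
    """True when the SignedData's inner ContentInfo holds only the contentType OID."""
    tag, vs, ve = read_tlv(der, 0)
    outer = children(der, vs, ve)          # contentType OID, then [0] EXPLICIT SignedData
    if tag != 0x30 or len(outer) != 2 or der[outer[0][1]:outer[0][2]] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, seq_start, seq_end = read_tlv(der, outer[1][1])
    fields = children(der, seq_start, seq_end)  # version, digestAlgorithms, contentInfo, ...
    inner = children(der, fields[2][1], fields[2][2])
    return len(inner) == 1                 # the OPTIONAL [0] content is absent

def tlv(tag, value=b""):
    """DER-encode one element; used only to build the constructed samples below."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample(content=None):
    """Constructed SignedData skeleton (no certificates, empty signerInfos)."""
    inner = tlv(0x06, OID_DATA) + (tlv(0xA0, tlv(0x04, content)) if content is not None else b"")
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31) + tlv(0x30, inner) + tlv(0x31))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))
```

`is_detached` takes DER bytes, so a base64 blob like the question's `verify_data` has to go through `base64.b64decode` first. When it returns `True`, the signed data must be passed separately as the `data_bio` argument of M2Crypto's `SMIME.verify`.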