如何使用OpenSSL C庫創建退化的PKCS7文件？

Question

如何使用OpenSSL C庫在給定單個X509證書的情況下創建簡並的PKCS＃7文件？

細節：

我通過添加一個名為pkcs7_create_deg的新函數在M2Crypto中擴展了_pkcs7.i SWIG接口文件。

在SWIG接口文件中使用以下C代碼時，出現分段錯誤。 為什么？

/* _pkcs7.i */
//
// Following 2 lines are part of the SWIG interface definition. Uncommented in _pkcs7.i file.
// %threadallow pkcs7_create_deg;
// %inline %{
//

PKCS7 *pkcs7_create_deg(X509 *x509) {
    PKCS7 *p7 = NULL;
    PKCS7_SIGNED *p7s = NULL;
    STACK_OF(X509_CRL) *crl_stack = NULL;
    STACK_OF(X509) *cert_stack = NULL;

    int ret = 1;

    if ((p7=PKCS7_new()) == NULL) goto end;
    if ((p7s=PKCS7_SIGNED_new()) == NULL) goto end;  
    p7->type=OBJ_nid2obj(NID_pkcs7_signed);
    p7->d.sign=p7s;
    p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);

    if (!ASN1_INTEGER_set(p7s->version,1)) goto end;
    if ((crl_stack=sk_X509_CRL_new_null()) == NULL) goto end;
    p7s->crl=crl_stack;
    if ((cert_stack=sk_X509_new_null()) == NULL) goto end;
    p7s->cert=cert_stack;

    sk_X509_push(cert_stack, x509);
    // Shouldn't this mean take cert struct pointed to by x509
    // and push it on to cert_stack?  
    // I think this is WHY I am getting the segfault

end:
    if (p7 != NULL) PKCS7_free(p7);

    return (p7);    /* need to return a PKCS7* */

}

// Next line part of SWIG interface definition
// %}

# deg.py
#
from M2Crypto import *

cert = X509.load_cert('ra.crt')
print (cert)

p7_ptr = m2.pkcs7_create_deg(cert._ptr())
# Here I pass the X509 pointer to my cert object
# to the SWIG interface function I created above
# that is supposed to return a pointer to a PKCS#7 object

print (p7_ptr)
p7 = SMIME.PKCS7(p7_ptr)
print (p7)

bio = BIO.MemoryBuffer()
print (bio)

p7.write_der(bio)
# This is WHEN I get the segfault

f = open('deg.p7s', 'w')
f.write(bio.read())
f.close()

(venv)x-wing-air13:.test hansooloo$ python deg.py
<M2Crypto.X509.X509 instance at 0x106275710>
<Swig Object of type 'PKCS7 *' at 0x10625ea80>
<M2Crypto.SMIME.PKCS7 instance at 0x1062577e8>
<M2Crypto.BIO.MemoryBuffer instance at 0x1062757e8>
Segmentation fault: 11

Answer 1

最終派生了M2Crypto來添加一個新功能，該功能將創建退化的PKCS7對象。 https://github.com/HanSooloo/M2Crypto-martinpaljak

涉及的步驟如下：

1. 從Martin Paljak的倉庫到新的Fork M2Crypto。
2. 修改_pkcs7.i SWIG接口文件以添加以下功能。

_pkcs7.i修改

// Adding X.509 related header files to be able to use their data types.
#include <openssl/x509.h>
#include <openssl/x509v3.h>

// Adding PKCS7_SIGNED data type to help create the degenerate data structure.
%apply Pointer NONNULL { PKCS7_SIGNED * };

// Additional interface definitions for degenerate PKCS#7 object creation.
// Inspired by the crl2p7.c file from OpenSSL.  Will need to clean up a bit for function returns.
%threadallow pkcs7_create_degenerate;
%inline %{
int pkcs7_create_degenerate(STACK_OF(X509) *cert_stack, BIO *bio) {
    int ret=1;
    PKCS7 *p7=NULL;
    PKCS7_SIGNED *p7s=NULL;
    X509_CRL *crl=NULL;
    STACK_OF(X509_CRL) *crl_stack=NULL;

    if ((p7=PKCS7_new()) == NULL) goto end;
    if ((p7s=PKCS7_SIGNED_new()) == NULL) goto end;  

    p7->type=OBJ_nid2obj(NID_pkcs7_signed);
    p7->d.sign=p7s;
    p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);

    if (!ASN1_INTEGER_set(p7s->version,1)) goto end;
    if ((crl_stack=sk_X509_CRL_new_null()) == NULL) goto end;
    p7s->crl=crl_stack;
    p7s->cert=cert_stack;

    ret=i2d_PKCS7_bio(bio, p7);

end:
    p7s->cert=NULL;

    if (p7 != NULL) {
//      printf("about to free p7: ");
        PKCS7_free(p7);
//      printf("freed.\n");
    }

    return ret;

}
%}

功能細節

該函數將X509堆棧指針和BIO指針作為輸入，並返回表示成功的整數。

X509堆棧指針需要指向一個堆棧，該堆棧包含一個希望放置在退化的PKCS＃7對象中的證書。

BIO指針需要指向一個空的BIO結構，該結構以后將用PKCS＃7對象填充。

使用上述功能的Python代碼示例：

from M2Crypto import X509, BIO, m2

sk = X509.X509_Stack()

cert = X509.load_cert('ra.crt')
num = sk.push(cert)
cert = X509.load_cert('ca.crt')
num = sk.push(cert)

# At this point, the X509 stack contains 2 certificates.
print('num: %d' %num)

# Create the BIO that will hold the PKCS#7 object.    
bio = BIO.MemoryBuffer()

# Request to create the degenerate PCKS#7 object.
ret = m2.pkcs7_create_degenerate(sk._ptr(), bio._ptr())

# Open the file for writing.
f = open('deg.p7s', 'w')

# Read from BIO and write to file.
b = bio.read()
f.write(b)

# Close the file.
f.close()