Extract signature from digital certificate

I get a lot of PDF files on my system. I need to check, for all these files, that:

  • they carry a digital signature
  • their integrity is maintained (by comparing the hash of the file contents with the message digest embedded in the /Contents entry of the signature dictionary).

I am using Python for this. So far I was able to get /Contents from the signature dictionary using PyPDF2. /Contents is PKCS#7 DER-encoded. Is there a way to extract the signed message digest?

A similar operation was done in C in this answer.


DER is a binary format; its structure is called ASN.1. The PEM format is DER with Base64 encoding.

This online PEM decoder is very useful: http://lapo.it/asn1js/ After you have identified the message signature in it, you can write code to extract it with any ASN.1 library.


The SignedData subtype of a CAdES, CMS or PKCS#7 1.5 signature has a collection of SignerInfo blocks (specified here); each contains mainly:

  • SignerIdentifier: key to the certificate collection
  • DigestAlgorithmIdentifier: which algorithm was used to calculate the message digest
  • SignedAttributes (optional): sealed data:
  • SignatureAlgorithmIdentifier: which algorithm was used to calculate the signature (above SignedAttributes)
  • SignatureValue: Signature Value
  • UnsignedAttributes (optional)

SignedAttributes may contain, depending on the type of signature:

  • ContentType: type of signed content
  • MessageDigest
  • SigningTime
  • countersignatures

If we simplify this by using only the first signature found and my pyx509 package, the code could look something like this (not tested):

    from pyx509.models import PKCS7

    # DER-encoded PKCS#7 blob taken from the PDF's /Contents entry
    pkcs7 = PKCS7.from_der(here_goes_your_pkcs7_signature_data_der_encoded)
    # simplification: look only at the first signer
    signer_info = pkcs7.content.signerInfos[0]
    auth_attrs = signer_info.auth_attributes
    for attr in auth_attrs.attributes:
        if attr.type == '1.2.840.113549.1.9.4':  # id-messageDigest OID
            message_digest = attr.value
            print("Digest: %s#%s" % (signer_info.oid2name(signer_info.digest_algorithm), message_digest))
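As an added example (not code from either answer or from pyx509), the same extraction done with only the Python standard library: a small DER walker pulls the messageDigest signed attribute out of the /Contents blob, and the integrity check the question asks for then hashes the /ByteRange spans and compares. The function names, the sample PDF bytes, the wrapper around the attribute and the SHA-256 assumption are all constructed here; a real checker reads the algorithm from SignerInfo.digestAlgorithm.

```python
import hashlib
MESSAGE_DIGEST_OID = bytes.fromhex("2a864886f70d010904")  # id-messageDigest 1.2.840.113549.1.9.4

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for every TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_tlv(buf, pos)
        yield tag, value

def find_message_digest(cms_der):
    """Depth-first walk of constructed nodes for SEQUENCE { OID messageDigest, SET { OCTET STRING } }."""
    stack = [cms_der]
    while stack:
        for tag, value in children(stack.pop()):
            if tag & 0x20:  # constructed: SEQUENCE, SET, [0] IMPLICIT signedAttrs, ...
                kids = list(children(value))
                if tag == 0x30 and len(kids) == 2 and kids[0] == (0x06, MESSAGE_DIGEST_OID):
                    for t, digest in children(kids[1][1]):  # kids[1] is SET { OCTET STRING digest }
                        if t == 0x04:
                            return digest
                stack.append(value)
    return None

def signed_bytes(pdf, byte_range):
    """Join the two /ByteRange [o1 l1 o2 l2] spans: the file minus the /Contents hex string."""
    o1, l1, o2, l2 = byte_range
    return pdf[o1:o1 + l1] + pdf[o2:o2 + l2]

def integrity_ok(pdf, byte_range, cms_der, hash_name="sha256"):
    """True when the signed messageDigest equals a fresh hash of the ByteRange bytes (algorithm assumed)."""
    digest = find_message_digest(cms_der)
    return digest is not None and digest == hashlib.new(hash_name, signed_bytes(pdf, byte_range)).digest()

# Constructed sample: a fake PDF plus a SignerInfo-like SEQUENCE { [0] { attribute } } around the attribute.
def der(tag, body):  # short-form lengths only; every node of the sample is under 128 bytes
    return bytes([tag, len(body)]) + body
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n/Type /Sig /Contents <" + b"00" * 16 + b">\nendobj\ntrailer\n"
_lt, _gt = SAMPLE_PDF.index(b"<"), SAMPLE_PDF.index(b">") + 1
SAMPLE_RANGE = [0, _lt, _gt, len(SAMPLE_PDF) - _gt]
_digest = hashlib.sha256(signed_bytes(SAMPLE_PDF, SAMPLE_RANGE)).digest()
SAMPLE_CMS = der(0x30, der(0xA0, der(0x30, der(0x06, MESSAGE_DIGEST_OID) + der(0x31, der(0x04, _digest)))))
```

A matching digest only shows that the ByteRange bytes are the ones the signer hashed; checking SignatureValue against the signer certificate (and the certificate's trust chain) is a separate step that this snippet does not perform.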

Source: https://habr.com/ru/post/1216073/

