我正在尝试在python3上创建一个非分离的签名.我目前有代码在python2上用m2crypto执行此操作,但m2crypto不适用于python3.

我一直在尝试rsa,pycrypto和openssl,但还没有看到如何找到.

这是等效的OpenSSL命令：

openssl smime -sign -signer $CRTFILE -inkey $KEYFILE -outformDER -nodetach

这是我无法用rsa,pyopenssl或pycrypto模仿的nodetach选项.

有谁在python3上这样做？我想尽可能避免使用Popen openssl.

解决方法:

我实际上最终用OpenSSL.crypto解决了这个问题,尽管有一些内部方法：

from OpenSSL import crypto

PKCS7_NOSIGS = 0x4  # defined in pkcs7.h


def create_embeded_pkcs7_signature(data, cert, key):
    """
    Creates an embeded ("nodetached") pkcs7 signature.

    This is equivalent to the output of::

        openssl smime -sign -signer cert -inkey key -outform DER -nodetach < data

    :type data: bytes
    :type cert: str
    :type key: str
    """  # noqa: E501

    assert isinstance(data, bytes)
    assert isinstance(cert, str)

    try:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
        signcert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
    except crypto.Error as e:
        raise ValueError('Certificates files are invalid') from e

    bio_in = crypto._new_mem_buf(data)
    pkcs7 = crypto._lib.PKCS7_sign(
        signcert._x509, pkey._pkey, crypto._ffi.NULL, bio_in, PKCS7_NOSIGS
    )
    bio_out = crypto._new_mem_buf()
    crypto._lib.i2d_PKCS7_bio(bio_out, pkcs7)
    signed_data = crypto._bio_to_string(bio_out)

    return signed_data