Cms class

class cryptosyspki.Cms

Create, read and analyze Cryptographic Message Syntax (CMS) objects.

class ComprDataOpts

Advanced options for CMS compressed-data objects.

DEFAULT = 0

Use default options

NO_INFLATE = 16777216

Extract the compressed data as is without inflation

class ContentEncrAlg

Content encryption algorithm.

AES128 = 32

AES-128

AES192 = 48

AES-192

AES256 = 64

AES-256

AES_128_GCM = 1312

AES-128-GCM authenticated encryption algorithm from RFC 5116.

AES_192_GCM = 1328

AES-192-GCM authenticated encryption algorithm in the same manner as RFC 5116.

AES_256_GCM = 1344

AES-256-GCM authenticated encryption algorithm from RFC 5116.

CHACHA20_POLY1305 = 1360

AEAD_CHACHA20_POLY1305 authenticated encryption algorithm from RFC 8439.

DEFAULT = 0

Default (AES-128). NOTE: changed from Triple DES in [v23.0].

TDEA = 16

Triple DES (3DES, des-ede3)

class EnvDataOpts

Advanced options for CMS enveloped-data objects.

ALT_ALGID = 67108864

Use alternative (non-standard) encryption algorithm identifiers

BIGFILE = 134217728

Use to speed up the processing of large files.

DEFAULT = 0

Use default options

FORMAT_BASE64 = 65536

Format output in base64 [default=binary]

MGF1SHA1 = 8388608

RSA-OAEP only. Force the MGF hash function to be SHA-1 [default = same as signature hash algorithm]

USE_SKI = 16777216

Use subjectKeyIdentifier (SKI) instead of issuerAndSerialNumber for RecipientIdentifier.

class KeyEncrAlg

Key encryption algorithm.

DEFAULT = 0

Default (rsaEncryption)

RSA_KEM = 262144

RSA-KEM

RSA_OAEP = 524288

RSAES-OAEP (NB Changed in v23.0 from 0x8000)

RSA_PKCS1V1_5 = 0

RSAES-PKCS-v1_5 (rsaEncryption)

class SigAlg

Signature algorithm for CMS signed-data objects.

DEFAULT = 0

Use default signature algorithm (rsa-sha1/sha1WithRSAEncryption)

ECDSA_SHA1 = 16

Sign with ecdsaWithSHA1

ECDSA_SHA224 = 32

Sign with ecdsaWithSHA224

ECDSA_SHA256 = 48

Sign with ecdsaWithSHA256

ECDSA_SHA384 = 64

Sign with ecdsaWithSHA384

ECDSA_SHA512 = 80

Sign with ecdsaWithSHA512

ED25519 = 192

Sign with Ed25519

ED448 = 193

Sign with Ed448

RSA_MD5 = 1

Sign with md5WithRSAEncryption (rsa-md5) signature algorithm [legacy applications only]

RSA_PSS_SHA1 = 176

Sign with RSA-PSS using SHA-1

RSA_PSS_SHA224 = 182

Sign with RSA-PSS using SHA-224

RSA_PSS_SHA256 = 179

Sign with RSA-PSS using SHA-256

RSA_PSS_SHA384 = 180

Sign with RSA-PSS using SHA-384

RSA_PSS_SHA512 = 181

Sign with RSA-PSS using SHA-512

RSA_SHA1 = 0

Sign with sha1WithRSAEncryption (rsa-sha1) [default]

RSA_SHA224 = 6

Sign with sha224WithRSAEncryption (rsa-sha224)

RSA_SHA256 = 3

Sign with sha256WithRSAEncryption (rsa-sha256) [minimum recommended]

RSA_SHA384 = 4

Sign with sha384WithRSAEncryption (rsa-sha384)

RSA_SHA512 = 5

Sign with sha512WithRSAEncryption (rsa-sha512) signature algorithm

class SigDataOpts

Advanced options for CMS signed-data objects.

ADD_ALGPROTECT = 32768

Add an Algorithm Identifier Protection Attribute to the signed attributes (requires INCLUDE_ATTRS).

ADD_SIGNER = 131072

Add a new signer to an existing SignedData object.

ADD_SIGNINGCERT = 16384

Add ESS Signing Certificate Attribute to the signed attributes (requires INCLUDE_ATTRS).

ADD_SIGNTIME = 4096

Add signing time to signed attributes (requires INCLUDE_ATTRS).

ADD_SMIMECAP = 8192

Add S/MIME capabilities to signed attributes (requires INCLUDE_ATTRS).

ALT_ALGID = 67108864

Use alternative (non-standard) signature algorithm identifiers

BIGFILE = 134217728

Use to speed up the processing of large files.

CERTS_ONLY = 1024

Create a "certs-only" PKCS#7 certificate chain.

DEFAULT = 0

Use default options

EXCLUDE_CERTS = 256

Exclude X.509 certs from output.

EXCLUDE_DATA = 512

Exclude data from output.

FORMAT_BASE64 = 65536

Format output in base64 [default=binary]

INCLUDE_ATTRS = 2048

Include Signed Attributes content-type and message-digest plus any more added using the ADD_ options.

MGF1SHA1 = 8388608

RSA-PSS only. Force the MGF hash function to be SHA-1 [default = same as signature hash algorithm]

NO_OUTER = 33554432

Create a "naked" SignedData object with no outerContentInfo as per PKCS#7 v1.6

PSEUDOSIG = 1048576

Create/sign a "pseudo" SignedData object with dummy placeholder signature.

SALTLEN_ZERO = 4194304

RSA-PSS only. Set the salt length to be zero [default = same length as the output of the hash function]

USE_SKI = 16777216

Use subjectKeyIdentifier (SKI) instead of issuerAndSerialNumber for SignerIdentifier.
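
Added example (not part of the library or its documentation): a pre-flight check for the `sigalg` and `opts` arguments passed to the `make_sigdata*` methods, built only from the SigAlg and SigDataOpts values and notes listed above. The helper names `describe_opts` and `check_sign_request` are hypothetical, and treating SHA-1 and MD5 signatures as policy failures is an assumption based on the "[minimum recommended]" note for RSA_SHA256.

```python
# Constant values are copied from the SigAlg and SigDataOpts listings on this
# page, so the check runs without the cryptosyspki package installed.

# Cms.SigAlg values that rely on MD5 or SHA-1. Note that 0 is also DEFAULT.
WEAK_SIGALGS = {
    0: "RSA_SHA1 (also DEFAULT)",
    1: "RSA_MD5",
    16: "ECDSA_SHA1",
    176: "RSA_PSS_SHA1",
}
# RSA-PSS members of Cms.SigAlg.
PSS_SIGALGS = {176, 179, 180, 181, 182}

# Cms.SigDataOpts bit flags.
SIGDATA_FLAGS = {
    "EXCLUDE_CERTS": 256, "EXCLUDE_DATA": 512, "CERTS_ONLY": 1024,
    "INCLUDE_ATTRS": 2048, "ADD_SIGNTIME": 4096, "ADD_SMIMECAP": 8192,
    "ADD_SIGNINGCERT": 16384, "ADD_ALGPROTECT": 32768,
    "FORMAT_BASE64": 65536, "ADD_SIGNER": 131072, "PSEUDOSIG": 1048576,
    "SALTLEN_ZERO": 4194304, "MGF1SHA1": 8388608, "USE_SKI": 16777216,
    "NO_OUTER": 33554432, "ALT_ALGID": 67108864, "BIGFILE": 134217728,
}
# Flags documented as "requires INCLUDE_ATTRS".
NEEDS_ATTRS = {"ADD_SIGNTIME", "ADD_SMIMECAP", "ADD_SIGNINGCERT", "ADD_ALGPROTECT"}
# Flags documented as "RSA-PSS only".
PSS_ONLY = {"SALTLEN_ZERO", "MGF1SHA1"}


def describe_opts(opts):
    """Return (sorted names of the flags set in opts, leftover unknown bits)."""
    names = sorted(n for n, bit in SIGDATA_FLAGS.items() if opts & bit)
    known = 0
    for bit in SIGDATA_FLAGS.values():
        known |= bit
    return names, opts & ~known


def check_sign_request(sigalg=0, opts=0):
    """Return a list of problems; an empty list means the request passes."""
    problems = []
    if sigalg in WEAK_SIGALGS:
        problems.append("weak signature algorithm: " + WEAK_SIGALGS[sigalg])
    names, unknown = describe_opts(opts)
    if unknown:
        problems.append("unknown option bits: 0x%X" % unknown)
    if not opts & SIGDATA_FLAGS["INCLUDE_ATTRS"]:
        for name in names:
            if name in NEEDS_ATTRS:
                problems.append(name + " requires INCLUDE_ATTRS")
    if sigalg not in PSS_SIGALGS:
        for name in names:
            if name in PSS_ONLY:
                problems.append(name + " applies to RSA-PSS only")
    return problems


if __name__ == "__main__":
    # Calling with no arguments mirrors sigalg=0, opts=0 in the signatures below.
    print(check_sign_request())
    # RSA_SHA256 with signed attributes, signing time and algorithm protection.
    print(check_sign_request(3, 2048 | 4096 | 32768))
```

Calling a signing method with its default arguments corresponds to `check_sign_request()`, which reports the SHA-1 default.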

static make_comprdata(outputfile, inputfile)

Create a new CMS compressed-data file (.p7z) from an existing input file. [binary file --> binary file]

Parameters:
  • outputfile (str) -- Output file to be created

  • inputfile (str) -- Input data file

Returns:

Zero if successful.

Return type:

int

static make_detached_sig(outputfile, hexdigest, certlist, prikeystr, sigalg=0, opts=0)

Create a "detached signature" CMS signed-data object from a message digest of the content [hexdigest --> file].

Parameters:
  • outputfile (str) -- name of output file to be created

  • hexdigest (str) -- string containing message digest in hex format

  • certlist (str) -- containing the filename of the signer's certificate and (optionally) a list of other certificates to be included in the output, separated by semicolons (;)

  • prikeystr (str) -- Internal representation of private key for the sender

  • sigalg (Cms.SigAlg) -- Signature algorithm [default=rsa-sha1]

  • opts (Cms.SigDataOpts) -- Advanced option flags.

Returns:

Zero if successful.

Return type:

int

static make_envdata(outputfile, inputfile, certlist, cipheralg=0, keyencralg=0, hashalg=0, opts=0, bigfile=False, kdfalg=0, keywrapalg=0, keyString='', count=0)

Create a CMS enveloped-data object [file --> file].

Parameters:
  • outputfile (str) -- Output file to be created.

  • inputfile (str) -- Input data file.

  • certlist (str) -- List of X509 certificate filename(s), separated by semicolons, or a single PKCS#7 certificate chain file (.p7c/.p7b). Special cases: Set as "type=@pwri" to create a single recipientInfo of type PasswordRecipientInfo (pwri); or set as "type=@kekri,keyid=<string>" to create a single recipientInfo of type KEKRecipientInfo (kekri).

  • cipheralg (Cms.ContentEncrAlg) -- Content encryption algorithm [default=AES-128] (was Triple DES, changed in v23.0)

  • keyencralg (Cms.KeyEncrAlg) -- Key encryption algorithm (where applicable) [default=rsaEncryption]

  • hashalg (Hash.Alg) -- Hash algorithm where applicable [default=SHA-1 (SHA-256 for RSA-KEM)]

  • opts (Cms.EnvDataOpts) -- Advanced options. Set as zero for defaults.

  • bigfile (bool) -- Set True for faster handling of a large input file (binary-to-binary only).

  • kdfalg (Kdf.KdfAlg) -- Key derivation function (KDF) for ECDH key agreement scheme [default=X9.63] or RSA-KEM [default=KDF3].

  • keywrapalg (Kdf.KeyWrapAlg) -- Key wrap algorithm for ECDH key agreement scheme or RSA-KEM or the kekri key encryption algorithm [default=match content encryption].

  • keyString (str) -- Use to pass optional user key material (ukm) for ECDH key agreement scheme or RSA-KEM, or the key encryption key (KEK) for a kekri type, or the password for a pwri type. Either pass a plain ASCII string, e.g. "abc"; or use the format "#x<hex-digits>" to pass a string of arbitrary octet values, e.g. "#xdeadbeef" to pass the 4 bytes 0xde, 0xad, 0xbe, 0xef. Required for kekri and pwri types.

  • count (int) -- Optional iteration count for KDF in pwri type (default=4096) or tag length for authEnvelopedData (in range 12-16, default=16), otherwise ignored.

Returns:

Number of successful recipients or a negative error code.

Return type:

int

Note

The recipientInfo type is set automatically depending on the public key found in each certificate. If the public key is RSA (rsaEncryption) then the key transport technique will be used to create that particular recipientInfo. If the public key is a supported ECC key, then the standard ECDH ephemeral-static key agreement technique will be used as per [RFC5753] and [RFC8418].

The default content encryption algorithm was changed in [v23.0] to AES-128 (was Triple DES).

Examples

>>> import cryptosyspki as pki
>>> # Create an enveloped CMS object (ktri type) to Bob using Bob's RSA key
>>> pki.Cms.make_envdata("cms2bob_aes128.p7m", "excontent.txt", "BobRSASignByCarl.cer", keyencralg=pki.Cms.KeyEncrAlg.RSA_OAEP)
1
>>> # Same but using authenticated encryption and creating an authEnvelopedData object
>>> pki.Cms.make_envdata("cms2bob_aes128auth.p7m", "excontent.txt", "BobRSASignByCarl.cer", pki.Cms.ContentEncrAlg.AES_128_GCM, pki.Cms.KeyEncrAlg.RSA_OAEP)
1
>>> # Create an enveloped CMS object (kari type) to Dana using Dana's ECC key
>>> pki.Cms.make_envdata("cms2dana_hkdf.p7m", "excontent.txt", "lamps-dana.encrypt.crt", pki.Cms.ContentEncrAlg.AES256, hashalg=pki.Hash.Alg.SHA256, kdfalg=pki.Kdf.KdfAlg.HKDF, keywrapalg=pki.Kdf.KeyWrapAlg.AES256_WRAP)
1
>>> # Create an enveloped CMS object (kekri type) using a previously distributed symmetric key-encryption key (KEK)
>>> pki.Cms.make_envdata("cms_envdata_kekri.p7m", "excontent.txt", "type=@kekri,keyid=ourcommonkey", pki.Cms.ContentEncrAlg.AES256, hashalg=pki.Hash.Alg.SHA256, keywrapalg=pki.Kdf.KeyWrapAlg.AES128_WRAP, keyString="#x0123456789ABCDEFF0E1D2C3B4A59687")
1
>>> # Create an enveloped CMS object (pwri type) using password-based key management
>>> pki.Cms.make_envdata("cms_envdata_pwri.p7m", "excontent.txt", "type=@pwri",  pki.Cms.ContentEncrAlg.AES192, keyString="password12345")
1
static make_envdata_from_bytes(outputfile, inputdata, certlist, cipheralg=0, keyencralg=0, hashalg=0, opts=0, kdfalg=0, keywrapalg=0, keyString='', count=0)

Create a CMS enveloped-data object [bytes --> file].

Same as Cms.make_envdata() except the input is from a byte array instead of a file.

Parameters:
  • outputfile (str) -- Output file to be created.

  • inputdata (bytes) -- Input data.

  • certlist (str) -- List of X509 certificate filename(s), separated by semicolons.

  • cipheralg (Cms.ContentEncrAlg) -- Content encryption algorithm [default=AES-128]

  • keyencralg (Cms.KeyEncrAlg) -- Key encryption algorithm [default=rsaEncryption]

  • hashalg (Hash.Alg) -- RSA-OAEP only: Encoding hash algorithm [default=SHA-1]

  • opts (Cms.EnvDataOpts) -- Option flags. Set as zero for defaults.

  • kdfalg (Kdf.KdfAlg) -- Key derivation function (KDF) for ECDH key agreement scheme [default=X9.63] or RSA-KEM [default=KDF3].

  • keywrapalg (Kdf.KeyWrapAlg) -- Key wrap algorithm for ECDH key agreement scheme [default=match content encryption]

  • keyString (str) -- Use to pass optional user key material (ukm) for ECDH key agreement scheme or RSA-KEM, or the key encryption key (KEK) for a kekri type, or the password for a pwri type. Either pass a plain ASCII string, e.g. "abc"; or use the format "#x<hex-digits>" to pass a string of arbitrary octet values, e.g. "#xdeadbeef" to pass the 4 bytes 0xde, 0xad, 0xbe, 0xef. Required for kekri and pwri types.

  • count (int) -- Use to pass the iteration count for a pwri type (default=4096) or tag length for AuthEnvelopedData (in range 12-16, default=16); otherwise ignored.

Returns:

Number of successful recipients or negative error code.

Return type:

int

static make_envdata_from_string(outputfile, inputdata, certlist, cipheralg=0, keyencralg=0, hashalg=0, opts=0, kdfalg=0, keywrapalg=0, keyString='', count=0)

Create a CMS enveloped-data object [string --> file].

Same as Cms.make_envdata() except the input is from a UTF-8 string instead of a file.

Parameters:
  • outputfile (str) -- Output file to be created

  • inputdata (str) -- Input data text

  • certlist (str) -- List of X509 certificate filename(s), separated by semicolons

  • cipheralg (Cms.ContentEncrAlg) -- Content encryption algorithm [default=AES-128]

  • keyencralg (Cms.KeyEncrAlg) -- Key encryption algorithm for key transport scheme (where applicable) [default=rsaEncryption]

  • hashalg (Hash.Alg) -- Hash algorithm where applicable [default=SHA-1; SHA-256 for RSA-KEM]

  • opts (Cms.EnvDataOpts) -- Advanced options. Set as zero for defaults.

  • kdfalg (Kdf.KdfAlg) -- Key derivation function (KDF) for ECDH key agreement scheme [default=X9.63] or RSA-KEM [default=KDF3].

  • keywrapalg (Kdf.KeyWrapAlg) -- Key wrap algorithm for ECDH key agreement scheme [default=match content encryption].

  • keyString (str) -- Use to pass optional user key material (ukm) for ECDH key agreement scheme or RSA-KEM, or the key encryption key (KEK) for a kekri type, or the password for a pwri type. Either pass a plain ASCII string, e.g. "abc"; or use the format "#x<hex-digits>" to pass a string of arbitrary octet values, e.g. "#xdeadbeef" to pass the 4 bytes 0xde, 0xad, 0xbe, 0xef. Required for kekri and pwri types.

  • count (int) -- Use to pass the iteration count for a pwri type (default=4096) or tag length for AuthEnvelopedData (in range 12-16, default=16); otherwise ignored.

Returns:

Number of successful recipients or negative error code.

Return type:

int

static make_sigdata(outputfile, inputfile, certlist, prikeystr, sigalg=0, opts=0, bigfile=False)

Create a CMS signed-data object from a data file using user's private key [file --> file].

Parameters:
  • outputfile (str) -- name of output file to be created

  • inputfile (str) -- name of file containing message data to be signed

  • certlist (str) -- containing the filename of the signer's certificate and (optionally) a list of other certificates to be included in the output, separated by semicolons ";"

  • prikeystr (str) -- Internal representation of private key for the sender

  • sigalg (Cms.SigAlg) -- Signature algorithm [default=rsa-sha1]

  • opts (Cms.SigDataOpts) -- Advanced option flags.

  • bigfile (bool) -- Set True for faster handling of a large input file (binary-to-binary only).

Returns:

Zero if successful.

Return type:

int

static make_sigdata_from_bytes(outputfile, inputdata, certlist, prikeystr, sigalg=0, opts=0)

Create a CMS signed-data object from data using user's private key [bytes --> file].

Parameters:
  • outputfile (str) -- name of output file to be created

  • inputdata (bytes) -- message data to be signed

  • certlist (str) -- containing the filename of the signer's certificate and (optionally) a list of other certificates to be included in the output, separated by semicolons (;)

  • prikeystr (str) -- Internal representation of private key for the sender

  • sigalg (Cms.SigAlg) -- Signature algorithm [default=rsa-sha1]

  • opts (Cms.SigDataOpts) -- Advanced option flags.

Returns:

Zero if successful.

Return type:

int

static make_sigdata_from_pseudo(outputfile, inputfile, sigvalue, opts=0)

Create a SignedData object from a "pseudo" object.

Parameters:
  • outputfile (str) -- name of output file to be created

  • inputfile (str) -- input "pseudo" file with dummy placeholder.

  • sigvalue (bytes) -- Signature value computed by external service.

  • opts (Cms.SigDataOpts) -- Advanced option flags.

Returns:

Zero if successful.

Return type:

int

Remarks:

RSASSA-PKCS1V1_5 only.

static make_sigdata_from_sigvalue(outputfile, sigvalue, data, certlist, sigalg=0, opts=0)

Create a CMS object of type SignedData using a pre-computed signature value [bytes --> file].

Parameters:
  • outputfile (str) -- name of output file to be created

  • sigvalue (bytes) -- signature value

  • data (bytes) -- string containing content data that has been signed

  • certlist (str) -- containing the filename of the signer's certificate and (optionally) a list of other certificates to be included in the output, separated by semicolons (;)

  • sigalg (Cms.SigAlg) -- Signature algorithm [default=rsa-sha1]. RSA-PKCS1V1_5 only.

  • opts (Cms.SigDataOpts) -- Advanced option flags.

Returns:

Zero if successful.

Return type:

int

Remarks:

Only RSASSA-PKCS1V1_5 is supported. Using RSA-PSS will raise an exception.

static make_sigdata_from_string(outputfile, inputstr, certlist, prikeystr, sigalg=0, opts=0)

Create a CMS signed-data object from a string using user's private key [string --> file].

Parameters:
  • outputfile (str) -- name of output file to be created

  • inputstr (str) -- string containing message data to be signed

  • certlist (str) -- containing the filename of the signer's certificate and (optionally) a list of other certificates to be included in the output, separated by semicolons ";"

  • prikeystr (str) -- Internal representation of private key for the sender

  • sigalg (Cms.SigAlg) -- Signature algorithm [default=rsa-sha1]

  • opts (Cms.SigDataOpts) -- Advanced option flags.

Returns:

Zero if successful.

Return type:

int

static query_envdata(cmsfile, query)

Query a CMS enveloped-data object file for selected information. May return an integer or a string.

Parameters:
  • cmsfile (str) -- file containing CMS enveloped-data object (or its base64 or PEM representation)

  • query (str) --

    Query string (case-insensitive). Valid queries are:

    • "version" -- envelopedData CMSVersion value, e.g. 0.

    • "recipientInfoVersion" -- recipientInfo version (riVer) value.

    • "recipientInfoType" -- Type of recipientInfo, e.g. ktri, kari, etc.

    • "CountOfRecipientInfos" -- Number of RecipientInfos included in the data.

    • "recipientIssuerName" -- Distinguished Name of recipient's certificate issuer.

    • "recipientSerialNumber" -- serialNumber of recipient's certificate in hex format

    • "keyEncryptionAlgorithm" -- keyEncryptionAlgorithm, e.g. "rsaEncryption".

    • "keyEncryptionFlags" -- Bit flags used for the key encryption algorithm.

    • "SizeOfEncryptedKey" -- Size (in bytes) of the EncryptedKey.

    • "encryptedKey" -- EncryptedKey value encoded in hex.

    • "oaepParams" -- Parameters used for RSA-OAEP (if applicable).

    • "kemParams" -- Parameters used for RSA-KEM (if applicable).

    • "keyWrapAlgorithm" -- Key wrap algorithm, e.g. "aes128-wrap" (kari and kekri only).

    • "originatorKeyAlgorithm" -- OriginatorPublicKey algorithm, e.g. "ecPublicKey" (kari only).

    • "originatorPublicKey" -- OriginatorPublicKey publicKey value encoded in hex (kari only).

    • "keyid" -- keyIdentifier for KEKRecipientInfo (kekri) type.

    • "ukm" -- User Keying Material (if applicable).

    • "contentEncryptionAlgorithm" -- contentEncryptionAlgorithm, e.g. "des-EDE3-CBC".

    • "SizeOfEncryptedContent" -- Size (in bytes) of the EncryptedContent.

    • "encryptedContent" -- EncryptedContent encoded in hex.

    • "iv" -- Initialization vector encoded in hex.

    • "HASsubjectKeyIdentifier" -- 1 if signerIdentifier is the CHOICE subjectKeyIdentifier; 0 if issuerAndSerialNumber.

    • "recipientIdentifier" -- recipientIdentifier value encoded in hex.

    By default, the function queries the first recipientInfo in the file. To query the Nth recipientInfo append "/N" to the query string, e.g. "recipientInfoVersion/2" to find the version number of the second recipientInfo in the file.

Returns:

Result of query if found or an empty string if not found.
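
Added example (not from the library's documentation): auditing a received enveloped-data file by walking every recipientInfo with the "/N" suffix described above. `audit_envdata`, `fake_query` and `SAMPLE` are hypothetical names; the policy (flag Triple DES content encryption and RSAES-PKCS-v1_5 key transport) is an assumption, and the sample answers are constructed so the block runs without the library. In real use pass `cryptosyspki.Cms.query_envdata` as `query`.

```python
def audit_envdata(cmsfile, query):
    """Return a list of policy findings for one enveloped-data file.

    query is any callable with the signature query(cmsfile, query_string),
    matching Cms.query_envdata, which may return an int or a str and
    returns an empty string when the item is not found.
    """
    findings = []

    # File-level item: the content encryption algorithm.
    content_alg = str(query(cmsfile, "contentEncryptionAlgorithm"))
    if "des" in content_alg.lower():
        findings.append("content encrypted with legacy cipher " + content_alg)

    # An empty string (not found) is treated as zero recipients.
    count = int(query(cmsfile, "CountOfRecipientInfos") or 0)
    if count == 0:
        findings.append("no recipientInfo found")

    for n in range(1, count + 1):
        # The first recipientInfo is the documented default; later ones
        # are addressed by appending "/N" to the query string.
        suffix = "" if n == 1 else "/%d" % n
        ri_type = str(query(cmsfile, "recipientInfoType" + suffix))
        key_alg = str(query(cmsfile, "keyEncryptionAlgorithm" + suffix))
        if key_alg == "rsaEncryption":
            findings.append(
                "recipient %d (%s): key wrapped with RSAES-PKCS-v1_5 (rsaEncryption)"
                % (n, ri_type)
            )
    return findings


# Constructed sample answers standing in for a real file. The strings
# "des-EDE3-CBC", "rsaEncryption" and "ktri" appear on this page;
# "oaep-placeholder" is a made-up value, not the library's actual output.
SAMPLE = {
    "contentencryptionalgorithm": "des-EDE3-CBC",
    "countofrecipientinfos": 2,
    "recipientinfotype": "ktri",
    "keyencryptionalgorithm": "rsaEncryption",
    "recipientinfotype/2": "ktri",
    "keyencryptionalgorithm/2": "oaep-placeholder",
}


def fake_query(cmsfile, query):
    """Stand-in for Cms.query_envdata: case-insensitive, '' if not found."""
    return SAMPLE.get(query.lower(), "")


if __name__ == "__main__":
    for finding in audit_envdata("constructed-sample.p7m", fake_query):
        print(finding)
```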

static query_sigdata(cmsfile, query)

Query a CMS signed-data object file for selected information. May return an integer or a string.

Parameters:
  • cmsfile (str) -- file containing CMS signed-data object

  • query (str) --

    Query string (case-insensitive). Valid queries are:

    • "version" -- signedData version (sdVer) value, e.g. 1.

    • "eContentType" -- ContentType of the EncapsulatedContentInfo, e.g. "data".

    • "HASeContent" -- 1 if eContent is present; 0 if not.

    • "CountOfCertificates" -- Number of certificates included in the data.

    • "CountOfSignerInfos" -- Number of SignerInfos included in the data.

    • "CountOfDigestAlgs" -- Number of DigestAlgorithmIdentifiers in the SignedData.

    • "certificate/N" -- Nth certificate encoded in base64.

    • "signerInfoVersion" -- signerInfo version (siVer) value.

    • "digestAlgorithm" -- digestAlgorithm, e.g. "sha1".

    • "signatureAlgorithm" -- signatureAlgorithm, e.g. "rsaEncryption".

    • "signatureValue" -- Signature value encoded in hex.

    • "HASsignedAttributes" -- 1 if signedAttributes (authenticatedAttributes) are present; 0 if not.

    • "DigestOfSignedAttrs" -- Computed digest over signed attributes, if present, using digestAlgorithm.

    • "DigestOfeContent" -- Computed digest over eContent, if present, using digestAlgorithm.

    • "signingTime" -- signingTime attribute in format "2005-12-31 23:30:59".

    • "messageDigest" -- messageDigest attribute in hexadecimal format, if present.

    • "pssParams" -- parameters used for RSA-PSS (if applicable).

    • "HASsigningCertificate" -- 1 if an ESS signingCertificate is present; 0 if not.

    • "signingCertHash" -- certHash value of ESS signing certificate, if present, encoded in hex.

    • "HASalgorithmProtection" -- 1 if a cmsAlgorithmProtection attribute is present; 0 if not.

    • "HASsubjectKeyIdentifier" -- 1 if signerIdentifier is the CHOICE subjectKeyIdentifier; 0 if issuerAndSerialNumber.

    • "signerIdentifier" -- signerIdentifier value encoded in hex.

    By default, the function queries the first signerInfo in the file. To query the Nth signerInfo append "/N" to the query string, e.g. "signerInfoVersion/2" to find the version number of the second signerInfo in the file.

Returns:

Result of query or an empty string if not found.

static read_comprdata(outputfile, inputfile, opts=0)

Read and extract the decompressed contents of a CMS compressed-data file [binary file --> binary file].

Parameters:
  • outputfile (str) -- Output file to be created

  • inputfile (str) -- Input data file

  • opts (Cms.ComprDataOpts) -- Options [default=inflate contents]

Returns:

If successful the return value is the number of bytes in the output file.

Return type:

int

static read_envdata_to_bytes(inputfile, prikeystr, certfile='')

Read and decrypt CMS enveloped-data object using the recipient's private key [file --> bytes].

Parameters:
  • inputfile (str) -- File that contains the CMS-enveloped data

  • prikeystr (str) -- Internal representation of private key

  • certfile (str) -- (optional) specifies the filename of the recipient's X.509 certificate

Returns:

Message data.

Return type:

bytes

static read_envdata_to_file(outputfile, inputfile, prikeystr, certfile='', bigfile=False)

Read and decrypt CMS enveloped-data object using the recipient's private key. [file --> file]

Parameters:
  • outputfile (str) -- Name of output file to be created

  • inputfile (str) -- File that contains the CMS-enveloped data

  • prikeystr (str) -- Internal representation of private key

  • certfile (str) -- (optional) specifies the filename of the recipient's X.509 certificate

  • bigfile (bool) -- Set True for faster handling of a large input file (binary-to-binary only).

Returns:

Zero if successful.

Return type:

int

static read_envdata_to_string(inputfile, prikeystr, certfile='')

Read and decrypt CMS enveloped-data object using the recipient's private key [file --> string] (expects output to be UTF-8-encoded text).

Parameters:
  • inputfile (str) -- File that contains the CMS-enveloped data

  • prikeystr (str) -- Internal representation of private key

  • certfile (str) -- (optional) specifies the filename of the recipient's X.509 certificate

Returns:

Message text.

Return type:

str

static read_sigdata_to_bytes(inputfile)

Read the content from a CMS signed-data object file into bytes. [file --> bytes]

Parameters:

inputfile (str) -- file containing CMS signed-data object.

Returns:

Content data.

Return type:

bytes

static read_sigdata_to_file(outputfile, inputfile, bigfile=False)

Read the content from a CMS signed-data object file [file --> file].

Parameters:
  • outputfile (str) -- file to receive content

  • inputfile (str) -- file containing CMS signed-data object

  • bigfile (bool) -- Set True for faster handling of a large input file (binary-to-binary only).

Returns:

If successful, a positive number indicating the number of bytes in the content.

Return type:

int

static read_sigdata_to_string(inputfile)

Read the content from a CMS signed-data object file directly into a string [file --> string] (expects output to be UTF-8-encoded text).

Parameters:

inputfile (str) -- file containing CMS signed-data object.

Returns:

String containing the content.

Return type:

str

static verify_sigdata(sigdatafile, certfile='', hexdigest='', bigfile=False)

Verify the signature and content of a signed-data CMS object file.

Parameters:
  • sigdatafile (str) -- file containing CMS signed-data object

  • certfile (str) -- an (optional) X.509 certificate file of the signer

  • hexdigest (str) -- (optional) digest of eContent to be verified (use for "detached-signature" form)

  • bigfile (bool) -- Set True for faster handling of a large input file.

Returns:

True if successfully verified or False if signature is invalid.

Return type:

bool

Raises:

PKIError -- If file is missing or corrupt, or parameters are bad, etc.