verify singed data (with pkcs7 standard)

[gadididi]

Hi everyone!
I have a message that i signed with pkcs7/cms format.
i read in Doc and i used:

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.serialization import pkcs7
cert = x509.load_pem_x509_certificate(ca_cert)
key = serialization.load_pem_private_key(ca_key, None)
options = [pkcs7.PKCS7Options.DetachedSignature]
pkcs7.PKCS7SignatureBuilder().set_data(
    b"data to sign"
).add_signer(
    cert, key, hashes.SHA256()
).sign(
    serialization.Encoding.DER, options
)
b'...'

i created .cms file and i can parse it by openssl command line.

Now, i want to verify the signature. i extract the signature from the cms file (by asn1crypyo lib)
i saw this:

public_key = private_key.public_key()
public_key.verify(
    signature,
    message,
    padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    ),
    hashes.SHA256()
)

but i cant verify .. thow exception that the signature is invalid..
i succeed to run opemssl command:
"openssl cms -verify -inform DER -in file.cms -content text.txt -certfile file.cert.pem -noverify"

someone can help me how to verify this?

[tiran]

Most legacy protocols use PKCS#1 v1.5 with RSA keys. Please try again with padding.PKCS1v15.

[gadididi]

Most legacy protocols use PKCS#1 v1.5 with RSA keys. Please try again with padding.PKCS1v15.

public_key = private_key.public_key()
public_key.verify(
    signature,
    message,
    padding=padding.PKCS1v15(),
    hashes.SHA256()
)

i did it but same error.. Invalid signature ..

[tiran]

Sorry, I just noticed that you are doing PKCS#7. I should have read your code more carefully.

PyCA cryptography has no public PKCS#7 verification API yet. There is only an internal helper for unit tests at

cryptography/tests/hazmat/primitives/test_pkcs7.py

Lines 81 to 84 in 1d996e5

	# We have no public verification API and won't be adding one until we get
	# some requirements from users so this function exists to give us basic
	# verification for the signing tests.
	def _pkcs7_verify(encoding, sig, msg, certs, options, backend):

[gadididi]

Sorry, I just noticed that you are doing PKCS#7. I should have read your code more carefully.

PyCA cryptography has no public PKCS#7 verification API yet. There is only an internal helper for unit tests at

cryptography/tests/hazmat/primitives/test_pkcs7.py

Lines 81 to 84 in 1d996e5

	# We have no public verification API and won't be adding one until we get
	# some requirements from users so this function exists to give us basic
	# verification for the signing tests.
	def _pkcs7_verify(encoding, sig, msg, certs, options, backend):

thank you!
it verify great for me!

[reaperhulk]

Be aware that is not public API. Closing in favor if #5471. We do need users to articulate exactly what they need out of a PKCS7 verification API before we can build it though.