This is the rough equivalent of
openssl smime -sign
-signer cert.crt
-inkey cert.key
-certfile intermediate.pem
-nodetach
-outform der
-in mdm.mobileconfig
-out mdm-signed.mobileconfig
sign(
data=b'abc123',
certificate=cryptography.x509.load_pem_x509_certificate(...)
ca=[
cryptography.x509.load_pem_x509_certificate(...) for .. in ...
]
key=cryptography.hazmat.primitives.serialization.load_pem_private_key(...)
)| # -*- coding: utf-8 -*- | |
| import typing | |
| import cryptography | |
| def sign( | |
| data: bytes, | |
| certificate: cryptography.x509.Certificate, | |
| key: cryptography.hazmat.primitives.serialization.base._PRIVATE_KEY_TYPES, | |
| certificate_authorities: list[cryptography.x509.Certificate]=None, | |
| hash_algorithm: cryptography.hazmat.primitives.serialization.pkcs7._ALLOWED_PKCS7_HASH_TYPES=cryptography.hazmat.primitives.hashes.SHA512(), | |
| encoding: cryptography.hazmat.primitives.serialization.Encoding=cryptography.hazmat.primitives.serialization.Encoding.DER, | |
| ) -> bytes: | |
| return cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder( | |
| data=data, | |
| signers=[ | |
| (certificate, key, hash_algorithm), | |
| ], | |
| additional_certs=certificate_authorities or [], | |
| ).sign( | |
| encoding, [], | |
| ) |