使用pyopenssl验证签名 [英] Verify signature with pyopenssl
问题描述
我相信,由于此问题,pyOpenSSL已开始支持签名验证(自 pyOpenSSL 0.11 .
I believe that since this question, pyOpenSSL has started supporting the verification of signatures (as of pyOpenSSL 0.11.
我正在研究一个由其他人使用 M2Crypto 启动的项目.将M2Crypto包含在 Heroku 之类的平台上确实很痛苦,因为它需要使用
I am working on a project which was started by someone else using M2Crypto. M2Crypto is really painful to include on platforms such as Heroku as it requires the use of SWIG. Consequently I am trying to remove the dependency on M2Crypto and replace with pyOpenSSL which is easy to install via Pip, and doesn't require custom buildpacks and more which SWIG-related things do.
我遇到的问题是替换一些代码:
The issue I'm having is replacing a bit of code:
key = cert.get_pubkey() # Cert is an M2Crypto X509 object
key = key.get_rsa()
ret = key.verify(hashed, self.sig)
if ret != 1:
# Cert invalid ... etc.
理想情况下,我想通过pyOpenSSL实现相同的功能,但感觉到我可能遇到了错误的结局-我尝试使用:
Ideally I'd like to implement the same functionality via pyOpenSSL, but feel I might have got the wrong end of the stick - I've tried using:
crypto.verify(cert, self.sig, hashed, 'sha1')
但这失败-
[('rsa routines', 'RSA_verify', 'bad signature')]
我无法弄清楚它是否失败,因为签名实际上是错误的,还是因为我提供的crypto.verify值实际上不是它应该用于的值!
I can't work out whether it is failing because the signature is actually bad, or because the values I'm providing crypto.verify are actually not what it is supposed to be used for!
我一直在使用的原始代码是此处,并且需要很多整理工作,但尝试在完全重构之前一次替换功能.任何指针将不胜感激! pyOpenSSL是否可以在此处替换M2Crypto功能,我是否正在以正确的方式进行操作?
The original code I've been playing with is here and needs quite a bit of work to tidy up, but was trying to do it one step at a time replacing functionality before a total refactoring. Any pointers would be much appreciated! Does pyOpenSSL have the capability to replace the M2Crypto functionality here, and am I going about it the right way?
推荐答案
So the answer comes from reading a bit more of the source of pyOpenSSL, with a pointer from exarkun. pyOpenSSL can indeed replace the M2Crypto dependency here, with very minor changes to the underlying code.
crypto.verify()函数的单元测试此处显示接听电话:
The unittest for the crypto.verify() function here shows the call taking:
verify(good_cert, sig, content, digest)
因此,我上面的代码有错误:
Consequently there was an error in my above code:
crypto.verify(cert, self.sig, hashed, 'sha1')
在将签名应用于原始数据字符串时,应该只采用数据"而不是哈希值:
Which should have simply taken 'data', rather than hashed, as the signature was applied to the raw data string:
# N.B. cert = X509 object (from crypto.load_certificate())
crypto.verify(cert, self.sig, data, 'sha1')
此行为似乎与M2Crypto的verify行为不同,后者使用散列数据字符串执行其验证.请注意,我还没有对M2Crypto的功能进行特别深入的研究以弄清楚发生了什么.
This behaviour appears different to that of M2Crypto's verify which takes the hashed data string to perform its verification. Note I haven't dug particularly deep into M2Crypto's functions to work out what is going on.
感谢 exarkun 对
Thanks to exarkun for his response on the pyOpenSSL mailing list which pointed me to the error being in my call to verify(), rather than my understanding of what verify() was doing.
这篇关于使用pyopenssl验证签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
