All geek questions in one place

Verify signature with pyopenssl

I believe that with this question pyOpenSSL started supporting signature verification (from pyOpenSSL 0.11 .

I am working on a project that was launched by someone else using M2Crypto . It really hurts to enable M2Crypto on platforms like Heroku , since it requires the use of SWIG . Therefore, I am trying to remove the dependency on M2Crypto and replace pyOpenSSL, which is easy to install via Pip, and does not require custom buildpacks and more than that associated with SWIG.

The problem I ran into is replacing the code:

key = cert.get_pubkey() # Cert is an M2Crypto X509 object key = key.get_rsa() ret = key.verify(hashed, self.sig) if ret != 1: # Cert invalid ... etc.

Ideally, I would like to implement the same functionality through pyOpenSSL, but I feel that I may have had the wrong end of the stick - I tried using:

 crypto.verify(cert, self.sig, hashed, 'sha1')

But it fails -

 [('rsa routines', 'RSA_verify', 'bad signature')]

I canโ€™t understand if this is due to a failure, because the signature is really bad, or because the values โ€‹โ€‹I provide crypto.verify are not really for use!

The source code that I played with here is quite a bit of work to tidy up, but I tried to do it step by step, replacing the functionality to complete refactoring. Any pointers would be much appreciated! Does pyOpenSSL have the ability to replace the M2Crypto functionality here, and will I do it right?

+6
source share
1 answer

So the answer comes from reading a little more source pyOpenSSL with an exarkun pointer. pyOpenSSL can indeed replace the M2Crypto dependency here, with very minor changes to the base code.

Unittest for the crypto.verify () function here shows the call:

 verify(good_cert, sig, content, digest)

Therefore, there was an error in my code above:

 crypto.verify(cert, self.sig, hashed, 'sha1')

Which should have just taken the โ€œdataโ€ and not hashed it, since the signature was applied to the original data string:

 # NB cert = X509 object (from crypto.load_certificate()) crypto.verify(cert, self.sig, data, 'sha1')

This behavior is different from the M2Crypto behavior, which executes a hashed data string to perform validation. Note. I didnโ€™t dig very deep into the M2Crypto functions to work out what was going on.

Thanks to exarkun for his tip on the pyOpenSSL mailing list , which pointed me to an error being in my verify () call, and not in my understanding of what check () does.

+7
source

Source: https://habr.com/ru/post/923893/

More articles:


All Articles