From clark_mdp at 163.com Sun Sep 8 01:01:49 2019
From: clark_mdp at 163.com (弥大鹏)
Date: Sun, 8 Sep 2019 13:01:49 +0800 (CST)
Subject: [Cryptography-dev] Does cryptography support openssl smime signature verification?
Message-ID: <742563c1.44de.16d0f3fe9d1.Coremail.clark_mdp@163.com>

Hi Cryptography Developers,

I'm a fresher for the cryptography module. Currently I'm seeking a Python module to implement the same function as the following openssl commands.

sha512sum clear-installer.img.xz > sha512sum.out
openssl smime -verify -purpose any -in clear-installer.img.xz-SHA512SUMS.sig -inform der -content sha512sum.out -CAfile ClearLinuxRoot.pem

The "ClearLinuxRoot.pem" is an X509 certificate and these commands would verify if the signature SHA512SUMS.sig is valid.

I referred to the documents of the cryptography module and tried to use cryptography to implement this function, as the following script "verify.py" shows.

#!/usr/bin/env python2
import sys

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import utils

if len(sys.argv) != 4:
    print('USAGE: verify.py pem message signature')
    sys.exit(2)

pemfile = sys.argv[1]
messagefile = sys.argv[2]
sigfile = sys.argv[3]

with open(pemfile) as f:
    cert = x509.load_pem_x509_certificate(f.read(), default_backend())
pubkey = cert.public_key()

with open(messagefile, 'rb') as m:
    message = m.read()

with open(sigfile, 'rb') as s:
    signature = s.read()

try:
    pubkey.verify(
        signature,
        message,
        padding.PSS(
            mgf=padding.MGF1(hashes.SHA512()),
            salt_length=padding.PSS.MAX_LENGTH),
        hashes.SHA512())
    print('valid!')
    sys.exit(0)
except InvalidSignature:
    print('invalid!')
    sys.exit(1)

I run the command "./verify.py ClearLinuxRoot.pem clear-installer.img.xz clear-installer.img.xz-SHA512SUMS.sig", but the output of this code is always "invalid". I'm not sure if I wrote the code correctly, or if cryptography doesn't support smime.

Could you please kindly provide some information on this? Thanks a lot!

Dapeng Mi

From midhila.mohan1808 at gmail.com Mon Sep 16 06:02:20 2019
From: midhila.mohan1808 at gmail.com (Midhila Mohan)
Date: Mon, 16 Sep 2019 12:02:20 +0200
Subject: [Cryptography-dev] Support for PARTIAL_CHAIN verify flag in pyOpenSSL 19.0.0
Message-ID:

Hi,

I'm using pyOpenSSL 19.0.0, which uses OpenSSL 1.1.1. For my use case, I want to use the X509_V_FLAG_PARTIAL_CHAIN flag documented in https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html .

It seems like the X509StoreFlags constants in pyOpenSSL have no support for the partial_chain verify flag: https://www.pyopenssl.org/en/stable/api/crypto.html#x509storeflags-constants .

Please suggest an alternate way to make this work.

Best Regards,
Midhila
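
Relating to the first message above (S/MIME verification): the file that `openssl smime -verify -inform der` reads is a DER-encoded PKCS#7/CMS structure rather than a bare RSA signature, so it helps to check what a `.sig` file actually contains before choosing a verification API. The following is an added example, not part of either message and not code from the cryptography project; the function names and the sample bytes are constructed for illustration.

```python
# Added example (not from the thread): tell a DER PKCS#7/CMS SignedData file
# apart from a bare signature blob. Names and sample bytes are constructed.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                     # short form: length fits in one byte
        length = first
    else:                                # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, pos, pos + length

def classify_signature(blob):
    """Return 'cms-signed-data' for ContentInfo(signedData), else 'raw-or-unknown'."""
    try:
        tag, start, end = read_tlv(blob)
        if tag != 0x30 or end != len(blob):   # outer SEQUENCE must span the file
            return "raw-or-unknown"
        tag, oid_start, oid_end = read_tlv(blob, start)
        if tag == 0x06 and blob[oid_start:oid_end] == OID_SIGNED_DATA:
            return "cms-signed-data"
    except ValueError:
        pass
    return "raw-or-unknown"

# Constructed sample: ContentInfo { signedData OID, [0] { empty SEQUENCE } }.
SAMPLE_CMS = bytes.fromhex("300f0609") + OID_SIGNED_DATA + bytes.fromhex("a0023000")
# Constructed sample: 256 filler bytes standing in for a bare RSA-2048 signature.
SAMPLE_RAW = b"\x5a" * 256

if __name__ == "__main__":
    for name, blob in (("cms", SAMPLE_CMS), ("raw", SAMPLE_RAW)):
        print(name, "->", classify_signature(blob))
```

A file classified as `cms-signed-data` carries signer information and signed attributes inside the structure, so it has to go through a PKCS#7/CMS verification routine with the detached content, not be passed whole to a raw public-key `verify()` call.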