[pyOpenSSL] Verification of SSL Signature

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Fri Aug 31 15:49:57 CEST 2012


On 30 Aug, 04:46 pm, james+pyopenssl at jvc26.org wrote:
>Hi,
>
>I believe that as of 0.11, pyOpenSSL has started supporting the
>verification of signatures. I am working on a project which was
>started by someone else using M2Crypto. M2Crypto is really painful to
>include on platforms such as Heroku as it requires the use of SWIG.
>Consequently I am trying to remove the dependency on M2Crypto and
>replace with pyOpenSSL which is easy to install via Pip, and doesn't
>require custom buildpacks and more which SWIG-related things do.
>
>The link to the original code is
>[here](https://github.com/pyroven/django-pyroven) and requires a
>reasonably significant refactoring, as it falls a long way from 12
>Factor App ideals. However, I wanted to know whether I was on the
>right track for replacing the M2Crypto functions, which at present
>consist of:
>
>key = cert.get_pubkey() # Cert is an M2Crypto X509 object
>key = key.get_rsa()
>ret = key.verify(hashed, self.sig)
>if ret != 1:
>    # Cert invalid ... etc.
>
>I tried to replace this with:
>
># cert: X509 object from crypto.load_certificate()
>crypto.verify(cert, self.sig, hashed, 'sha1')
>
>Which I had assumed was roughly equivalent to the above, but I wonder
>whether I got the wrong end of the stick having read through the
>source as to what crypto.verify was actually doing.
>
>At the present time I end up with the Exception:
>
>[('rsa routines', 'RSA_verify', 'bad signature')]
>
>Which is difficult to tell whether the code is right and the
>hash/verification is correctly failing, or whether I'm actually doing
>something which is fundamentally incorrect.

Hi James,

Consider the unit test for OpenSSL.crypto.verify (which passes on my 
system):

http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/test/test_crypto.py#L2750

(Sorry about the broken URL :/)

It looks like you're doing roughly the right thing, at least as far as 
pyOpenSSL is concerned.

Unrelatedly, I'm copying pyopenssl-users at lists.launchpad.net on my 
reply, as I'd prefer to switch pyOpenSSL completely off of sourceforge 
at some point.
>Thanks for your help!
>
>J
>
>------------------------------------------------------------------------------
>Live Security Virtual Conference
>Exclusive live event will cover all the ways today's security and
>threat landscape has changed and how IT managers can respond. 
>Discussions
>will include endpoint security, mobile security and the latest in 
>malware
>threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>_______________________________________________
>pyopenssl-list mailing list
>pyopenssl-list at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/pyopenssl-list
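As an added example (not code from this thread, from M2Crypto or from pyOpenSSL), the two verification conventions side by side, written against the `cryptography` package so they can be compared in one place: M2Crypto's `RSA.verify(hashed, sig)` takes the digest and calls RSA_verify on it, while `OpenSSL.crypto.verify(cert, sig, data, digest)` takes the original data and hashes it internally, so handing it the already-hashed value hashes twice and produces exactly the `'bad signature'` error quoted above. The sample message, the `demo()` helper and the use of SHA-256 in place of the thread's `'sha1'` are this example's own choices.

```python
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.asymmetric.utils import Prehashed


def verify_m2crypto_style(pub, digest: bytes, sig: bytes) -> bool:
    """Mirror of M2Crypto RSA.verify(digest, sig, algo): the caller supplies
    the DIGEST and the library only runs RSA_verify (PKCS#1 v1.5) over it."""
    try:
        pub.verify(sig, digest, padding.PKCS1v15(), Prehashed(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def verify_pyopenssl_style(pub, data: bytes, sig: bytes) -> bool:
    """Mirror of OpenSSL.crypto.verify(cert, sig, data, digest): the caller
    supplies the raw DATA and the library hashes it before RSA_verify."""
    try:
        pub.verify(sig, data, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo() -> dict:
    """Constructed sample: one key, one message, one signature, four checks."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    data = b"constructed sample: the bytes the signer actually signed"
    hashed = hashlib.sha256(data).digest()  # what the M2Crypto code calls `hashed`
    # The signer hashes the data and applies PKCS#1 v1.5, as both libraries do.
    sig = key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    return {
        # M2Crypto convention: digest in, signature verifies.
        "m2crypto_with_digest": verify_m2crypto_style(pub, hashed, sig),
        # pyOpenSSL convention: original data in, signature verifies.
        "pyopenssl_with_data": verify_pyopenssl_style(pub, data, sig),
        # The migration mistake: digest passed where data is expected, so the
        # value is hashed a second time and verification fails ('bad signature').
        "pyopenssl_with_digest": verify_pyopenssl_style(pub, hashed, sig),
        # Sanity check that a modified message is rejected as well.
        "tampered_data": verify_pyopenssl_style(pub, data + b"!", sig),
    }
```

The fix for the quoted code is therefore to pass the original message to `crypto.verify` instead of `hashed`, and to treat `crypto.Error` as the failure signal rather than a return value of 1.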