From: <ex...@tw...> - 2012-08-31 13:50:20
On 30 Aug, 04:46 pm, jam...@jv... wrote:
>Hi,
>
>I believe that as of 0.11, pyOpenSSL has started supporting the
>verification of signatures. I am working on a project which was
>started by someone else using M2Crypto. M2Crypto is really painful to
>include on platforms such as Heroku as it requires the use of SWIG.
>Consequently I am trying to remove the dependency on M2Crypto and
>replace with pyOpenSSL which is easy to install via Pip, and doesn't
>require custom buildpacks and more which SWIG-related things do.
>
>The link to the original code is
>[here](https://github.com/pyroven/django-pyroven) and requires a
>reasonably significant refactoring, as it falls a long way from 12
>Factor App ideals. However, I wanted to know whether I was on the
>right track for replacing the M2Crypto functions, which at present
>consist:
>
>key = cert.get_pubkey() # Cert is an M2Crypto X509 object
>key = key.get_rsa()
>ret = key.verify(hashed, self.sig)
>if ret != 1:
>    # Cert invalid ... etc.
>
>I tried to replace this with:
>
>crypto.verify(cert, self.sig, hashed, 'sha1') # cert X509 object from crypto.load_certificate()
>
>Which I had assumed was roughly equivalent to the above, but I wonder
>whether I got the wrong end of the stick having read through the
>source as to what crypto.verify was actually doing.
>
>At the present time I end up with the Exception:
>
>[('rsa routines', 'RSA_verify', 'bad signature')]
>
>Which is difficult to tell whether the code is right and the
>hash/verification is correctly failing, or whether I'm actually doing
>something which is fundamentally incorrect.

Hi James,

Consider the unit test for OpenSSL.crypto.verify (which passes on my system):

http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/test/test_crypto.py#L2750

(Sorry about the broken URL :/)

It looks like you're doing roughly the right thing, at least as far as pyOpenSSL is concerned.

Unrelatedly, I'm copying pyo...@li... on my reply, as I'd prefer to switch pyOpenSSL completely off of sourceforge at some point.

>Thanks for your help!
>
>J
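A likely cause of the 'bad signature' error in this thread, as an added example (not code from either poster or from pyOpenSSL): M2Crypto's RSA verify checks a digest the caller has already computed, while pyOpenSSL's crypto.verify hashes its data argument itself, so passing `hashed` makes it check the SHA-1 of a SHA-1. Assumptions: `hashed` is the SHA-1 digest of the signed data; the toy RSA key, the helper names and the sample message are constructed for the demonstration and stand in for the real libraries.

```python
import hashlib

# Constructed demo key built from two well-known primes; never use it for real data.
P = 2**255 - 19
Q = 2**256 - 2**32 - 977
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15(digest: bytes) -> int:
    """Pad an already computed SHA-1 digest into the integer RSA operates on."""
    t = SHA1_PREFIX + digest
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign_digest(digest: bytes) -> bytes:
    """Digest-level signing: the caller hashes first."""
    return pow(emsa_pkcs1_v15(digest), D, N).to_bytes(K, "big")


def verify_digest(digest: bytes, sig: bytes) -> bool:
    """Digest-level verify (M2Crypto style): uses the digest exactly as given."""
    return pow(int.from_bytes(sig, "big"), E, N) == emsa_pkcs1_v15(digest)


def verify_data(data: bytes, sig: bytes) -> bool:
    """Data-level verify (crypto.verify style): hashes `data`, then checks."""
    return verify_digest(hashlib.sha1(data).digest(), sig)


def demo():
    data = b"constructed response body"      # constructed sample message
    hashed = hashlib.sha1(data).digest()
    sig = sign_digest(hashed)
    return (
        verify_digest(hashed, sig),   # digest API given the digest
        verify_data(data, sig),       # data API given the raw data
        verify_data(hashed, sig),     # data API given the digest: double hash
    )


if __name__ == "__main__":
    print(demo())
```

With a data-level API, the value to pass is the original signed bytes, not their digest.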