From: James C. <jam...@jv...> - 2012-09-02 06:50:18
Thanks for your help, consider this problem resolved. Cheers for the pointer to the unit tests!

J

On Fri, Aug 31, 2012 at 2:49 PM, <ex...@tw...> wrote:
> On 30 Aug, 04:46 pm, jam...@jv... wrote:
>>Hi,
>>
>>I believe that as of 0.11, pyOpenSSL has started supporting the
>>verification of signatures. I am working on a project which was
>>started by someone else using M2Crypto. M2Crypto is really painful to
>>include on platforms such as Heroku as it requires the use of SWIG.
>>Consequently I am trying to remove the dependency on M2Crypto and
>>replace with pyOpenSSL which is easy to install via Pip, and doesn't
>>require custom buildpacks and more which SWIG-related things do.
>>
>>The link to the original code is
>>[here](https://github.com/pyroven/django-pyroven) and requires a
>>reasonably significant refactoring, as it falls a long way from 12
>>Factor App ideals. However, I wanted to know whether I was on the
>>right track for replacing the M2Crypto functions, which at present
>>consist:
>>
>>key = cert.get_pubkey() # Cert is an M2Crypto X509 object
>>key = key.get_rsa()
>>ret = key.verify(hashed, self.sig)
>>if ret != 1:
>>    # Cert invalid ... etc.
>>
>>I tried to replace this with:
>>
>>crypto.verify(cert, self.sig, hashed, 'sha1') # cert X509 object from crypto.load_certificate()
>>
>>Which I had assumed was roughly equivalent to the above, but I wonder
>>whether I got the wrong end of the stick having read through the
>>source as to what crypto.verify was actually doing.
>>
>>At the present time I end up with the Exception:
>>
>>[('rsa routines', 'RSA_verify', 'bad signature')]
>>
>>Which is difficult to tell whether the code is right and the
>>hash/verification is correctly failing, or whether I'm actually doing
>>something which is fundamentally incorrect.
>
> Hi James,
>
> Consider the unit test for OpenSSL.crypto.verify (which passes on my
> system):
>
> http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/test/test_crypto.py#L2750
>
> (Sorry about the broken URL :/)
>
> It looks like you're doing roughly the right thing, at least as far as
> pyOpenSSL is concerned.
>
> Unrelatedly, I'm copying pyo...@li... on my
> reply, as I'd prefer to switch pyOpenSSL completely off of sourceforge
> at some point.
>>Thanks for your help!
>>
>>J
>>
>>_______________________________________________
>>pyopenssl-list mailing list
>>pyo...@li...
>>https://lists.sourceforge.net/lists/listinfo/pyopenssl-list
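
An added example (not code from this thread, M2Crypto or pyOpenSSL) of a difference worth checking in a port like the one discussed above: M2Crypto's `key.verify(hashed, sig)` takes an already computed digest, while `crypto.verify(cert, sig, data, 'sha1')` hashes the data it is given, so handing it a digest checks the signature against a hash of the hash. It uses only the standard library and a constructed toy RSA key; `sign_digest`, `verify_digest` and `verify_data` are hypothetical stand-ins for the two interface styles, not either library's API.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# ASN.1 DigestInfo header for SHA-1 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def _encode(digest: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of an already computed SHA-1 digest."""
    if len(digest) != 20:
        raise ValueError("expected a 20-byte SHA-1 digest")
    t = SHA1_PREFIX + digest
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign_digest(digest: bytes) -> bytes:
    """Sign a precomputed digest (the low-level, RSA_sign-style interface)."""
    return pow(_encode(digest), D, N).to_bytes(K, "big")


def verify_digest(digest: bytes, sig: bytes) -> bool:
    """Digest-level check: the caller hashes. Mirrors key.verify(hashed, sig)."""
    s = int.from_bytes(sig, "big")
    # Compare the whole encoded block rather than parsing the padding.
    return len(sig) == K and s < N and pow(s, E, N) == _encode(digest)


def verify_data(data: bytes, sig: bytes) -> bool:
    """Data-level check: hashes internally, like crypto.verify(cert, sig, data, 'sha1')."""
    return verify_digest(hashlib.sha1(data).digest(), sig)


def demo() -> dict:
    message = b"constructed sample response body"
    hashed = hashlib.sha1(message).digest()
    sig = sign_digest(hashed)
    return {
        "digest_api_with_digest": verify_digest(hashed, sig),  # True
        "data_api_with_message": verify_data(message, sig),    # True
        "data_api_with_digest": verify_data(hashed, sig),      # False: hashed twice
    }


if __name__ == "__main__":
    print(demo())
```

With a data-level interface, the value to pass is the original signed bytes; a rejected signature alone does not distinguish a forged message from a digest passed where data was expected.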