From: James C. <jam...@jv...> - 2012-08-30 17:13:20
Hi,

I believe that as of 0.11, pyOpenSSL has started supporting the verification of signatures. I am working on a project which was started by someone else using M2Crypto. M2Crypto is really painful to include on platforms such as Heroku as it requires the use of SWIG. Consequently I am trying to remove the dependency on M2Crypto and replace it with pyOpenSSL, which is easy to install via pip and doesn't require custom buildpacks and more, which SWIG-related things do.

The link to the original code is [here](https://github.com/pyroven/django-pyroven) and requires a reasonably significant refactoring, as it falls a long way from 12 Factor App ideals. However, I wanted to know whether I was on the right track for replacing the M2Crypto functions, which at present consist of:

    key = cert.get_pubkey()  # cert is an M2Crypto X509 object
    key = key.get_rsa()
    ret = key.verify(hashed, self.sig)
    if ret != 1:
        # Cert invalid ... etc.

I tried to replace this with:

    crypto.verify(cert, self.sig, hashed, 'sha1')  # cert is an X509 object from crypto.load_certificate()

which I had assumed was roughly equivalent to the above, but I wonder whether I got the wrong end of the stick, having read through the source as to what crypto.verify was actually doing.

At the present time I end up with the exception:

    [('rsa routines', 'RSA_verify', 'bad signature')]

which makes it difficult to tell whether the code is right and the hash/verification is correctly failing, or whether I'm actually doing something which is fundamentally incorrect.

Thanks for your help!

J
From: <ex...@tw...> - 2012-08-31 13:50:20
On 30 Aug, 04:46 pm, jam...@jv... wrote:
> I tried to replace this with:
>
>     crypto.verify(cert, self.sig, hashed, 'sha1')  # cert X509 object from crypto.load_certificate()
>
> Which I had assumed was roughly equivalent to the above, but I wonder whether I got the wrong end of the stick having read through the source as to what crypto.verify was actually doing.
>
> At the present time I end up with the Exception:
>
>     [('rsa routines', 'RSA_verify', 'bad signature')]
>
> Which is difficult to tell whether the code is right and the hash/verification is correctly failing, or whether I'm actually doing something which is fundamentally incorrect.

Hi James,

Consider the unit test for OpenSSL.crypto.verify (which passes on my system):

http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/test/test_crypto.py#L2750

(Sorry about the broken URL :/)

It looks like you're doing roughly the right thing, at least as far as pyOpenSSL is concerned.

Unrelatedly, I'm copying pyo...@li... on my reply, as I'd prefer to switch pyOpenSSL completely off of sourceforge at some point.

> Thanks for your help!
>
> J
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> pyopenssl-list mailing list
> pyo...@li...
> https://lists.sourceforge.net/lists/listinfo/pyopenssl-list
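An added example (not code from this thread or from pyOpenSSL) of the check being ported, written against the `cryptography` package so it runs on current Python installs, with SHA-256 standing in for the thread's 'sha1'. It demonstrates the one difference that matters for the port: M2Crypto's RSA.verify takes an already-computed digest, whereas pyOpenSSL's crypto.verify hashes the data itself, so a pre-hashed value passed to the latter is hashed a second time and is rejected with the same 'bad signature' error as a tampered message. All function names and the sample message are constructed for this example.

```python
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils

# SHA-256 here; the thread used 'sha1', which some OpenSSL builds now refuse
# for RSA signatures. The data-versus-digest distinction is the same.
DIGEST = hashes.SHA256()


def make_keypair():
    """Fresh RSA key pair for the demo (constructed, not a real cert's key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key, key.public_key()


def sign(private_key, data):
    """PKCS#1 v1.5 signature over the hash of data (what RSA_sign produces)."""
    return private_key.sign(data, padding.PKCS1v15(), DIGEST)


def verify_like_pyopenssl(public_key, signature, data):
    """pyOpenSSL crypto.verify(cert, sig, data, digest): hashes data itself."""
    try:
        public_key.verify(signature, data, padding.PKCS1v15(), DIGEST)
        return True
    except InvalidSignature:  # pyOpenSSL reports this as RSA_verify 'bad signature'
        return False


def verify_like_m2crypto(public_key, signature, digest):
    """M2Crypto RSA.verify(digest, sig): the caller supplies the digest."""
    try:
        public_key.verify(signature, digest, padding.PKCS1v15(), utils.Prehashed(DIGEST))
        return True
    except InvalidSignature:
        return False


def demo():
    """Run the four cases a porter needs to tell apart; returns name -> valid?"""
    priv, pub = make_keypair()
    data = b"constructed sample message"          # constructed input
    digest = hashlib.sha256(data).digest()        # what the M2Crypto code passed in
    sig = sign(priv, data)
    return {
        "pyopenssl_with_data": verify_like_pyopenssl(pub, sig, data),      # valid
        "pyopenssl_with_digest": verify_like_pyopenssl(pub, sig, digest),  # double-hashed: bad
        "m2crypto_with_digest": verify_like_m2crypto(pub, sig, digest),    # valid
        "tampered_data": verify_like_pyopenssl(pub, sig, data + b"x"),     # bad
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'bad signature'}")
```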
From: James C. <jam...@jv...> - 2012-09-02 06:50:18
Thanks for your help, consider this problem resolved. Cheers for the pointer to the unit tests!

J

On Fri, Aug 31, 2012 at 2:49 PM, <ex...@tw...> wrote:
> Consider the unit test for OpenSSL.crypto.verify (which passes on my system):
>
> http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/test/test_crypto.py#L2750
>
> It looks like you're doing roughly the right thing, at least as far as pyOpenSSL is concerned.
From: M.-A. L. <ma...@eg...> - 2012-12-14 10:14:54
Hi Jean-Paul,

I find a couple of minor issues with the move you are suggesting:

* The launchpad list is *very* hard to find on the project page: it's hidden away in the "Answers" tab in a small box named "Answer contacts for pyOpenSSL", which then finally lets you arrive at: https://launchpad.net/~pyopenssl-users

* You have to be a team member to subscribe to the list. I don't know what other implications "team member" has, but at the very least you have to sign up on Launchpad to subscribe to the mailing list, which is not required for the SF list.

* The subscriber list is publicly visible, unlike for the SF list. This is not a major bummer, but certainly a privacy issue for some.

This can all be fixed, I suppose (I don't know anything about LP mailing list configurations). To make the transition smooth, I'd suggest getting the SF mailing list archive imported into LP, configuring the LP mailing list like the SF one (no public membership roster, no LP signup requirement) and putting a link to the mailing list right on the project's overview page. Then switch off the SF list, to avoid cross-postings to both lists.

BTW: What benefit do you see in switching mailing list hosts? Why not use python.org as host instead of LP or SF? (I can help with a python.org transition)

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Dec 14 2012)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2012-12-14: Released mxODBC.Connect 2.0.2 ...     http://egenix.com/go38
2012-12-05: Released eGenix pyOpenSSL 0.13 ...    http://egenix.com/go37
2012-11-28: Released eGenix mx Base 3.2.5 ...     http://egenix.com/go36
2013-01-22: Python Meeting Duesseldorf ...                 39 days to go

eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
From: <ex...@tw...> - 2012-12-14 17:54:34
On 10:14 am, ma...@eg... wrote:
> Hi Jean-Paul,
>
> BTW: What benefit do you see in switching mailing list hosts? Why not use python.org as host instead of LP or SF? (I can help with a python.org transition)

I'd like to get pyOpenSSL entirely off of sourceforge so that I no longer need to interact with sourceforge (as doing so is a perpetually unpleasant experience). I think everyone else in the community would benefit from this as well.

I chose Launchpad because it was easy to set up, and because that's where the rest of pyOpenSSL's infrastructure has moved. This was meant to make things easier and reduce confusion amongst potential community members. I'm not sure this has succeeded. As you point out, there are some problems with Launchpad.

If you'd like to spearhead a move of the mailing list to python.org-based hosting, that's fine with me. I can't offer much help with that move, but I'll do whatever I can to remove any roadblocks you encounter.

Jean-Paul