Eri*_*mus 6 ssl openssl cryptography sha256 python-3.x
我已经使用openssl SHA256和私钥对文件进行了签名,如下所示:
with subprocess.Popen(
# Pipe the signature to openssl to convert it from raw binary encoding to base64 encoding.
# This will prevent any potential corruption due to line ending conversions, and also allows
# a human to read and copy the signature (e.g. for manual verification).
'openssl dgst -sha256 -sign private.key sign_me.zip | openssl base64 > signature.sha256',
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
shell=True,
) as proc:
out, _ = proc.communicate()
signature.sha256并public_key.crt确认sign_me.zip尚未修改。我已经做了很多搜索,试图弄清楚该如何做,但是我一直没有找到满意的答案。这是我尝试和/或研究过的东西的列表:
我可以通过以下shell命令手动验证签名。由于要求3,这不能作为永久解决方案。
openssl dgst -sha256 -verify <(openssl x509 -in public_key.crt -pubkey -noout) -signature signature.sha256 sign_me.zip
我发现了这个问题,这几乎就是我想要做的。近两年没有得到答复,甚至没有发表评论。它提到了ssl python库,该库主要处理客户端/服务器证书和套接字。
verify()的Python 2.7 加密模块中找到方法文档。也许我缺少明显的东西?我在安全性/加密/散列方面还没有做很多工作,因此欢迎您提供反馈。
感谢Patrick Mevzek为我指出正确的方向。我最终使用密码模块找到了以下解决方案。我最终改变了我对文件签名的方式,以匹配以后将对其进行验证的方式。
密钥生成:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
# Generate the public/private key pair.
private_key = rsa.generate_private_key(
public_exponent = 65537,
key_size = 4096,
backend = default_backend(),
)
# Save the private key to a file.
with open('private.key', 'wb') as f:
f.write(
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
)
# Save the public key to a file.
with open('public.pem', 'wb') as f:
f.write(
private_key.public_key().public_bytes(
encoding = serialization.Encoding.PEM,
format = serialization.PublicFormat.SubjectPublicKeyInfo,
)
)
签名:
import base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
# Load the private key.
with open('private.key', 'rb') as key_file:
private_key = serialization.load_pem_private_key(
key_file.read(),
password = None,
backend = default_backend(),
)
# Load the contents of the file to be signed.
with open('payload.dat', 'rb') as f:
payload = f.read()
# Sign the payload file.
signature = base64.b64encode(
private_key.sign(
payload,
padding.PSS(
mgf = padding.MGF1(hashes.SHA256()),
salt_length = padding.PSS.MAX_LENGTH,
),
hashes.SHA256(),
)
)
with open('signature.sig', 'wb') as f:
f.write(signature)
验证:
import base64
import cryptography.exceptions
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import load_pem_public_key
# Load the public key.
with open('public.pem', 'rb') as f:
public_key = load_pem_public_key(f.read(), default_backend())
# Load the payload contents and the signature.
with open('payload.dat', 'rb') as f:
payload_contents = f.read()
with open('signature.sig', 'rb') as f:
signature = base64.b64decode(f.read())
# Perform the verification.
try:
public_key.verify(
signature,
payload_contents,
padding.PSS(
mgf = padding.MGF1(hashes.SHA256()),
salt_length = padding.PSS.MAX_LENGTH,
),
hashes.SHA256(),
)
except cryptography.exceptions.InvalidSignature as e:
print('ERROR: Payload and/or signature files failed verification!')
| 归档时间: |
|
| 查看次数: |
3476 次 |
| 最近记录: |