gpt4 book ai didi

python-3.x - 如何在python中验证签名文件

转载 作者:太空宇宙 更新时间:2023-11-03 12:44:17 24 4
gpt4 key购买 nike

背景

我已经使用 openssl SHA256 和私钥签署了一个文件,如下所示:

with subprocess.Popen(
# Pipe the signature to openssl to convert it from raw binary encoding to base64 encoding.
# This will prevent any potential corruption due to line ending conversions, and also allows
# a human to read and copy the signature (e.g. for manual verification).
'openssl dgst -sha256 -sign private.key sign_me.zip | openssl base64 > signature.sha256',
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
shell=True,
) as proc:
out, _ = proc.communicate()

要求

  1. 我需要使用 signature.sha256public_key.crt验证 sign_me.zip没有被修改。
  2. 兼容 Python 3.2 - 3.4
  3. 需要在 Windows 和 Redhat 上工作,并且不能保证 OpenSSL 会在路径上或在已知位置。理想情况下,我想使用核心 Python 模块,但如果可以降低复杂性,我会考虑使用第 3 方模块。

我尝试过的

我进行了大量搜索,试图弄清楚如何执行此操作,但一直未能找到令人满意的答案。以下是我尝试过和/或研究过的事情的列表:

  • 我可以通过以下 shell 命令手动验证签名。由于要求 3,这不能作为永久解决方案。

    openssl dgst -sha256 -verify <(openssl x509 -in public_key.crt -pubkey -noout) -signature signature.sha256 sign_me.zip

  • 我找到了 this question ,这几乎正是我想要做的。将近 2 年没有得到答复甚至评论。它提到了 ssl python library ,主要处理客户端/服务器证书和套接字。

  • > This question似乎使用加密库来验证“SHA256withRSA 和 PKCS1 填充”签名。不幸的是它以 Python 2.7 为目标,另外我无法找到 verify() Python 2.7 中的方法文档 crypto问题引用的模块。
  • 我还发现了一个名为 cryptography 的第三方模块. Stack Overflow 上的共识似乎是这是最新/最好的加密模块,但我找不到符合我要求的文档。

也许我遗漏了一些明显的东西?我在安全/加密/散列方面没有做过太多工作,因此欢迎提供反馈。

最佳答案

感谢 Patrick Mevzek 为我指明了正确的方向。我最终使用 Cryptography 找到了我的问题的以下解决方案模块。我最终更改了对文件进行签名的方式,以匹配我稍后验证它的方式。

key 生成:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

# Generate the public/private key pair.
private_key = rsa.generate_private_key(
public_exponent = 65537,
key_size = 4096,
backend = default_backend(),
)

# Save the private key to a file.
with open('private.key', 'wb') as f:
f.write(
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
)

# Save the public key to a file.
with open('public.pem', 'wb') as f:
f.write(
private_key.public_key().public_bytes(
encoding = serialization.Encoding.PEM,
format = serialization.PublicFormat.SubjectPublicKeyInfo,
)
)

签名:

import base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding

# Load the private key.
with open('private.key', 'rb') as key_file:
private_key = serialization.load_pem_private_key(
key_file.read(),
password = None,
backend = default_backend(),
)

# Load the contents of the file to be signed.
with open('payload.dat', 'rb') as f:
payload = f.read()

# Sign the payload file.
signature = base64.b64encode(
private_key.sign(
payload,
padding.PSS(
mgf = padding.MGF1(hashes.SHA256()),
salt_length = padding.PSS.MAX_LENGTH,
),
hashes.SHA256(),
)
)
with open('signature.sig', 'wb') as f:
f.write(signature)

验证:

import base64
import cryptography.exceptions
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import load_pem_public_key

# Load the public key.
with open('public.pem', 'rb') as f:
public_key = load_pem_public_key(f.read(), default_backend())

# Load the payload contents and the signature.
with open('payload.dat', 'rb') as f:
payload_contents = f.read()
with open('signature.sig', 'rb') as f:
signature = base64.b64decode(f.read())

# Perform the verification.
try:
public_key.verify(
signature,
payload_contents,
padding.PSS(
mgf = padding.MGF1(hashes.SHA256()),
salt_length = padding.PSS.MAX_LENGTH,
),
hashes.SHA256(),
)
except cryptography.exceptions.InvalidSignature as e:
print('ERROR: Payload and/or signature files failed verification!')

关于python-3.x - 如何在python中验证签名文件,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50608010/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com