Python:用.cer文件打开获取公钥然后进行验证

Question

我有一个包含公钥的 .cer 文件。我需要使用这个文件来验证相应私钥签名的签名。我有签名和公钥。我需要验证签名。我得到的结果是假的。下面是代码:

def verify_sign(public_key_loc, signature, data):
    '''
    Verifies with a public key from whom the data came that it was indeed
    signed by their private key
    param: public_key_loc Path to public key
    param: signature String signature to be verified
    return: Boolean. True if the signature is valid; False otherwise.
    '''
    #pdb.set_trace()
    from Crypto.PublicKey import RSA
    from Crypto.Signature import PKCS1_v1_5
    from Crypto.Hash import SHA256
    from base64 import b64decode
    try:
        pub_key = open(public_key_loc, "r").read()
        rsakey = RSA.importKey(pub_key)
        signer = PKCS1_v1_5.new(rsakey)
        digest = SHA256.new()
        # Assumes the data is base64 encoded to begin with
        digest.update(b64decode(data))
        if signer.verify(digest, b64decode(signature)):
            return True
        return False 
    except Exception as e:
        print e

我尝试使用此处的方法将.cer 文件转换为.pem。 How do I use a X509 certificate with PyCrypto?

这里使用的方法是否正确？还是 python 有更好的库。因为据我所知，python 不支持 X.509Certificate。忍受我的英语。感谢任何帮助。

谢谢。

编辑:

截至目前，我正在尝试使用 Pycrypto。我是否需要在同一个 pycrypto 中使用任何其他库或方法？

Answer 1

您应该能够使用 openssl x509 命令从 X509 证书中提取公钥组件。你说你的证书文件有一个 .cer 扩展名，这通常意味着二进制 DER 格式，所以这个命令应该以 pycrypto 可以使用的形式提取公钥:

openssl x509 -inform der -pubkey -noout -in certificate.cer >public_key.pem

虽然，您的 .cer 文件可能已经是 PEM 格式(我怀疑这是因为在 C# 中您需要 base64 解码此证书)，在这种情况下，此命令应该获得公钥:

openssl x509 -pubkey -noout -in certificate.cer >public_key.pem

无论哪种方式，您最终都会得到一个类似于此 PEM 格式 key 的文件 public_key.pem:

-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8ZtNvMVc3iDc850hdWu7LLw4CQfE4O4IKy7mv6Iu6uhHQsfRQCqSbc1Nwxq70dMudG+41cSBI2Sx7bsAby22seBOCCtcoXmDvyBbAetaHY4xUTXzMZKxZc+ZPRR5vB+suxW9yWCTUmYyxaY3SPxiZHRF5dAmSbW4qIrXt+9ifIbGlMtzFBBetA9KgxVcBQB6VhJEHoLk4KL4R7tOoAQgs6WijTwzNfTubRQh1VUCbidQihVAOWMNVS/3SWRRrcN5V2DqOWL+4TkPK522sRDK1t0C/i+XWjxeFu1zn3xXZlA2sruOIFQvpihbLgkrfOvjA/XESgshBhMfbXZjzC1GwIDAQAB-----END PUBLIC KEY-----

Now you can load this using Crypto.PublicKey.RSA.importKey().

You also should double check the encoding of data and signature; make sure that these are base64 encoded as you assume, although this is probably correct since you have it working in C#.

Other options exist:

1. Use good old pyOpenSSL - see module OpenSSL.crypto:

   import OpenSSL
   
   cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                          open('certificate.cer').read())
   try:
       OpenSSL.crypto.verify(cert, signature, data, 'sha256')
       print "Signature verified OK"
   except Exception as e:
       print "Signature verification failed: {}".format(e)
   

2. 使用 M2Crypto (不支持 Python 3 ):

   import M2Crypto
   
   cert = M2Crypto.X509.load_cert('certificate.cer', M2Crypto.X509.FORMAT_DER)
   pubkey = cert.get_pubkey()
   pubkey.reset_context('sha256')
   pubkey.verify_init()
   pubkey.verify_update(content)
   verified = pubkey.verify_final(signature)