Verifying a file signature with pyOpenSSL

Time: 2020-12-28 16:52:34

I want to verify the downloaded file's signature and cert using pyopenssl, but the documentation is not clear and Google is of no help.

I have a root CA cert on the user's machine. When the user downloads the file, I will send a certificate and signature along with it. First I need to verify the certificate against the root CA on the machine, then I need to verify the signature against the file.

In openssl I can use the following to verify the CA cert:

openssl verify -CAfile <root_pem> <cert_pem>

and the following to verify the file:

openssl dgst <algo> -verify <cert_pub_key> -signature <signature> <file>

I am looking for an equivalent way to do it using Python, preferably pyopenssl.

1 solution

#1


7  

I'm still learning about OpenSSL in general, let alone PyOpenSSL. Having said that, I was able to verify a file (your second command) in PyOpenSSL with the following:

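from OpenSSL.crypto import load_publickey, FILETYPE_PEM, verify, X509

# Placeholder paths; replace with the real file locations.
file_to_verify = 'downloaded_file.bin'
signature_filename = 'downloaded_file.sig'
public_key_filename = 'public_key.pem'
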
with open(file_to_verify, 'rb') as f:
    file_data = f.read()

with open(signature_filename, 'rb') as f:
    signature = f.read()

with open(public_key_filename) as f:
    public_key_data = f.read()

# load in the publickey file, in my case, I had a .pem file.
# If the file starts with
#     "-----BEGIN PUBLIC KEY-----"
# then it is of the PEM type. The only other FILETYPE is
# "FILETYPE_ASN1".
pkey = load_publickey(FILETYPE_PEM, public_key_data)

# the verify() function expects that the public key is
# wrapped in an X.509 certificate
x509 = X509()
x509.set_pubkey(pkey)

# perform the actual verification. We need the X509 object,
# the signature to verify, the file to verify, and the
# algorithm used when signing.
verify(x509, signature, file_data, 'sha256')

The verify() function will return None in the event that verification is successful (i.e. it does nothing) or it will raise an Exception if something went wrong.
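
Added example (not part of the original answer or of pyOpenSSL's own code): the answer above covers only the signature step, so this block performs both steps from the question, first checking the certificate against the root CA with pyOpenSSL's X509Store and X509StoreContext, then checking the signature with the certificate's public key. The signature step uses the cryptography package's RSA verify instead of crypto.verify and assumes an RSA PKCS#1 v1.5 signature over SHA-256; make_cert, verify_download and all keys, names and data below are constructed for the illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID
from OpenSSL.crypto import (FILETYPE_PEM, X509Store, X509StoreContext,
                            X509StoreContextError, load_certificate)

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    """Helper for the constructed test PKI only: issue a 30-day cert as PEM."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()).public_bytes(Encoding.PEM))

def verify_download(root_pem, cert_pem, signature, data):
    """True only if cert_pem chains to root_pem AND signature covers data."""
    cert = load_certificate(FILETYPE_PEM, cert_pem)
    store = X509Store()
    store.add_cert(load_certificate(FILETYPE_PEM, root_pem))  # the only trust anchor
    try:
        # Step 1, like: openssl verify -CAfile <root_pem> <cert_pem>
        X509StoreContext(store, cert).verify_certificate()
        # Step 2, like: openssl dgst -sha256 -verify <cert_pub_key> -signature <signature> <file>
        cert.to_cryptography().public_key().verify(
            signature, data, padding.PKCS1v15(), hashes.SHA256())
    except (X509StoreContextError, InvalidSignature):
        return False
    return True

# Constructed sample material: throwaway keys and made-up names, generated at import.
new_key = lambda: rsa.generate_private_key(public_exponent=65537, key_size=2048)
root_key, signer_key, rogue_key = new_key(), new_key(), new_key()
ROOT_PEM = make_cert("Example Root CA", root_key, "Example Root CA", root_key, True)
CERT_PEM = make_cert("Example Signer", signer_key, "Example Root CA", root_key, False)
# Self-signed certificate that the root never issued.
ROGUE_PEM = make_cert("Example Signer", rogue_key, "Example Signer", rogue_key, False)
DATA = b"constructed file contents\n"
SIG = signer_key.sign(DATA, padding.PKCS1v15(), hashes.SHA256())
ROGUE_SIG = rogue_key.sign(DATA, padding.PKCS1v15(), hashes.SHA256())
```

The ROGUE_PEM case is the reason step 1 comes first: its signature over DATA is mathematically valid, so a check that skips the chain validation would accept a file signed by anyone who ships their own certificate.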
