Pyopenssl to verify the file signature

2019-01-28 17:21发布

站内问答 / Python
505 1 6

I want to verify the downloaded file's signature and cert using pyopenssl, but the documentation is not clear and Google is of no help.

I have a root CA cert in user's machine, now when user download the file then I will send a certificate and signature along with it. First I need to verify the certificate with rootCA on machine then I need to verify the signature with file

In openssl I can use following to verify the ca cert

openssl verify -CAfile <root_pem> <cert_pem>

and following to verify the file

openssl dgst <algo> -verify <cert_pub_key> -signature <signature> <file>

I am looking for equivalent way to do it using python, most preferably pyopenssl

1条回答
Lonely孤独者°
2楼-- · 2019-01-28 17:50

I'm still learning about OpenSSL in general, let alone PyOpenSSL. Having said that, I was able to verify a file (your second command) in PyOpenSSL with the following:

from OpenSSL.crypto import load_publickey, FILETYPE_PEM, verify, X509

with open(file_to_verify, 'rb') as f:
    file_data = f.read()

with open(signature_filename, 'rb') as f:
    signature = f.read()

with open(public_key_filename) as f:
    public_key_data = f.read()

# load in the publickey file, in my case, I had a .pem file.
# If the file starts with
#     "-----BEGIN PUBLIC KEY-----"
# then it is of the PEM type. The only other FILETYPE is
# "FILETYPE_ASN1".
pkey = load_publickey(FILETYPE_PEM, public_key_data)

# the verify() function expects that the public key is
# wrapped in an X.509 certificate
x509 = X509()
x509.set_pubkey(pkey)

# perform the actual verification. We need the X509 object,
# the signature to verify, the file to verify, and the
# algorithm used when signing.
verify(x509, signature, file_data, 'sha256')

The verify() function will return None in the event that verification is successful (i.e. it does nothing) or it will raise an Exception if something went wrong.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)