delta/python-packages/pycrypto.git - github.com: dlitz/pycrypto.git

diff options


context:
space:
mode:

Diffstat (limited to 'pipermail/pycrypto/2014q2/000794.html')

-rw-r--r--

pipermail/pycrypto/2014q2/000794.html

214

1 files changed, 214 insertions, 0 deletions

diff --git a/pipermail/pycrypto/2014q2/000794.html b/pipermail/pycrypto/2014q2/000794.html
new file mode 100644
index 0000000..9458822
--- /dev/null
+++ b/pipermail/pycrypto/2014q2/000794.html

@@ -0,0 +1,214 @@

+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

+<HTML>

+ <HEAD>

+ <TITLE> [pycrypto] Verify DSA bytestring signature

+ </TITLE>

+ <LINK REL="Index" HREF="index.html" >

+ <LINK REL="made" HREF="mailto:pycrypto%40lists.dlitz.net?Subject=Re%3A%20%5Bpycrypto%5D%20Verify%20DSA%20bytestring%20signature&In-Reply-To=%3CCAGfyce0pk6H4n-AHy4yt1_gNBb%2BxSx081LzoXEL85QhYOcSPGQ%40mail.gmail.com%3E">

+ <META NAME="robots" CONTENT="index,nofollow">

+ <style type="text/css">

+ pre {

+ white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */

+ }

+ </style>

+ <META http-equiv="Content-Type" content="text/html; charset=us-ascii">

+ <LINK REL="Previous" HREF="000793.html">

+ <LINK REL="Next" HREF="000795.html">

+ </HEAD>

+ <BODY BGCOLOR="#ffffff">

+ <H1>[pycrypto] Verify DSA bytestring signature</H1>

+ Legrandin

+ <A HREF="mailto:pycrypto%40lists.dlitz.net?Subject=Re%3A%20%5Bpycrypto%5D%20Verify%20DSA%20bytestring%20signature&In-Reply-To=%3CCAGfyce0pk6H4n-AHy4yt1_gNBb%2BxSx081LzoXEL85QhYOcSPGQ%40mail.gmail.com%3E"

+ TITLE="[pycrypto] Verify DSA bytestring signature">helderijs at gmail.com

+ </A>

+ Mon Apr 7 04:50:26 PDT 2014

+ <UL>

+ <LI>Previous message: <A HREF="000793.html">[pycrypto] Verify DSA bytestring signature

+</A></li>

+ <LI>Next message: <A HREF="000795.html">[pycrypto] Verify DSA bytestring signature

+</A></li>

+ <LI> Messages sorted by:

+ <a href="date.html#794">[ date ]</a>

+ <a href="thread.html#794">[ thread ]</a>

+ <a href="subject.html#794">[ subject ]</a>

+ <a href="author.html#794">[ author ]</a>

+ </LI>

+ </UL>

+ <HR>

+

+<PRE>The openssl code is using SHA-1 twice: once to create the digest of the

+archive (dgst -sha1) and a second time when computing the DSA signature

+(dgst -dss1).

+If your goal is to sign the hash, the Python code should actually read:

+>> return pubkey.verify(SHA1.new(zipfile_digest).digest(), signature)

+

+If your goal is to sign only the archive, the openssl code should be:

+>> | openssl dgst -dss1 -sign "$DSA_PRIVKEY" < "$RELEASE_ARCHIVE" \

+>> | openssl enc -base64

+

+2014-04-07 0:49 GMT+02:00 Winston Weinert <<A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">winston at ml1.net</A>>:

+> The signature is created using the openssl(1) command-line tool like this:

+>

+> openssl dgst -sha1 -binary < "$RELEASE_ARCHIVE" \

+> | openssl dgst -dss1 -sign "$DSA_PRIVKEY" \

+> | openssl enc -base64

+>

+> It verifies correctly using this command-line:

+>

+> echo "$SIGNATURE" | openssl enc -base64 -d > /tmp/decoded_signature

+> openssl dgst -sha1 -binary < "$RELEASE_ARCHIVE" > /tmp/release_archive_sha1

+> openssl dgst -dss1 -verify "$DSA_PUBKEY" -signature /tmp/decoded_signature

+> /tmp/release_archive_sha1

+>

+> After I wrote my email, I dug around for awhile. After a lot of research I

+> learned

+> about ASN.1 DER's usage in Dss-Sig-Value (

+> <A HREF="http://www.ietf.org/rfc/rfc2459.txt">http://www.ietf.org/rfc/rfc2459.txt</A>). I

+> wrote this code that appeared to decode my Base64 encoded signature

+> correctly (I

+> checked against <A HREF="http://lapo.it/asn1js/">http://lapo.it/asn1js/</A>):

+>

+> def decode_DSA_signature(signature):

+> raw_signature = base64.b64decode(signature)

+> der = DerSequence()

+> der.decode(raw_signature)

+> return (der[0], der[1])

+>

+> Unfortunately .verify() returns False on correctly verified signature and

+> hash

+> pairs. I am using this new function like so:

+>

+> def validate(dsa_pubkey, signature, zipfile):

+> with open(dsa_pubkey, 'rb') as f:

+> pubkey = DSA.importKey(f.read())

+> with open(zipfile, 'rb') as f:

+> h = SHA1.new()

+> h.update(f.read())

+> zipfile_digest = h.digest()

+> signature = decode_DSA_signature(signature)

+>

+> return pubkey.verify(zipfile_digest, signature)

+>

+> Maybe there is a problem with PyCrypto DSA and my environment?

+> >>> sys.version

+> '2.7.6 (default, Feb 7 2014, 12:51:34) \n[GCC 4.2.1 Compatible Apple LLVM

+> 5.0 (clang-500.2.79)]'

+>

+> For the time being I'm invoking openssl(1) for this task.

+>

+> Thank you for the reply!

+> Winston Weinert

+>

+> On Apr 6, 2014, at 4:50, Legrandin <<A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">helderijs at gmail.com</A>> wrote:

+>

+> > How was the signature created exactly?

+> >

+> > The .verify() method of a DSA object requires two integers, and there

+> are several ways to encode them into a bytestring. It's very hard to guess

+> the correct one for your case.

+> >

+> > FYI, there is a long standing pull request I created to add a saner DSA

+> API:

+> >

+> > <A HREF="https://github.com/dlitz/pycrypto/pull/53">https://github.com/dlitz/pycrypto/pull/53</A>

+> >

+> > The verification method accepts DER or big-endian encoded signatures.

+> >

+> > 2014-04-05 21:03 GMT+02:00 Winston Weinert <<A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">winston at ml1.net</A>>:

+> > Hello,

+> >

+> > I noticed in Git there is a "verify" method on Crypto.PublicKey.DSA. How

+> do

+> > I go about using this method? It wants a tuple, but unsure how to create

+> > the appropriate tuple from my bytestring (which is decoded base64 text).

+> > This is git revision 2d1aecd. The relevant code and error:

+> >

+> > Code:

+> >

+> > def validate(dsa_pubkey, signature, zipfile):

+> > with open(dsa_pubkey, 'rb') as f:

+> > pubkey = DSA.importKey(f.read())

+> > with open(zipfile, 'rb') as f:

+> > h = SHA1.new()

+> > h.update(f.read())

+> > zipfile_digest = h.digest()

+> > decoded_signature = base64.b64decode(signature)

+> >

+> > return pubkey.verify(zipfile_digest, decoded_signature)

+> >

+> > Error:

+> >

+> > Traceback (most recent call last):

+> > File "sparkle_tool.py", line 67, in <module>

+> > validate_files(appcast, dsa_pubkey)

+> > File "sparkle_tool.py", line 55, in validate_files

+> > if validate(dsa_pubkey, signature, local_file):

+> > File "sparkle_tool.py", line 33, in validate

+> > return pubkey.verify(zipfile_digest, decoded_signature)

+> > File

+> "/home/winston/jobber/venv/local/lib/python2.7/site-packages/Crypto/PublicKey/DSA.py",

+> line 222, in verify

+> > return pubkey.pubkey.verify(self, M, signature)

+> > File

+> "/home/winston/jobber/venv/local/lib/python2.7/site-packages/Crypto/PublicKey/pubkey.py",

+> line 126, in verify

+> > return self._verify(M, signature)

+> > File

+> "/home/winston/jobber/venv/local/lib/python2.7/site-packages/Crypto/PublicKey/DSA.py",

+> line 240, in _verify

+> > (r, s) = sig

+> > ValueError: too many values to unpack

+> >

+> > Thanks a bunch!

+> > --

+> > Winston Weinert

+> > <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">winston at ml1.net</A>

+> > _______________________________________________

+> > pycrypto mailing list

+> > <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">pycrypto at lists.dlitz.net</A>

+> > <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</A>

+> >

+> > _______________________________________________

+> > pycrypto mailing list

+> > <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">pycrypto at lists.dlitz.net</A>

+> > <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</A>

+>

+> _______________________________________________

+> pycrypto mailing list

+> <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">pycrypto at lists.dlitz.net</A>

+> <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</A>

+>

+-------------- next part --------------

+An HTML attachment was scrubbed...

+URL: <<A HREF="http://lists.dlitz.net/pipermail/pycrypto/attachments/20140407/b61f21b3/attachment.html">http://lists.dlitz.net/pipermail/pycrypto/attachments/20140407/b61f21b3/attachment.html</A>>

+</PRE>

+

+ <HR>

+ <UL>

+

+ <LI>Previous message: <A HREF="000793.html">[pycrypto] Verify DSA bytestring signature

+</A></li>

+ <LI>Next message: <A HREF="000795.html">[pycrypto] Verify DSA bytestring signature

+</A></li>

+ <LI> Messages sorted by:

+ <a href="date.html#794">[ date ]</a>

+ <a href="thread.html#794">[ thread ]</a>

+ <a href="subject.html#794">[ subject ]</a>

+ <a href="author.html#794">[ author ]</a>

+ </LI>

+ </UL>

+<hr>

+<a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">More information about the pycrypto

+mailing list</a>

+</body></html>