diff options
Diffstat (limited to 'pipermail/pycrypto/2014q2/000794.html')
-rw-r--r-- | pipermail/pycrypto/2014q2/000794.html | 214 |
1 files changed, 214 insertions, 0 deletions
diff --git a/pipermail/pycrypto/2014q2/000794.html b/pipermail/pycrypto/2014q2/000794.html new file mode 100644 index 0000000..9458822 --- /dev/null +++ b/pipermail/pycrypto/2014q2/000794.html @@ -0,0 +1,214 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML> + <HEAD> + <TITLE> [pycrypto] Verify DSA bytestring signature + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:pycrypto%40lists.dlitz.net?Subject=Re%3A%20%5Bpycrypto%5D%20Verify%20DSA%20bytestring%20signature&In-Reply-To=%3CCAGfyce0pk6H4n-AHy4yt1_gNBb%2BxSx081LzoXEL85QhYOcSPGQ%40mail.gmail.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <style type="text/css"> + pre { + white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */ + } + </style> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000793.html"> + <LINK REL="Next" HREF="000795.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[pycrypto] Verify DSA bytestring signature</H1> + <B>Legrandin</B> + <A HREF="mailto:pycrypto%40lists.dlitz.net?Subject=Re%3A%20%5Bpycrypto%5D%20Verify%20DSA%20bytestring%20signature&In-Reply-To=%3CCAGfyce0pk6H4n-AHy4yt1_gNBb%2BxSx081LzoXEL85QhYOcSPGQ%40mail.gmail.com%3E" + TITLE="[pycrypto] Verify DSA bytestring signature">helderijs at gmail.com + </A><BR> + <I>Mon Apr 7 04:50:26 PDT 2014</I> + <P><UL> + <LI>Previous message: <A HREF="000793.html">[pycrypto] Verify DSA bytestring signature +</A></li> + <LI>Next message: <A HREF="000795.html">[pycrypto] Verify DSA bytestring signature +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#794">[ date ]</a> + <a href="thread.html#794">[ thread ]</a> + <a href="subject.html#794">[ subject ]</a> + <a href="author.html#794">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>The openssl code is using SHA-1 twice: once to create the digest of the +archive (dgst -sha1) and a second time when computing the DSA signature +(dgst -dss1). + +If your goal is to sign the hash, the Python code should actually read: + +>><i> return pubkey.verify(SHA1.new(zipfile_digest).digest(), signature) +</I> +If your goal is to sign only the archive, the openssl code should be: + +>><i> | openssl dgst -dss1 -sign "$DSA_PRIVKEY" < "$RELEASE_ARCHIVE" \ +</I>>><i> | openssl enc -base64 +</I> +2014-04-07 0:49 GMT+02:00 Winston Weinert <<A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">winston at ml1.net</A>>: + +><i> The signature is created using the openssl(1) command-line tool like this: +</I>><i> +</I>><i> openssl dgst -sha1 -binary < "$RELEASE_ARCHIVE" \ +</I>><i> | openssl dgst -dss1 -sign "$DSA_PRIVKEY" \ +</I>><i> | openssl enc -base64 +</I>><i> +</I>><i> It verifies correctly using this command-line: +</I>><i> +</I>><i> echo "$SIGNATURE" | openssl enc -base64 -d > /tmp/decoded_signature +</I>><i> openssl dgst -sha1 -binary < "$RELEASE_ARCHIVE" > /tmp/release_archive_sha1 +</I>><i> openssl dgst -dss1 -verify "$DSA_PUBKEY" -signature /tmp/decoded_signature +</I>><i> /tmp/release_archive_sha1 +</I>><i> +</I>><i> After I wrote my email, I dug around for awhile. After a lot of research I +</I>><i> learned +</I>><i> about ASN.1 DER's usage in Dss-Sig-Value ( +</I>><i> <A HREF="http://www.ietf.org/rfc/rfc2459.txt">http://www.ietf.org/rfc/rfc2459.txt</A>). I +</I>><i> wrote this code that appeared to decode my Base64 encoded signature +</I>><i> correctly (I +</I>><i> checked against <A HREF="http://lapo.it/asn1js/">http://lapo.it/asn1js/</A>): +</I>><i> +</I>><i> def decode_DSA_signature(signature): +</I>><i> raw_signature = base64.b64decode(signature) +</I>><i> der = DerSequence() +</I>><i> der.decode(raw_signature) +</I>><i> return (der[0], der[1]) +</I>><i> +</I>><i> Unfortunately .verify() returns False on correctly verified signature and +</I>><i> hash +</I>><i> pairs. I am using this new function like so: +</I>><i> +</I>><i> +</I>><i> def validate(dsa_pubkey, signature, zipfile): +</I>><i> with open(dsa_pubkey, 'rb') as f: +</I>><i> pubkey = DSA.importKey(f.read()) +</I>><i> with open(zipfile, 'rb') as f: +</I>><i> h = SHA1.new() +</I>><i> h.update(f.read()) +</I>><i> zipfile_digest = h.digest() +</I>><i> signature = decode_DSA_signature(signature) +</I>><i> +</I>><i> return pubkey.verify(zipfile_digest, signature) +</I>><i> +</I>><i> Maybe there is a problem with PyCrypto DSA and my environment? +</I>><i> >>> sys.version +</I>><i> '2.7.6 (default, Feb 7 2014, 12:51:34) \n[GCC 4.2.1 Compatible Apple LLVM +</I>><i> 5.0 (clang-500.2.79)]' +</I>><i> +</I>><i> For the time being I'm invoking openssl(1) for this task. +</I>><i> +</I>><i> Thank you for the reply! +</I>><i> Winston Weinert +</I>><i> +</I>><i> +</I>><i> On Apr 6, 2014, at 4:50, Legrandin <<A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">helderijs at gmail.com</A>> wrote: +</I>><i> +</I>><i> > How was the signature created exactly? +</I>><i> > +</I>><i> > The .verify() method of a DSA object requires two integers, and there +</I>><i> are several ways to encode them into a bytestring. It's very hard to guess +</I>><i> the correct one for your case. +</I>><i> > +</I>><i> > FYI, there is a long standing pull request I created to add a saner DSA +</I>><i> API: +</I>><i> > +</I>><i> > <A HREF="https://github.com/dlitz/pycrypto/pull/53">https://github.com/dlitz/pycrypto/pull/53</A> +</I>><i> > +</I>><i> > The verification method accepts DER or big-endian encoded signatures. +</I>><i> > +</I>><i> > +</I>><i> > +</I>><i> > 2014-04-05 21:03 GMT+02:00 Winston Weinert <<A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">winston at ml1.net</A>>: +</I>><i> > Hello, +</I>><i> > +</I>><i> > I noticed in Git there is a "verify" method on Crypto.PublicKey.DSA. How +</I>><i> do +</I>><i> > I go about using this method? It wants a tuple, but unsure how to create +</I>><i> > the appropriate tuple from my bytestring (which is decoded base64 text). +</I>><i> > This is git revision 2d1aecd. The relevant code and error: +</I>><i> > +</I>><i> > Code: +</I>><i> > +</I>><i> > def validate(dsa_pubkey, signature, zipfile): +</I>><i> > with open(dsa_pubkey, 'rb') as f: +</I>><i> > pubkey = DSA.importKey(f.read()) +</I>><i> > with open(zipfile, 'rb') as f: +</I>><i> > h = SHA1.new() +</I>><i> > h.update(f.read()) +</I>><i> > zipfile_digest = h.digest() +</I>><i> > decoded_signature = base64.b64decode(signature) +</I>><i> > +</I>><i> > return pubkey.verify(zipfile_digest, decoded_signature) +</I>><i> > +</I>><i> > Error: +</I>><i> > +</I>><i> > Traceback (most recent call last): +</I>><i> > File "sparkle_tool.py", line 67, in <module> +</I>><i> > validate_files(appcast, dsa_pubkey) +</I>><i> > File "sparkle_tool.py", line 55, in validate_files +</I>><i> > if validate(dsa_pubkey, signature, local_file): +</I>><i> > File "sparkle_tool.py", line 33, in validate +</I>><i> > return pubkey.verify(zipfile_digest, decoded_signature) +</I>><i> > File +</I>><i> "/home/winston/jobber/venv/local/lib/python2.7/site-packages/Crypto/PublicKey/DSA.py", +</I>><i> line 222, in verify +</I>><i> > return pubkey.pubkey.verify(self, M, signature) +</I>><i> > File +</I>><i> "/home/winston/jobber/venv/local/lib/python2.7/site-packages/Crypto/PublicKey/pubkey.py", +</I>><i> line 126, in verify +</I>><i> > return self._verify(M, signature) +</I>><i> > File +</I>><i> "/home/winston/jobber/venv/local/lib/python2.7/site-packages/Crypto/PublicKey/DSA.py", +</I>><i> line 240, in _verify +</I>><i> > (r, s) = sig +</I>><i> > ValueError: too many values to unpack +</I>><i> > +</I>><i> > Thanks a bunch! +</I>><i> > -- +</I>><i> > Winston Weinert +</I>><i> > <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">winston at ml1.net</A> +</I>><i> > _______________________________________________ +</I>><i> > pycrypto mailing list +</I>><i> > <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">pycrypto at lists.dlitz.net</A> +</I>><i> > <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</A> +</I>><i> > +</I>><i> > _______________________________________________ +</I>><i> > pycrypto mailing list +</I>><i> > <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">pycrypto at lists.dlitz.net</A> +</I>><i> > <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</A> +</I>><i> +</I>><i> _______________________________________________ +</I>><i> pycrypto mailing list +</I>><i> <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">pycrypto at lists.dlitz.net</A> +</I>><i> <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</A> +</I>><i> +</I>-------------- next part -------------- +An HTML attachment was scrubbed... +URL: <<A HREF="http://lists.dlitz.net/pipermail/pycrypto/attachments/20140407/b61f21b3/attachment.html">http://lists.dlitz.net/pipermail/pycrypto/attachments/20140407/b61f21b3/attachment.html</A>> +</PRE> + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000793.html">[pycrypto] Verify DSA bytestring signature +</A></li> + <LI>Next message: <A HREF="000795.html">[pycrypto] Verify DSA bytestring signature +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#794">[ date ]</a> + <a href="thread.html#794">[ thread ]</a> + <a href="subject.html#794">[ subject ]</a> + <a href="author.html#794">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">More information about the pycrypto +mailing list</a><br> +</body></html> |