1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE> [pycrypto] Verify DSA bytestring signature
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:pycrypto%40lists.dlitz.net?Subject=Re%3A%20%5Bpycrypto%5D%20Verify%20DSA%20bytestring%20signature&In-Reply-To=%3C2C34FE60-DE8F-4F3E-B305-6397882BFC09%40ml1.net%3E">
<META NAME="robots" CONTENT="index,nofollow">
<style type="text/css">
pre {
white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */
}
</style>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000792.html">
<LINK REL="Next" HREF="000794.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[pycrypto] Verify DSA bytestring signature</H1>
<B>Winston Weinert</B>
<A HREF="mailto:pycrypto%40lists.dlitz.net?Subject=Re%3A%20%5Bpycrypto%5D%20Verify%20DSA%20bytestring%20signature&In-Reply-To=%3C2C34FE60-DE8F-4F3E-B305-6397882BFC09%40ml1.net%3E"
TITLE="[pycrypto] Verify DSA bytestring signature">winston at ml1.net
</A><BR>
<I>Sun Apr 6 15:49:47 PDT 2014</I>
<P><UL>
<LI>Previous message: <A HREF="000792.html">[pycrypto] Verify DSA bytestring signature
</A></li>
<LI>Next message: <A HREF="000794.html">[pycrypto] Verify DSA bytestring signature
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#793">[ date ]</a>
<a href="thread.html#793">[ thread ]</a>
<a href="subject.html#793">[ subject ]</a>
<a href="author.html#793">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>The signature is created using the openssl(1) command-line tool like this:
openssl dgst -sha1 -binary < "$RELEASE_ARCHIVE" \
|<i> openssl dgst -dss1 -sign "$DSA_PRIVKEY" \
</I>|<i> openssl enc -base64
</I>
It verifies correctly using this command-line:
echo "$SIGNATURE” | openssl enc -base64 -d > /tmp/decoded_signature
openssl dgst -sha1 -binary < "$RELEASE_ARCHIVE" > /tmp/release_archive_sha1
openssl dgst -dss1 -verify "$DSA_PUBKEY" -signature /tmp/decoded_signature /tmp/release_archive_sha1
After I wrote my email, I dug around for awhile. After a lot of research I learned
about ASN.1 DER’s usage in Dss-Sig-Value (<A HREF="http://www.ietf.org/rfc/rfc2459.txt">http://www.ietf.org/rfc/rfc2459.txt</A>). I
wrote this code that appeared to decode my Base64 encoded signature correctly (I
checked against <A HREF="http://lapo.it/asn1js/">http://lapo.it/asn1js/</A>):
def decode_DSA_signature(signature):
raw_signature = base64.b64decode(signature)
der = DerSequence()
der.decode(raw_signature)
return (der[0], der[1])
Unfortunately .verify() returns False on correctly verified signature and hash
pairs. I am using this new function like so:
def validate(dsa_pubkey, signature, zipfile):
with open(dsa_pubkey, 'rb') as f:
pubkey = DSA.importKey(f.read())
with open(zipfile, 'rb') as f:
h = SHA1.new()
h.update(f.read())
zipfile_digest = h.digest()
signature = decode_DSA_signature(signature)
return pubkey.verify(zipfile_digest, signature)
Maybe there is a problem with PyCrypto DSA and my environment?
>>><i> sys.version
</I>'2.7.6 (default, Feb 7 2014, 12:51:34) \n[GCC 4.2.1 Compatible Apple LLVM 5.0 (clang-500.2.79)]'
For the time being I’m invoking openssl(1) for this task.
Thank you for the reply!
Winston Weinert
On Apr 6, 2014, at 4:50, Legrandin <<A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">helderijs at gmail.com</A>> wrote:
><i> How was the signature created exactly?
</I>><i>
</I>><i> The .verify() method of a DSA object requires two integers, and there are several ways to encode them into a bytestring. It's very hard to guess the correct one for your case.
</I>><i>
</I>><i> FYI, there is a long standing pull request I created to add a saner DSA API:
</I>><i>
</I>><i> <A HREF="https://github.com/dlitz/pycrypto/pull/53">https://github.com/dlitz/pycrypto/pull/53</A>
</I>><i>
</I>><i> The verification method accepts DER or big-endian encoded signatures.
</I>><i>
</I>><i>
</I>><i>
</I>><i> 2014-04-05 21:03 GMT+02:00 Winston Weinert <<A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">winston at ml1.net</A>>:
</I>><i> Hello,
</I>><i>
</I>><i> I noticed in Git there is a “verify” method on Crypto.PublicKey.DSA. How do
</I>><i> I go about using this method? It wants a tuple, but unsure how to create
</I>><i> the appropriate tuple from my bytestring (which is decoded base64 text).
</I>><i> This is git revision 2d1aecd. The relevant code and error:
</I>><i>
</I>><i> Code:
</I>><i>
</I>><i> def validate(dsa_pubkey, signature, zipfile):
</I>><i> with open(dsa_pubkey, 'rb') as f:
</I>><i> pubkey = DSA.importKey(f.read())
</I>><i> with open(zipfile, 'rb') as f:
</I>><i> h = SHA1.new()
</I>><i> h.update(f.read())
</I>><i> zipfile_digest = h.digest()
</I>><i> decoded_signature = base64.b64decode(signature)
</I>><i>
</I>><i> return pubkey.verify(zipfile_digest, decoded_signature)
</I>><i>
</I>><i> Error:
</I>><i>
</I>><i> Traceback (most recent call last):
</I>><i> File "sparkle_tool.py", line 67, in <module>
</I>><i> validate_files(appcast, dsa_pubkey)
</I>><i> File "sparkle_tool.py", line 55, in validate_files
</I>><i> if validate(dsa_pubkey, signature, local_file):
</I>><i> File "sparkle_tool.py", line 33, in validate
</I>><i> return pubkey.verify(zipfile_digest, decoded_signature)
</I>><i> File "/home/winston/jobber/venv/local/lib/python2.7/site-packages/Crypto/PublicKey/DSA.py", line 222, in verify
</I>><i> return pubkey.pubkey.verify(self, M, signature)
</I>><i> File "/home/winston/jobber/venv/local/lib/python2.7/site-packages/Crypto/PublicKey/pubkey.py", line 126, in verify
</I>><i> return self._verify(M, signature)
</I>><i> File "/home/winston/jobber/venv/local/lib/python2.7/site-packages/Crypto/PublicKey/DSA.py", line 240, in _verify
</I>><i> (r, s) = sig
</I>><i> ValueError: too many values to unpack
</I>><i>
</I>><i> Thanks a bunch!
</I>><i> —
</I>><i> Winston Weinert
</I>><i> <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">winston at ml1.net</A>
</I>><i> _______________________________________________
</I>><i> pycrypto mailing list
</I>><i> <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">pycrypto at lists.dlitz.net</A>
</I>><i> <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</A>
</I>><i>
</I>><i> _______________________________________________
</I>><i> pycrypto mailing list
</I>><i> <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">pycrypto at lists.dlitz.net</A>
</I>><i> <A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</A>
</I>
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="000792.html">[pycrypto] Verify DSA bytestring signature
</A></li>
<LI>Next message: <A HREF="000794.html">[pycrypto] Verify DSA bytestring signature
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#793">[ date ]</a>
<a href="thread.html#793">[ thread ]</a>
<a href="subject.html#793">[ subject ]</a>
<a href="author.html#793">[ author ]</a>
</LI>
</UL>
<hr>
<a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">More information about the pycrypto
mailing list</a><br>
</body></html>
|
