September 27th, 2013, 02:01 PM
PyCrypto - Verifying Signatures on Data and Certifictes
I apologize before hand for the long post, but I just wanted to be thorough in what I was doing.
I am trying to use the PyCrypto library to achieve two similar things. The first use is to verify that a piece of data has been signed by the private key of a certain certificate. The other use is to verify a certificate chain (verify that certificate A has signed B, and then that B has signed C).
The process is as follows:
Client generates certificate / key-pairs A, B, C and D. A signs B, and B signs C and D. Then the certificates for A, signed B, signed C and signed D are pushed to a server. The server responds with a randomly generated bit of binary or string data (exact type is still being worked out, but both types have been tried) for each certificate. The client then signs the respective data, and then pushes the (base64 encoded) signed responses back to the server. The server then takes the responses, decodes them and tries to verify the signatures.
Code / Attempts:
My first attempt (semi-pseudo) -
With this code I got the following error response from the verify function: "must be string without null bytes, not str".
Astr = storedcertificates["acert"]
Achallenge = storedchallenges["achallenge"]
Signedchallenge = (read in from http post request)
Acert = load_certificate(FILETYPE_PEM, Astr)
verify (Acert, Signedchallenge, Achallenge, "sha256")
except Exception e:
print "failed to verify for reason:"
#Repeat above for B, C and D
My second attempt -
Having the above code fail, I then found and tried adapting the code http://www.v13.gr/blog/?p=303 , but I first received that the function "get_signature_algorithm()" does not exists for X509 certificates, and then received the same error response back for the verify function if I commented out the signature algorithm and just manually provided the digest.
For the chain verification stuff, I followed the example code from the above link exactly, but received the same errors as the second example code (algorithm and string / str).
Acert = load_certificate(FILETYPE_PEM, storedcerts["root"])
challenge = (original binary challenge sent to client)
algorithm = Acert.get_signature_algorithm()
dersigin = asn1.DerObject()
sig0 = dersigin.payload
if sig0 != '\x00':
print "sig0 error"
signature = sig0[1:]
verify(Acert, signature, challenge, algorithm)
#verify(Acert, signature, challenge, "sha256") #Alternate without the get_sig_alg()
print "verifcation failed"
print "THE VERIFICATION WORKED?!?!?!?!?!?!??!"
What am I doing wrong / How am I using the library incorrectly?