<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><p class="MsoNormal">Hi Cryptography Developers,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m a fresher for the cryptography
module. Currently I’m seeking a python module to implement the same function
with the following openssl commands.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;
color:#333333">sha512sum clear-installer.img.xz > sha512sum.out<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">openssl smime -verify -purpose any -in clear-installer.img.xz-SHA512SUMS.sig -inform der -content sha512sum.out -CAfile ClearLinuxRoot.pem<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span></span></pre><pre><span id="_webmail_bookmark_start_5" style="display: none;"></span>The ‘ClearLinuxRoot.pem’ is a X509 certificate and these commands would verify if the signature SHA512SUMS.sig is valid.<o:p></o:p></pre><pre> I refer the documents of cryptography module and try to use the cryptography to implement this function as the following script “verify.py” shows.</pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">#!/usr/bin/env python2<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">import sys<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">from cryptography import x509<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">from cryptography.exceptions import InvalidSignature<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">from cryptography.hazmat.backends import default_backend<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">from cryptography.hazmat.primitives import hashes<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">from cryptography.hazmat.primitives.asymmetric import padding<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">from cryptography.hazmat.primitives.asymmetric import rsa<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">from cryptography.hazmat.primitives.asymmetric import utils<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span></span> </pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">if len(sys.argv) != 4:<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> print('USAGE: verify.py pem message signature')<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> sys.exit(2)<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">pemfile = sys.argv[1]<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">messagefile = sys.argv[2]<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">sigfile = sys.argv[3]<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span></span> </pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">with open(pemfile) as f:<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> cert = x509.load_pem_x509_certificate(f.read(), default_backend())<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> pubkey = cert.public_key()<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">with open(messagefile, 'rb') as m:<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> message = m.read()<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">with open(sigfile, 'rb') as s:<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> signature = s.read()<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span></span>try:</pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> pubkey.verify(<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> signature,<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> message,<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> padding.PSS(<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> mgf=padding.MGF1(hashes.SHA512()),<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> salt_length=padding.PSS.MAX_LENGTH),<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> hashes.SHA512())<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> print('valid!')<o:p></o:p></span></span></pre><pre><span class="go"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> sys.exit(0)<o:p></o:p></span></span></pre><pre><span style="font-size:9.0pt;font-family:Consolas;color:#404040">except InvalidSignature:</span><span style="color:#404040"><o:p></o:p></span></pre><pre><span style="font-size:9.0pt;
font-family:Consolas;color:#404040"> print('invalid!')<o:p></o:p></span></pre><pre style="text-indent:19.2pt"><span style="font-size:9.0pt;font-family:Consolas;
color:#404040">sys.exit(1)<o:p></o:p></span></pre><pre><span style="font-size:
9.0pt;font-family:Consolas;color:#404040"> </span> </pre><pre><span id="_webmail_bookmark_start_11" style="display: none;"></span>I run command “./verify.py ClearLinuxRoot.pem clear-installer.img.xz clear-installer.img.xz-SHA512SUMS.sig”, but the output of these codes are always “invalid”. I’m not sure if I write the code correctly, or cryptography doesn’t support smime. Could you please kindly provide some information on this? <o:p></o:p></pre><pre> </pre><pre>Thanks a lot!<o:p></o:p></pre><pre> </pre><pre>Dapeng Mi<span id="_webmail_bookmark_end_12" style="display: none;"></span><span style="font-size:9.0pt;font-family:Consolas;color:#404040"><o:p></o:p></span></pre></div><br><br><span title="neteasefooter"><p> </p></span>