[Cryptography-dev] Does cryptography support openssl smime signature verification?

弥大鹏 clark_mdp at 163.com
Sun Sep 8 01:01:49 EDT 2019


Hi Cryptography Developers,

 

I’m new to the cryptography module. Currently I’m looking for a Python module that implements the same function as the following openssl commands.

 

sha512sum clear-installer.img.xz > sha512sum.out
openssl smime -verify -purpose any -in clear-installer.img.xz-SHA512SUMS.sig -inform der -content sha512sum.out -CAfile ClearLinuxRoot.pem
 
‘ClearLinuxRoot.pem’ is an X509 certificate, and these commands verify whether the signature SHA512SUMS.sig is valid.
I referred to the documentation of the cryptography module and tried to use it to implement this function, as the following script “verify.py” shows.
 
#!/usr/bin/env python2
 
import sys
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import utils
  
if len(sys.argv) != 4:
    print('USAGE: verify.py pem message signature')
    sys.exit(2)
 
pemfile = sys.argv[1]
messagefile = sys.argv[2]
sigfile = sys.argv[3]
  
# Load the X509 certificate and take its public key.
with open(pemfile, 'rb') as f:
    cert = x509.load_pem_x509_certificate(f.read(), default_backend())
    pubkey = cert.public_key()

with open(messagefile, 'rb') as m:
    message = m.read()

with open(sigfile, 'rb') as s:
    signature = s.read()

# Check the signature file's bytes as an RSA-PSS/SHA-512 signature over the message.
try:
    pubkey.verify(
        signature,
        message,
        padding.PSS(
            mgf=padding.MGF1(hashes.SHA512()),
            salt_length=padding.PSS.MAX_LENGTH),
        hashes.SHA512())
    print('valid!')
    sys.exit(0)
except InvalidSignature:
    print('invalid!')
    sys.exit(1)
  
I ran the command “./verify.py ClearLinuxRoot.pem clear-installer.img.xz clear-installer.img.xz-SHA512SUMS.sig”, but the output of this code is always “invalid”. I’m not sure whether I wrote the code correctly or whether cryptography doesn’t support smime. Could you please provide some information on this?
 
Thanks a lot!
 
Dapeng Mi