Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

verify singed data (with pkcs7 standard) #6413

Closed
gadididi opened this issue Oct 13, 2021 · 5 comments
Closed

verify singed data (with pkcs7 standard) #6413

gadididi opened this issue Oct 13, 2021 · 5 comments

Comments

@gadididi
Copy link

Hi everyone!
I have a message that i signed with pkcs7/cms format.
i read in Doc and i used:

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.serialization import pkcs7
cert = x509.load_pem_x509_certificate(ca_cert)
key = serialization.load_pem_private_key(ca_key, None)
options = [pkcs7.PKCS7Options.DetachedSignature]
pkcs7.PKCS7SignatureBuilder().set_data(
    b"data to sign"
).add_signer(
    cert, key, hashes.SHA256()
).sign(
    serialization.Encoding.DER, options
)
b'...'

i created .cms file and i can parse it by openssl command line.

Now, i want to verify the signature. i extract the signature from the cms file (by asn1crypyo lib)
i saw this:

public_key = private_key.public_key()
public_key.verify(
    signature,
    message,
    padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    ),
    hashes.SHA256()
)

but i cant verify .. thow exception that the signature is invalid..
i succeed to run opemssl command:
"openssl cms -verify -inform DER -in file.cms -content text.txt -certfile file.cert.pem -noverify"

someone can help me how to verify this?
@tiran
Copy link
Contributor

tiran commented Oct 13, 2021

Most legacy protocols use PKCS#1 v1.5 with RSA keys. Please try again with padding.PKCS1v15.

@gadididi
Copy link
Author

gadididi commented Oct 13, 2021
edited
Loading

Most legacy protocols use PKCS#1 v1.5 with RSA keys. Please try again with padding.PKCS1v15.

public_key = private_key.public_key()
public_key.verify(
    signature,
    message,
    padding=padding.PKCS1v15(),
    hashes.SHA256()
)

i did it but same error.. Invalid signature ..

@tiran
Copy link
Contributor

tiran commented Oct 13, 2021

Sorry, I just noticed that you are doing PKCS#7. I should have read your code more carefully.

PyCA cryptography has no public PKCS#7 verification API yet. There is only an internal helper for unit tests at

cryptography/tests/hazmat/primitives/test_pkcs7.py

Lines 81 to 84 in 1d996e5

# We have no public verification API and won't be adding one until we get
# some requirements from users so this function exists to give us basic
# verification for the signing tests.
def _pkcs7_verify(encoding, sig, msg, certs, options, backend):

@gadididi
Copy link
Author

Sorry, I just noticed that you are doing PKCS#7. I should have read your code more carefully.

PyCA cryptography has no public PKCS#7 verification API yet. There is only an internal helper for unit tests at

cryptography/tests/hazmat/primitives/test_pkcs7.py

Lines 81 to 84 in 1d996e5

# We have no public verification API and won't be adding one until we get
# some requirements from users so this function exists to give us basic
# verification for the signing tests.
def _pkcs7_verify(encoding, sig, msg, certs, options, backend):

thank you!
it verify great for me!

@reaperhulk
Copy link
Member

Be aware that is not public API. Closing in favor if #5471. We do need users to articulate exactly what they need out of a PKCS7 verification API before we can build it though.

@pirm-in pirm-in mentioned this issue Oct 26, 2021
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 17, 2022
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@reaperhulk @tiran @gadididi