无法根据 m2crypto 中的 DSA 公钥验证 dsawithSha1 签名消息

发布于 2024-11-19 15:12:44 字数 5044 浏览 1 评论 0原文

我正在尝试使用持有 dsa 公钥的 x509 证书来验证签名消息。 x509 证书由 SAP 系统以 PKCS7 编码提供,在使用 openssl 转换为 PEM 后,我可以读取内容(openssl x509 -in sapcert.pem -inform pem -text) 它在 dsaEncryption 中保存一个公钥,向我显示 DSA 参数 y(pub)、p、q 和 g。

因为我在 M2Crypto x509 类中没有找到 DSA 实现,所以我尝试自己构建 DSA 公钥。因此,我修补了 MyCrypto,(请参阅:如何在给定参数和键值的情况下创建 M2Crypto DSA 对象?),对其进行编译并获得新函数DSA.pub_key_from_params(p,q,g,y) 使用证书中的参数构建我的 DSA 公钥。 到目前为止,一切正常。 (单元测试虽然运行没有错误)。

在第二步中,我收到签名消息(名为 seckey)作为 URL 参数,并在对其进行解码(base64)后,我得到了一个正确的 DER 字符串,我可以使用 openssl 读取(openssl ans1parse -in seckey -inform der)。 在 openssl 的输出中,我可以看到签名的 messageDigest,它正是我尝试验证的 SHA1 编码的 messagedigest(因此我可以确保正确提供了signedMessage)。虽然我可以看到 dsaWithSHA1 签名字符串,它似乎包含验证 dsa 签名消息所需的 r 和 s 值(请参阅:M2Crypto:验证 DSA 签名

此时,我尝试验证签名消息已经好几天了,我希望有一个密码学专家可以帮助我。我尝试并用谷歌搜索了很多,尝试了 pyCrypto lib,但都没有成功。

我尝试将 SHA1 MessageDigest 以及 r 和 s 值传递给 M2Crypto.DSA.verify 函数,但由于失败,我认为我必须传递signedMessage 或其部分内容。 (在 Java 论坛中,我发现了一些关于验证 SAP 提供的签名消息的帖子,其中有一些关于通过“DER 编码”计算签名的帖子 签名属性。”?)

这是我的示例代码:

# -*- coding: iso-8859-1 -*-

import M2Crypto
import urllib
import base64
from Crypto.Util import asn1
from M2Crypto import m2
import sha

# the certificate
cert = """subject=/C=DE/O=SAP Trust Community/OU=SAP Web AS/OU=I0020154766/CN=RE2
issuer=/C=DE/O=SAP Trust Community/OU=SAP Web AS/OU=I0020154766/CN=RE2
-----BEGIN CERTIFICATE-----
MIICMDCCAe8CAQAwCQYHKoZIzjgEAzBkMQswCQYDVQQGEwJERTEcMBoGA1UEChMT
U0FQIFRydXN0IENvbW11bml0eTETMBEGA1UECxMKU0FQIFdlYiBBUzEUMBIGA1UE
CxMLSTAwMjAxNTQ3NjYxDDAKBgNVBAMTA1JFMjAeFw05NzEwMDEwMDAwMDBaFw0z
ODAxMDEwMDAwMDBaMGQxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3Qg
Q29tbXVuaXR5MRMwEQYDVQQLEwpTQVAgV2ViIEFTMRQwEgYDVQQLEwtJMDAyMDE1
NDc2NjEMMAoGA1UEAxMDUkUyMIHyMIGpBgcqhkjOOAQBMIGdAkEA//8x1Bqn4a00
FKr9CTwPPskxy0yrx7iU6T4vza4wW93Mo2d/IYTZNAxFqhrm+fIUrEp5fxIpYRmJ
rKL2qRCUmQIVANrcsXlFvrXH455gM69vKZebhQZfAkEAmYzXTzHYwvqKEM46FvQX
yC5O+JInwgk7Dac7gqGAkkhCS1aII4Vkc9kIEx3GFLD2mx4+yJuMQ8pQ4wz4FkfB
JANEAAJBAI1em/0owxMTEP+akz56BovQ7Q6LiqUmVLLxJcjDozjI+5z6IrAPtub2
veLXPdghDHcHB5jHKoqT4JHpqRc+uhIwCQYHKoZIzjgEAwMwADAtAhRm2jqiMWL+
26mA7HdKfZdkawMuYQIVAMekXdAT4wbyrb5/yFtuIPjCBfpr
-----END CERTIFICATE-----

"""
f = open('sapcert.pem', 'w')
f.write(cert)
f.close()

# now you can see it content with openssl
# openssl x509 -in sapcert.pem -inform pem -text


# this is the signedMessage
secKey = "MIIBSwYJKoZIhvcNAQcCoIIBPDCCATgCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGCARcwggETAgEBMGkwZDELMAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVzdCBDb21tdW5pdHkxEzARBgNVBAsTClNBUCBXZWIgQVMxFDASBgNVBAsTC0kwMDIwMTU0NzY2MQwwCgYDVQQDEwNSRTICAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTExMDUyNjE1MzAyNVowIwYJKoZIhvcNAQkEMRYEFPelg4iVtaKORpuFxUvgo23Du7%2BtMAkGByqGSM44BAMELjAsAhQ46oCNmzZArb5yOFSYGY0hWu8dZwIUT35hPccJ6B9HIsOE0u8LwYZaFNk%3D"
secKey = urllib.unquote(secKey)
secKey64 = base64.b64decode(secKey)
# now you can save it as a DER encoded file
f = open('seckey.der', 'wb')
f.write(secKey64)
f.close()
# you can pass it to openssl to see the the content
# openssl asn1parse -in seckey.der -inform der


# here is the sha1 encoded messagedigest I had to verify
hashstr = "ZS4DDB9616BA031C40E1008003AC100097dCN%3DRE2,OU%3DI0020154766,OU%3DSAPWebAS,O%3DSAPTrustCommunity,C%3DDE20110526173025"
osha1=M2Crypto.EVP.MessageDigest('sha1')
osha1.update(hashstr)
sha1_md = osha1.digest()
print sha1_md.encode('hex')

# now i build a DSA key with the params found in the certificate

pub="8d5e9bfd28c3131310ff9a933e7a068bd0ed0e8b8aa52654b2f125c8c3a338c8fb9cfa22b00fb6e6f6bde2d73dd8210c77070798c72a8a93e091e9a9173eba12"
p="ffff31d41aa7e1ad3414aafd093c0f3ec931cb4cabc7b894e93e2fcdae305bddcca3677f2184d9340c45aa1ae6f9f214ac4a797f1229611989aca2f6a9109499"
q="dadcb17945beb5c7e39e6033af6f29979b85065f"
g="998cd74f31d8c2fa8a10ce3a16f417c82e4ef89227c2093b0da73b82a1809248424b568823856473d908131dc614b0f69b1e3ec89b8c43ca50e30cf81647c124"


pub1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(pub))
p1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(p))
q1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(q))
g1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(g))

# this function is available after patching und compiling M2Crypto
# https://bugzilla.osafoundation.org/attachment.cgi?id=5700
dsa1 = M2Crypto.DSA.pub_key_from_params(p1, q1, g1, pub1)
print dsa1.check_key()

# this seems to be the signature-values r and s in seckey.der
asn_hex = "302C021438EA808D9B3640ADBE72385498198D215AEF1D6702144F7E613DC709E81F4722C384D2EF0BC1865A14D9"

r = asn_hex[8:48]
s = asn_hex[52:]
r1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(r))
s1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(s))

# but this fails
v = dsa1.verify(sha1_md, r1, s1)
print v

# this too
sk = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.bin_to_bn(secKey64))
v = dsa1.verify(sk, r1, s1)
print v

有谁知道如何进行正确的 dsawithsha1 签名验证吗?请帮忙! 此致, 法尔科

I'm trying to verify a signed message using a x509 certificate holding a dsa public key.
The x509 certificate was provided by an SAP System in PKCS7 encoding and after converting in PEM with openssl I'm able to read the contents (openssl x509 -in sapcert.pem -inform pem -text)
It holds a public key in dsaEncryption, showing me the DSA parameters y(pub), p, q and g.

Because I did not found a DSA implementation in M2Crypto x509 class, I tried to build the DSA public key by myself. Therefor I patched MyCrypto, (see: How do I create a M2Crypto DSA object given parameters and key values?), compilied it and got a new function DSA.pub_key_from_params(p,q,g,y) to build my DSA public-key using the parameters found in the certificate.
Until this point everything works fine. (The unittest although ran without errors).

In the second step I recieve the signedMessage (named seckey) as an URL parameter and after decoding it (base64) I got an proper DER string I'm able to read with openssl (openssl ans1parse -in seckey -inform der).
In the output from openssl I can see the signed messageDigest, which is exactly the SHA1 encoded messagedigest I try to verify (so I can be sure the signedMessage was provided properly). Although I can see a dsaWithSHA1 signature string which seems to hold the r and s values needing for verify an dsa signed message (see: M2Crypto: verifying DSA signatures)

At this point I stuck in my attempts to verify the signedMessage for a couple of days now and I hope there is a crytographic-expert out there who can help me. I tried and googled a lot, tried the pyCrypto lib instead, all without success.

I tried to pass the SHA1 MessageDigest and the r and s values to the M2Crypto.DSA.verify function but due it fails I think I either had to pass the signedMessage or parts of it.
(in a Java forum I found some posts about verifying signedMessages provided by SAP and theres somewhat about calculating the signature over "the DER encoding
of the signed attributes." ?)

Here's my sample code:

# -*- coding: iso-8859-1 -*-

import M2Crypto
import urllib
import base64
from Crypto.Util import asn1
from M2Crypto import m2
import sha

# the certificate
cert = """subject=/C=DE/O=SAP Trust Community/OU=SAP Web AS/OU=I0020154766/CN=RE2
issuer=/C=DE/O=SAP Trust Community/OU=SAP Web AS/OU=I0020154766/CN=RE2
-----BEGIN CERTIFICATE-----
MIICMDCCAe8CAQAwCQYHKoZIzjgEAzBkMQswCQYDVQQGEwJERTEcMBoGA1UEChMT
U0FQIFRydXN0IENvbW11bml0eTETMBEGA1UECxMKU0FQIFdlYiBBUzEUMBIGA1UE
CxMLSTAwMjAxNTQ3NjYxDDAKBgNVBAMTA1JFMjAeFw05NzEwMDEwMDAwMDBaFw0z
ODAxMDEwMDAwMDBaMGQxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3Qg
Q29tbXVuaXR5MRMwEQYDVQQLEwpTQVAgV2ViIEFTMRQwEgYDVQQLEwtJMDAyMDE1
NDc2NjEMMAoGA1UEAxMDUkUyMIHyMIGpBgcqhkjOOAQBMIGdAkEA//8x1Bqn4a00
FKr9CTwPPskxy0yrx7iU6T4vza4wW93Mo2d/IYTZNAxFqhrm+fIUrEp5fxIpYRmJ
rKL2qRCUmQIVANrcsXlFvrXH455gM69vKZebhQZfAkEAmYzXTzHYwvqKEM46FvQX
yC5O+JInwgk7Dac7gqGAkkhCS1aII4Vkc9kIEx3GFLD2mx4+yJuMQ8pQ4wz4FkfB
JANEAAJBAI1em/0owxMTEP+akz56BovQ7Q6LiqUmVLLxJcjDozjI+5z6IrAPtub2
veLXPdghDHcHB5jHKoqT4JHpqRc+uhIwCQYHKoZIzjgEAwMwADAtAhRm2jqiMWL+
26mA7HdKfZdkawMuYQIVAMekXdAT4wbyrb5/yFtuIPjCBfpr
-----END CERTIFICATE-----

"""
f = open('sapcert.pem', 'w')
f.write(cert)
f.close()

# now you can see it content with openssl
# openssl x509 -in sapcert.pem -inform pem -text


# this is the signedMessage
secKey = "MIIBSwYJKoZIhvcNAQcCoIIBPDCCATgCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGCARcwggETAgEBMGkwZDELMAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVzdCBDb21tdW5pdHkxEzARBgNVBAsTClNBUCBXZWIgQVMxFDASBgNVBAsTC0kwMDIwMTU0NzY2MQwwCgYDVQQDEwNSRTICAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTExMDUyNjE1MzAyNVowIwYJKoZIhvcNAQkEMRYEFPelg4iVtaKORpuFxUvgo23Du7%2BtMAkGByqGSM44BAMELjAsAhQ46oCNmzZArb5yOFSYGY0hWu8dZwIUT35hPccJ6B9HIsOE0u8LwYZaFNk%3D"
secKey = urllib.unquote(secKey)
secKey64 = base64.b64decode(secKey)
# now you can save it as a DER encoded file
f = open('seckey.der', 'wb')
f.write(secKey64)
f.close()
# you can pass it to openssl to see the the content
# openssl asn1parse -in seckey.der -inform der


# here is the sha1 encoded messagedigest I had to verify
hashstr = "ZS4DDB9616BA031C40E1008003AC100097dCN%3DRE2,OU%3DI0020154766,OU%3DSAPWebAS,O%3DSAPTrustCommunity,C%3DDE20110526173025"
osha1=M2Crypto.EVP.MessageDigest('sha1')
osha1.update(hashstr)
sha1_md = osha1.digest()
print sha1_md.encode('hex')

# now i build a DSA key with the params found in the certificate

pub="8d5e9bfd28c3131310ff9a933e7a068bd0ed0e8b8aa52654b2f125c8c3a338c8fb9cfa22b00fb6e6f6bde2d73dd8210c77070798c72a8a93e091e9a9173eba12"
p="ffff31d41aa7e1ad3414aafd093c0f3ec931cb4cabc7b894e93e2fcdae305bddcca3677f2184d9340c45aa1ae6f9f214ac4a797f1229611989aca2f6a9109499"
q="dadcb17945beb5c7e39e6033af6f29979b85065f"
g="998cd74f31d8c2fa8a10ce3a16f417c82e4ef89227c2093b0da73b82a1809248424b568823856473d908131dc614b0f69b1e3ec89b8c43ca50e30cf81647c124"


pub1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(pub))
p1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(p))
q1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(q))
g1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(g))

# this function is available after patching und compiling M2Crypto
# https://bugzilla.osafoundation.org/attachment.cgi?id=5700
dsa1 = M2Crypto.DSA.pub_key_from_params(p1, q1, g1, pub1)
print dsa1.check_key()

# this seems to be the signature-values r and s in seckey.der
asn_hex = "302C021438EA808D9B3640ADBE72385498198D215AEF1D6702144F7E613DC709E81F4722C384D2EF0BC1865A14D9"

r = asn_hex[8:48]
s = asn_hex[52:]
r1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(r))
s1 = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(s))

# but this fails
v = dsa1.verify(sha1_md, r1, s1)
print v

# this too
sk = M2Crypto.m2.bn_to_mpi(M2Crypto.m2.bin_to_bn(secKey64))
v = dsa1.verify(sk, r1, s1)
print v

Is there anybody who knows how to do a proper dsawithsha1 signature verification? Please help!
best Regards,
Falko

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

走过海棠暮 2024-11-26 15:12:44

您在示例代码中命名的 seckey64 实际上是来自 CMS 的 SignedData 结构

它包含两个“签名属性”,签名时间和消息摘要。为了将其验证为签名,您需要遵循在至少存在一个签名属性时适用的 RFC 规则。

在您的情况下,原始数据的消息摘要包含在消息摘要属性中,因此您需要首先将您的计算与属性的每个字节的值字节进行比较。

如果它们相等,则您可以从 SignerInfo 结构的相应字段中提取签名值。最后,作为 DSA 签名验证的其他输入的 SHA-1 消息摘要将通过 SignerInfo 签名属性的原始编码进行计算。我不确定 M2Crypto 是否内置对 SignedData 的支持(它仍然经常被称为 PKCS#7),但我猜 pyOpenSSL 应该支持它,所以如果 M2Crypto 把你引向死胡同,你可以尝试一下。

What you named seckey64 in your sample code is actually a SignedData structure from CMS.

It contains two "signed attributes", signing-time and message-digest. In order to verify this as a signature you need to follow the rules of the RFC that apply when at least one signed attribute is present.

In your case the message digest of the original data is contained in the message-digest attribute, so you would need to compare your computation with the attribute's value byte per byte first.

If these are equal, then you'd extract the signature value from the appropriate field of the SignerInfo structure. Finally your SHA-1 message digest that serves as the other input to the DSA signature verification will be computed over the raw encoding of the signed attributes of the SignerInfo. I'm not sure if M2Crypto has built-in support for SignedData (it's still often referred to as PKCS#7), but I guess pyOpenSSL should support it, so you could give it a try if M2Crypto leads you to a dead end.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文