Translate Java to Python -- signing strings with PEM certificate files

I'm trying to translate the following Java into its Python equivalent.

 // certificate is contents of https://fps.sandbox.amazonaws.com/certs/090909/PKICert.pem
 // signature is a string that I need to verify.
 CertificateFactory factory = CertificateFactory.getInstance("X.509");
 X509Certificate x509Certificate = 
            (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(certificate.getBytes()));
 Signature signatureInstance = Signature.getInstance(signatureAlgorithm);
 signatureInstance.initVerify(x509Certificate.getPublicKey());
 signatureInstance.update(stringToSign.getBytes(UTF_8_Encoding));
 return signatureInstance.verify(Base64.decodeBase64(signature.getBytes()));

This is for the PKI signature verification used by AWS FPS. http://docs.amazonwebservices.com/AmazonFPS/latest/FPSAccountManagementGuide/VerifyingSignature.html

Thanks for your help!

Answers

I looked into doing this with pyCrypto and keyczar, but the problem is neither has the ability to parse X509 certificates (keyczar has keyczar.util.ParseX509() but it is limited and doesn't work for the AWS cert or, I'm guessing, any real-world cert).

I believe M2Crypto works though. See the following code snippet, which needs a real signature and plaintext filled in to really test.

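from M2Crypto import X509

cert = X509.load_cert("PKICert.pem")
pub_key = cert.get_pubkey()

plaintext = b"YYY"  # Put plaintext message here (as bytes)
signature = b"XXX"  # Put raw signature bytes here (base64-decode it first, as the Java does)

pub_key.verify_init()
pub_key.verify_update(plaintext)
# verify_final() returns 1 on success, 0 on failure and -1 on error.
# Compare against 1: "not -1" is False, so an error would pass as valid.
if pub_key.verify_final(signature) != 1:
    print("Signature failed")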

I've written lots of Python code dealing with X509 stuff. I've always fallen back to calling openssl via the subprocess module. Google's keyczar library is getting some buzz although I've never used it.
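
The approach from the answer above (calling openssl through the subprocess module), written out as an added example that is not part of the original answers. It performs the same check as the Java in the question; the function names, the sha256 default and the throwaway self-signed certificate used as sample input are assumptions made for illustration.

```python
import base64
import os
import subprocess
import tempfile

DIGESTS = {"sha1", "sha256", "sha512"}  # allowlist (assumption: the page names no algorithm)

def _openssl(*args, data=None):
    # Argument list with no shell, so values are never parsed as shell syntax.
    return subprocess.run(["openssl", *args], input=data, capture_output=True)

def verify_with_cert(cert_path, string_to_sign, signature_b64, digest="sha256"):
    """True only if signature_b64 verifies over string_to_sign with the cert's key."""
    if digest not in DIGESTS:
        raise ValueError("unsupported digest: %r" % digest)
    try:
        sig = base64.b64decode(signature_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed means not verified
        return False
    pub = _openssl("x509", "-in", cert_path, "-pubkey", "-noout")
    if pub.returncode != 0:
        raise ValueError("cannot read certificate: " + pub.stderr.decode())
    with tempfile.TemporaryDirectory() as tmp:
        pub_path = os.path.join(tmp, "pub.pem")
        sig_path = os.path.join(tmp, "sig.bin")
        for path, blob in ((pub_path, pub.stdout), (sig_path, sig)):
            with open(path, "wb") as f:
                f.write(blob)
        res = _openssl("dgst", "-" + digest, "-verify", pub_path,
                       "-signature", sig_path, data=string_to_sign.encode("utf-8"))
    # Exit status 0 is the only success; every other status counts as failure.
    return res.returncode == 0

def make_sample(tmp, message, digest="sha256"):
    """Constructed input: throwaway self-signed cert and a base64 signature."""
    key, cert = os.path.join(tmp, "key.pem"), os.path.join(tmp, "cert.pem")
    gen = _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                   "-subj", "/CN=constructed-example", "-keyout", key, "-out", cert)
    if gen.returncode != 0:
        raise RuntimeError(gen.stderr.decode())
    sig = _openssl("dgst", "-" + digest, "-sign", key, data=message.encode("utf-8"))
    return cert, base64.b64encode(sig.stdout).decode()

def demo():
    with tempfile.TemporaryDirectory() as d:
        cert, sig = make_sample(d, "amount=10&status=OK")
        return (verify_with_cert(cert, "amount=10&status=OK", sig),    # valid
                verify_with_cert(cert, "amount=99&status=OK", sig),    # tampered text
                verify_with_cert(cert, "amount=10&status=OK", "not-base64!"))
```

This checks only the signature against the certificate's public key; it does not validate the certificate's chain or expiry.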

After all was said and done, I decided not to use a native library to verify the signature (because M2Crypto doesn't port easily to 64-bit Windows). I found that later versions of the Amazon FPS API include a REST/SOAP call to verify the signature, so if a round trip to their server isn't too expensive, you can just call VerifySignature. I've added support for this in the next version of boto as boto.fps.connection.verify_signature.




