2

I am trying to translate the following Java into its Python equivalent.

 // certificate is contents of https://fps.sandbox.amazonaws.com/certs/090909/PKICert.pem
 // signature is a string that I need to verify.
 CertificateFactory factory = CertificateFactory.getInstance("X.509");
 X509Certificate x509Certificate = 
            (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(certificate.getBytes()));
 Signature signatureInstance = Signature.getInstance(signatureAlgorithm);
 signatureInstance.initVerify(x509Certificate.getPublicKey());
 signatureInstance.update(stringToSign.getBytes(UTF_8_Encoding));
 return signatureInstance.verify(Base64.decodeBase64(signature.getBytes()));

This is for the PKI signature verification used by AWS FPS. http://docs.amazonwebservices.com/AmazonFPS/latest/FPSAccountManagementGuide/VerifyingSignature.html

Thanks for your help!

4

3 Answers

2

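I looked into doing this with pyCrypto and keyczar, but the problem is that neither has the ability to parse X509 certificates (keyczar has keyczar.util.ParseX509(), but it is limited and doesn't work on the AWS certificate or, I'd guess, any real-world certificate).

I believe M2Crypto works, though. See the snippet below; it needs a real signature and the plaintext filled in to actually test it.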

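from M2Crypto import X509

# Load the certificate and take its public key (PKICert.pem from the question).
cert = X509.load_cert("PKICert.pem")
pub_key = cert.get_pubkey()

plaintext = b"YYY"  # Put plaintext message here, as bytes
signature = b"XXX"  # Put raw signature bytes here (base64-decode the value first)

pub_key.verify_init()
pub_key.verify_update(plaintext)
# verify_final() returns 1 only for a valid signature (0 means invalid, -1 an
# error), so compare against 1 instead of testing truthiness.
if pub_key.verify_final(signature) != 1:
    print("Signature failed")
Answered 2010-09-23T02:23:32.540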
0

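I've written a lot of Python code that deals with X509. I always fall back to calling openssl via the subprocess module. Although I've never used Google's keyczar library, it has been generating a lot of buzz.

Answered 2010-04-16T17:02:46.427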
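The subprocess-plus-openssl approach mentioned in the answer above, sketched as an added example that is not code from any of the posters. It assumes the `openssl` command-line tool is on PATH; `verify_with_cert`, `make_sample`, `run` and the digest allowlist are hypothetical names, and the key, certificate and message are constructed test input.

```python
import base64
import subprocess
import tempfile
from pathlib import Path

ALLOWED_DIGESTS = {"sha1", "sha256", "sha512"}  # assumed allowlist for the -<digest> flag


def run(cmd, **kw):
    return subprocess.run(cmd, capture_output=True, **kw)


def verify_with_cert(cert_path, string_to_sign, signature_b64, digest="sha256"):
    """Return True only if openssl confirms signature_b64 over string_to_sign."""
    if digest not in ALLOWED_DIGESTS:
        raise ValueError("unsupported digest: %r" % digest)
    try:
        sig = base64.b64decode(signature_b64, validate=True)
    except ValueError:  # malformed base64 counts as a failed verification
        return False
    # Same step as x509Certificate.getPublicKey(): PEM public key on stdout.
    pub_pem = run(["openssl", "x509", "-in", str(cert_path), "-pubkey", "-noout"],
                  check=True).stdout
    with tempfile.TemporaryDirectory() as tmp:
        pub, sig_file = Path(tmp, "pub.pem"), Path(tmp, "sig.bin")
        pub.write_bytes(pub_pem)
        sig_file.write_bytes(sig)
        res = run(["openssl", "dgst", "-" + digest, "-verify", str(pub),
                   "-signature", str(sig_file)], input=string_to_sign.encode("utf-8"))
    # Fail closed: require both a zero exit status and the success message.
    return res.returncode == 0 and res.stdout.strip() == b"Verified OK"


def make_sample(tmp, message):
    """Constructed test input: throwaway key, self-signed cert, base64 signature."""
    key, cert = str(Path(tmp, "key.pem")), str(Path(tmp, "cert.pem"))
    run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
         "-out", cert, "-subj", "/CN=example.test", "-days", "1"], check=True)
    signed = run(["openssl", "dgst", "-sha256", "-sign", key],
                 input=message.encode("utf-8"), check=True).stdout
    return cert, base64.b64encode(signed).decode("ascii")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        cert_file, sig_b64 = make_sample(d, "amount=10&status=OK")
        print(verify_with_cert(cert_file, "amount=10&status=OK", sig_b64))
        print(verify_with_cert(cert_file, "amount=99&status=OK", sig_b64))
```

Like the Java in the question, this checks only the signature against the certificate's public key; it does not validate the certificate chain or expiry. The `digest` argument has to match the signature algorithm the sender used.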
0

After all was said and done, I decided not to use a native library to verify the signature (because M2Crypto doesn't port easily to 64-bit Windows). I found that later versions of the Amazon FPS API include a REST/SOAP call to verify the signature, so if a round trip to their server isn't too expensive, you can just call VerifySignature. I've added support for this in the next version of boto as boto.fps.connection.verify_signature.

Answered 2010-10-20T12:13:12.143