I am having difficulties debugging a django/python application that requires a public key to be used to sign a certificate.
1. I created a key in PEM format from my private key using the following command
openssl rsa -pubout -in ~/.ssh/id_rsa > samplePEMKey.pub
The key is given below
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8K/LfOBi+QrINSseqWwc
JGo4uE49Dc42zF2Jwbmc6iXIln8AWX5M+yn15dYOXzbHGbopH8bpF9CsJ/DPHg87
D1At1XwAy5aR5w7pXE//5p/saW50Sm/eY6Nugs9hgAXUTcMMAEXCIG17dLoUzhwE
YdzuPm350h39bTmI7Fz95koTbsKJUi+6337GJ3cWKxMBkEmWvpGo4Nko01xtEnUZ
GweKexr1roE8jZPpzuNeUy+S5tvH5emyBIBdroBVxBtz1OUIoP0oAOrQ5RtRPAcT
TsSWjMtyF2gO5GxeMErRqnLAtWJs4QlaJacVnMMTAgRjrGkUZdsqngM/fjQXfeZV
SwIDAQAB
-----END PUBLIC KEY-----
In my python app I am using OpenSSL and trying to load the key using
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, samplePEMKey)
When running the django app I get the following error at the above line.
Request Method: POST
Request URL: http://127.0.0.1:8000/snapshotuploader/single/
Django Version: 1.3.1
Exception Type: Error
Exception Value:
[('PEM routines', 'PEM_read_bio', 'no start line')]
Here's how I read the public key from the file
file_path = '/home/XXXX/co/certserver/LicenseServer/home_folder/dldl/samplePEMKey.pub'
try:
fin = open(file_path, 'r')
except IOError:
return HttpResponse('IO Error opening uploaded file.')
try:
samplePEMKey = fin.read()
fin.close()
except IOError:
return HttpResponse('IO Error reading uploaded file.')
Appreciate any help in solving this issue. Thanks in advance.
Took a while to spot it, but you are trying to read a public key with a private key method. If you want to use load_privatekey you should use the original id_rsa as input.
I don't remember how to do the same with OpenSSL.crypto, but at least with the pycrypto toolkit's RSA implementation your sample key imports just fine:
>>> kt = open("samplePEMKey.pub").read()
>>> from Crypto.PublicKey import RSA
>>> key = RSA.import_key(kt)
>>> key
<_RSAobj #0x109916d40 n(2048),e>
Related
I try to use pyOpenSSL for signed a data, I create key pair (private and publique) and certificate.
I'm a beginner with this technology, I use OpenSSl, but if you have suggestions for generate a signed message with private and public key in python, I'm take !
I want to use RSA and DSA algorithm for my tests.
I find m2Crypto, pyCrypto and other. I do not know what is the best for this.
gnupg for python and pyOpenSSl are more recent visibly.
I used function for signed a message with my private key, and I verify the data.
But when I see the function for verify the signature, in parameters I need :
private key, signature, data and digest type.
I do not know where I am wrong in this code, I find some examples, but I do not understand how this can work because the first parameters for the verify function is a X509 object "certificate is a X509 instance corresponding to the private key which generated the signature." and the second is the signature generated with the private key..
This code work perfectly with the private key :
from OpenSSL import crypto
_k = crypto.PKey()
_cert = crypto.X509()
# Create keys
_k.generate_key(crypto.TYPE_RSA, 2048)
# Add argument for create certificate
_cert.gmtime_adj_notBefore(0)
_cert.gmtime_adj_notAfter(0*365*24*60*60) #10 years expiry date
_cert.set_pubkey(_k)
_cert.sign(_k, 'sha256')
# Create key's file
with open("public_key.pem",'w') as f:
f.write(crypto.dump_publickey(crypto.FILETYPE_PEM, _k))
with open("private_key.pem",'w') as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, _k))
with open("certificate.pem",'w') as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, _cert))
#-------------------------------------------------------------------------------
# Open key and load in var
with open("private_key.pem",'r') as f:
priv_key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
with open("public_key.pem",'r') as f:
pub_key = crypto.load_publickey(crypto.FILETYPE_PEM, f.read())
with open("certificate.pem",'r') as f:
cert = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
# sign message 'hello world' with private key and certificate
sign = crypto.sign(priv_key, "hello world", 'sha256')
print crypto.verify(cert, sign, "hello world", 'sha256')
So, my question is, how use the public key for verify the data ?
If Bob give a public key to alice, How it checks the message with this public key ?
You have a idea ?
Thanks a lot,
Romain
I found a answer in this post.
from OpenSSL.crypto import load_publickey, FILETYPE_PEM, verify, X509
# ... code ...
x509 = X509()
x509.set_pubkey(pub_key)
# ... code ...
print verify(x509, sign, sha, 'sha256')
I'm wondering.. When I get a message, I use the public key for authenticating the transmitter, but why I have to use the signature to do the verification ? To generate the signature, I need the private key ..
Is there something I did not understand in the use of the library ?
ok I understood my mistake : Cryptography Digital signatures
source
I have a method as below that sign provided data:
def sign_data(self, private_key_loc, data):
"""
param: private_key_loc Path to your private key
param: package Data to be signed
return: base64 encoded signature
"""
key = open(private_key_loc, "r").read()
print(key)
rsakey = RSA.importKey(key) # This raise an error!!!!
print(rsakey)
signer = PKCS1_v1_5.new(rsakey)
digest = SHA256.new()
# It's being assumed the data is base64 encoded, so it's decoded before updating the digest
digest.update(data)
sign = signer.sign(digest)
return b64encode(sign)
The format of the private key is as below:
<RSAKeyValue><Modulus>nEWZmLeK0zgEWysFFcpcT6lnYpzYcXFf+r43wD73ko+CjR5EmwDsmlKqKS5y3rpIHQrj+xE+yiNGlcPFNwFl3cCcHPkeI0hqaPPYxE2XeP6Wa0keegny2AWWK2Cuv61YHVz4XgxTPBX7B/19ClN4wzI5CoNc9jkx0PIXEo5iWLk=</Modulus><Exponent>AQAB</Exponent><P>0b5D6oI3mOKKIHgfCrl03vfUTo91UeJyvpZ1l6F6NzUzPDhCG3Sin5dXtxEFejPayLsgLOIMMuqobOzI9wJpBQ==</P><Q>vrxvorDFE3g1cj2kWWWZc2BS7UMf+xxnPhtBR3x3T/DyTEnkEXvGLdRBuUGWKhxUpRcBkcBfAadJjhYUqYBvJQ==</Q><DP>SKYKiDPKZh4xkcWJmwFZxdE5rGxsSoyRCgq7eGXqGy1GLdmerDveCEE3lKVErGtBoL2QC3vQleJJrFDn2wbusQ==</DP><DQ>sIoTPd8lmd6ygVnCq6fZPywRtV9i03a3rIlng3YVrN1UNv5RZUlN5g9HAeRNzA5K3j8MCc6nYQ1ojGWtnDGvLQ==</DQ><InverseQ>rQzqbkXZ9Tmno3ElcliX57Xv4AXyF6yFO1kH4LHwkc8jN5dB9XYEdBIgm43yHFIznvOdc2L9Nkl2nHbFCeAKmg==</InverseQ><D>XA7IN+XP2zPBpS9HlJmcHbWO2NHK07FVODH8R70QPP9bieRNx/4YY6TU5uOc+cZFGw7CVLHJCm0TdMBaGlgxeC/GTwMrCJigxUgaxbvDmxuSpqYqkjoZhgoZAuUct8RaZUN8zNdEsXCqRhbU61U2Ey587RyPQ7varg9hkPicVHE=</D></RSAKeyValue>
NOTE: PRIVATE KEY IS FOR TEST NOTHING VALUEABLE
It seems that it is created in XML format.
In the line RSA.importKey(key) the error is raised as below:
ValueError: RSA key format is not supported
How should I feed that private key to sign data?
I even tried to form RSA key by parsing the XML and do something as the following:
rsakey = Crypto.PublicKey.RSA.construct((root.find('Modulus').text, root.find('Exponent').text,root.find('D').text))
It gives an error like:
assert isinstance(n, long)
AssertionError
RSA needs PEM file format in order to sign data. As my private key was not important! I used an online site to convert XML to PEM (DON'T DO THIS ON REAL PRIVATE KEYS :|). It now works.
My PEM file is now as below:
-----BEGIN RSA PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAJxFmZi3itM4BFsr
BRXKXE+pZ2Kc2HFxX/q+N8A+95KPgo0eRJsA7JpSqikuct66SB0K4/sRPsojRpXD
xTcBZd3AnBz5HiNIamjz2MRNl3j+lmtJHnoJ8tgFlitgrr+tWB1c+F4MUzwV+wf9
fQpTeMMyOQqDXPY5MdDyFxKOYli5AgMBAAECgYBcDsg35c/bM8GlL0eUmZwdtY7Y
0crTsVU4MfxHvRA8/1uJ5E3H/hhjpNTm45z5xkUbDsJUsckKbRN0wFoaWDF4L8ZP
AysImKDFSBrFu8ObG5KmpiqSOhmGChkC5Ry3xFplQ3zM10SxcKpGFtTrVTYTLnzt
HI9Du9quD2GQ+JxUcQJBANG+Q+qCN5jiiiB4Hwq5dN731E6PdVHicr6WdZehejc1
Mzw4Qht0op+XV7cRBXoz2si7ICziDDLqqGzsyPcCaQUCQQC+vG+isMUTeDVyPaRZ
ZZlzYFLtQx/7HGc+G0FHfHdP8PJMSeQRe8Yt1EG5QZYqHFSlFwGRwF8Bp0mOFhSp
gG8lAkBIpgqIM8pmHjGRxYmbAVnF0TmsbGxKjJEKCrt4ZeobLUYt2Z6sO94IQTeU
pUSsa0GgvZALe9CV4kmsUOfbBu6xAkEAsIoTPd8lmd6ygVnCq6fZPywRtV9i03a3
rIlng3YVrN1UNv5RZUlN5g9HAeRNzA5K3j8MCc6nYQ1ojGWtnDGvLQJBAK0M6m5F
2fU5p6NxJXJYl+e17+AF8heshTtZB+Cx8JHPIzeXQfV2BHQSIJuN8hxSM57znXNi
/TZJdpx2xQngCpo=
-----END RSA PRIVATE KEY-----
I'm tring to create python script, that would take PKCS#12 package and print some information contained in x509 certificate and using for this purpouses PyOpenSSL module. So far i want to fetch from certificate public key. But PKey object doesn't have appropriate method. Where can I move out of here ? Any ideas how to get public key ?
pfx=open('./1.p12','rb').read()
PKCS=crypto.load_pkcs12(pfx)
cert=PKCS.get_certificate()
PKey=cert.get_pubkey()
print PKey
<OpenSSL.crypto.PKey object at 0x012432D8>
Thanks.
First you can load the certificate like this
from OpenSSL import crypto
#cert is the encrypted certificate int this format -----BEGIN -----END
crtObj = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
pubKeyObject = crtObj.get_pubkey()
pubKeyString = crypto.dump_publickey(crypto.FILETYPE_PEM,pubKeyObject)
print pubKeyString
you will see something like
-----BEGIN PUBLIC KEY-----
....
....
-----END PUBLIC KEY-----
I am assuming you want to read the public key from the file.
First install pyopenssl
pip install pyopenssl
from OpenSSL import crypto
import os
file_path = os.path.join(os.getcwd(), '/certificates/test.crt')
with open(file_path, "r") as f:
cert = f.read()
pub_key_obj = crypto.load_certificate(crypto.FILETYPE_PEM, cert).get_pubkey()
pub_key = crypto.dump_publickey(crypto.FILETYPE_PEM, pub_key_obj)
print(pub_key)
or
file_path = '~/.ssh/private_key'
with open(file_path, "rb") as f:
raw = f.read()
private_key_obj = crypto.load_privatekey(crypto.FILETYPE_PEM, raw)
pub_key = crypto.dump_publickey(crypto.FILETYPE_PEM, private_key_obj)
print(pub_key)
You will get output as:
-----BEGIN PUBLIC KEY-----
....
-----END PUBLIC KEY-----
Would this work?
print PKey
<OpenSSL.crypto.PKey object at 0x012432D8>
from OpenSSL import crypto
crypto.dump_privatekey(PKey)
Instead use:
c.dump_privatekey(c.FILETYPE_TEXT,pubkey)
This is for a homework assignment!
I get the server's certificate using get_peer_certificate()
and the calling dump_certificate to dump the certificate in a variable. The format is PEM and looks right to me.
-----BEGIN CERTIFICATE-----
GIBBERISH................
......................
........................
-----END CERTIFICATE-----
How do I extract the server's public key from this file ('server.pubkey') and encrypt plaintext using RSA algorithm and any python library. At the time of writing this, I am using pyOpenSSL
I'd recommend using a more broad crypto library such as M2Crypto which has the X509 certificate functions as well as RSA encryption:
from M2Crypto import RSA, X509
data = ssl_sock.getpeercert(1)
# load the certificate into M2Crypto to manipulate it
cert = X509.load_cert_string(data, X509.FORMAT_DER)
pub_key = cert.get_pubkey()
rsa_key = pub_key.get_rsa()
cipher = rsa_key.public_encrypt('plaintext', RSA.pkcs1_padding)
from OpenSSL import crypto
crtObj = crypto.load_certificate(crypto.FILETYPE_ASN1, config.x509_certificate)
pubKeyObject = crtObj.get_pubkey()
pubKeyString = crypto.dump_publickey(crypto.FILETYPE_PEM, pubKeyObject)
from cryptography.x509 import load_pem_x509_certificate
cert_str = b"-----BEGIN CERTIFICATE-----MIIDETCCAfm..."
cert_obj = load_pem_x509_certificate(cert_str)
public_key = cert_obj.public_key()
private_key = cert_obj.private_key()
Source: https://pyjwt.readthedocs.io/en/stable/faq.html
Note that OpenSSL library is not recommended to be used for those purposes. Instead, cryptography library is pointed. It is maintained and regularly updated.
Assuming you have the certificate in Pem format, the following code block will give you public key in string.
from cryptography import x509
from cryptography.hazmat.primitives import serialization
def read_pub_key_from_cert()
# Read certificate file.
with open("tls.crt") as certificate:
cert = certificate.read()
# Convert it into bytes.
cert_in_bytes = bytes(cert, 'utf-8')
# Create x509 certificate object.
cert_obj = x509.load_pem_x509_certificate(cert_in_bytes)
# Create Public key object.
public_key_obj = cert_obj.public_key()
# Convert Public key object into Pem format in bytes.
public_pem = public_key_obj.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
)
# Convert Public key into string.
pub_key_string = public_pem.decode("utf-8")
return(pub_key_string)
I have not found a way to load an RSA private key from a PEM file to use it in python-crypto (signature).
python-openssl can load a PEM file but the PKey object can't be used to retrieved key information (p, q, ...) to use with Crypto.PublicKey.construct().
I recommend M2Crypto instead of python-crypto. You will need M2Crypto to parse PEM anyway and its EVP api frees your code from depending on a particular algorithm.
private = """
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBANQNY7RD9BarYRsmMazM1hd7a+u3QeMPFZQ7Ic+BmmeWHvvVP4Yj
yu1t6vAut7mKkaDeKbT3yiGVUgAEUaWMXqECAwEAAQJAIHCz8h37N4ScZHThYJgt
oIYHKpZsg/oIyRaKw54GKxZq5f7YivcWoZ8j7IQ65lHVH3gmaqKOvqdAVVt5imKZ
KQIhAPPsr9i3FxU+Mac0pvQKhFVJUzAFfKiG3ulVUdHgAaw/AiEA3ozHKzfZWKxH
gs8v8ZQ/FnfI7DwYYhJC0YsXb6NSvR8CIHymwLo73mTxsogjBQqDcVrwLL3GoAyz
V6jf+/8HvXMbAiEAj1b3FVQEboOQD6WoyJ1mQO9n/xf50HjYhqRitOnp6ZsCIQDS
AvkvYKc6LG8IANmVv93g1dyKZvU/OQkAZepqHZB2MQ==
-----END RSA PRIVATE KEY-----
"""
message = "python-crypto sucks"
# Grab RSA parameters e, n
from M2Crypto import RSA, BIO
bio = BIO.MemoryBuffer(private)
rsa = RSA.load_key_bio(bio)
n, e = rsa.n, rsa.e
# In Python-crypto:
import Crypto.PublicKey.RSA
pycrypto_key = Crypto.PublicKey.RSA.construct((n, e))
# Use EVP api to sign message
from M2Crypto import EVP
key = EVP.load_key_string(private)
# if you need a different digest than the default 'sha1':
key.reset_context(md='sha256')
key.sign_init()
key.sign_update(message)
signature = key.sign_final()
# Use EVP api to verify signature
public = """
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANQNY7RD9BarYRsmMazM1hd7a+u3QeMP
FZQ7Ic+BmmeWHvvVP4Yjyu1t6vAut7mKkaDeKbT3yiGVUgAEUaWMXqECAwEAAQ==
-----END PUBLIC KEY-----
"""
from M2Crypto import BIO, RSA, EVP
bio = BIO.MemoryBuffer(public)
rsa = RSA.load_pub_key_bio(bio)
pubkey = EVP.PKey()
pubkey.assign_rsa(rsa)
pubkey.reset_context(md="sha256")
pubkey.verify_init()
pubkey.verify_update(message)
assert pubkey.verify_final(signature) == 1
See http://svn.osafoundation.org/m2crypto/trunk/tests/test_rsa.py, but I prefer using the algorithm-independent EVP API http://svn.osafoundation.org/m2crypto/trunk/tests/test_evp.py.
How do you verify an RSA SHA1 signature in Python? addresses a similar issue.
is this (close to) what you tried doing?
public_key_filename = 'public_key.pem'
rsa = M2Crypto.RSA.load_pub_key(pk)
That should work. The issue might be with openssl too, does it work when you just use openssl (not in Python)?
Link to Me Too Crypto