[pycrypto] Verifying Signatures on Data and Certifictes

Kyle Cummings kyle.cummings at forge-corp.com
Thu Sep 26 15:13:19 PDT 2013

I apologize before hand for the long e-mail, but I just wanted to be
thorough in what I was doing.

I am trying to use the PyCrypto library to achieve two similar things. The
first use is to verify that a piece of data has been signed by the private
key of a certain certificate. The other use is to verify a certificate
chain (verify that certificate A has signed B, and then that B has signed

The process is as follows:
Client generates certificate / key-pairs A, B, C and D. A signs B, and B
signs C and D. Then the certificates for A, signed B, signed C and signed D
are pushed to a server. The server responds with a randomly generated bit
of binary data for each certificate. The client uses each certificate /
key-pair to sign the respective binary data, and then pushes the (base64
encoded) signed responses back to the server. The server then takes the
responses, decodes them and tries to verify the signatures on the

Code / Attempts:
My first attempt -

#Function - verifying the signed challenges
Astr = storedcertificates["acert"]
Achallenge = storedchallenges["achallenge"]
Signedchallenge = (read in from http post request)
Acert = load_certificate(FILETYPE_PEM, Astr)

   verify (Acert, Signedchallenge, Achallenge, "sha256")
except Exception e:
   print "failed to verify for reason:"
   print e

#Repeat above for B, C and D

With this code I got the following error response from the verify function:
"must be string without null bytes, not str".

My second attempt -

Having the above code fail, I then found and tried adapting the code
but I first received that the function "get_signature_algorithm()" does not
exists for X509 certificates, and then received the same error response
back for the verify function if I commented out the signature algorithm and
just manually provided the digest.
#Function - verify the signed challenges modified example
Acert = load_certificate(FILETYPE_PEM, storedcerts["root"])
challenge = (original binary challenge sent to client)
algorithm = Acert.get_signature_algorithm()
dersigin = asn1.DerObject()
sig0 = dersigin.payload
if sig0[0] != '\x00':
print "sig0 error"
print sig0
 return False

signature = sig0[1:]
verify(Acert, signature, challenge, algorithm)
 #verify(Acert, signature, challenge, "sha256") #Alternate without the
print "verifcation failed"
 return False
print "THE VERIFICATION WORKED?!?!?!?!?!?!??!"
return True

For the chain verification stuff, I followed the example code from the
above link exactly, but received the same errors as the second example code
(algorithm and string / str).

What am I doing wrong / How am I using the library incorrectly?

Kyle Cummings
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dlitz.net/pipermail/pycrypto/attachments/20130926/822ef95a/attachment.html>

More information about the pycrypto mailing list