【Question title】: python - XML signature validation is failing
【Posted】: 2021-04-05 04:00:36
【Question】:

I generated a private key and a public certificate with the following openssl command:

openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out public_cert.pem -nodes -days 1460 -subj "/C=YOURCOUNTRY/O=YOURCOMPANYNAME/CN=COMMONNAME"

I sign the XML with the private key generated above and try to verify it, but verification fails. The sample code is as follows:

from lxml import etree
import os
from signxml import XMLSigner, XMLVerifier


# Load the certificate and private key that sit next to this script
current_path = os.path.dirname(os.path.abspath(__file__))
ca_cert_file = os.path.join(current_path, "public_cert.pem")
cert = open(ca_cert_file).read()
key = open(os.path.join(current_path, "private_key.pem")).read()

# Sign a minimal document with the private key, embedding the certificate
data_to_sign = "<Test/>"
root = etree.fromstring(data_to_sign)
signer = XMLSigner(c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
signed_root = signer.sign(root, key=key, cert=cert)
# Verify the signature against the same certificate
verified_data = XMLVerifier().verify(signed_root, ca_pem_file=ca_cert_file)

Running the code above raises the following exception:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\signxml\__init__.py", line 864, in verify
    verify(signing_cert, raw_signature, signed_info_c14n, signature_digest_method)
  File "C:\Users\<username>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\OpenSSL\crypto.py", line 2869, in verify
    _raise_current_error()
  File "C:\Users\<username>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\OpenSSL\_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('rsa routines', 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines', 'rsa_ossl_public_decrypt', 'padding check failed')]

【Comments】:

  • This was originally a bounty question, so did my answer solve your problem? If so, please accept my answer. If not, please follow up with specifics so that any open issues can be resolved. Thanks

Tags: python openssl lxml x509 xml-signature


【Answer 1】:

The invalid padding error usually indicates a problem with the keys, for example: "the public key does not match the private key used for decryption."

I was able to trigger this error by deliberately mismatching my keys. The error is identical to the one you quote in your question.

OpenSSL.crypto.Error: [('rsa routines', 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines', 'rsa_ossl_public_decrypt', 'padding check failed')]

I suggest recreating the keys, confirming that you are using the correct key pair in your code, and then testing again.

I generated my keys this way.

openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out public_cert.pem -nodes -days 1460 -subj "/C=US/O=mycompanyname/CN=domainname.com"

The code below produced no error.

import os
from lxml import etree
from signxml import XMLSigner, XMLVerifier, InvalidCertificate

# Certificate and private key generated by the openssl command above,
# stored next to this script
current_path = os.path.dirname(os.path.abspath(__file__))
ca_cert_file = os.path.join(current_path, "public_cert.pem")
cert = open(ca_cert_file).read()
key = open(os.path.join(current_path, "private_key.pem")).read()

# Sign a minimal document, embedding the certificate in the signature
data_to_sign = "<Test/>"
root = etree.fromstring(data_to_sign)
signer = XMLSigner(c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
signed_root = signer.sign(root, key=key, cert=cert)
# Verify against the certificate file used for signing
try:
    verified_data = XMLVerifier().verify(signed_root, ca_pem_file=ca_cert_file)
except InvalidCertificate as e:
    print(e)
else:
    print('verified signature')
----------------------------------------
System information
----------------------------------------
Platform:    macOS
Python:      3.8.0
lxml:        4.6.2
signxml:     2.8.1
LibreSSL:    2.8.3 (openssl)
----------------------------------------
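The answer's advice to "confirm that you are using the correct key pair" can be checked mechanically before any XML is signed. The script below is an added example, not code from the question or the answer: it regenerates a key and self-signed certificate the same way the page does (with a 2048-bit key and a constructed subject), creates a second, unrelated key to play the role of a mismatched private key, and compares the public key derived from each private key with the public key embedded in the certificate. It assumes only that the openssl CLI is on PATH; the file names are constructed here.

```shell
#!/bin/sh
# Added example (not from the original question or answer): verify that a
# private key and an X.509 certificate carry the same RSA public key before
# handing them to signxml. A mismatch is what later surfaces as
# "RSA_padding_check_PKCS1_type_1: invalid padding" during verification.
# Assumes the openssl CLI is on PATH; file names and subject are constructed.

set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same generation step as on the page (quote on -subj closed), plus an
# unrelated key that stands in for "the wrong private_key.pem".
openssl req -x509 -newkey rsa:2048 -keyout "$WORK/private_key.pem" \
    -out "$WORK/public_cert.pem" -nodes -days 1460 \
    -subj "/C=US/O=example/CN=example.test" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other_key.pem" 2>/dev/null

# key_matches_cert KEY CERT
# Returns 0 when the SubjectPublicKeyInfo derived from KEY is identical to the
# one embedded in CERT, 1 otherwise (or if either file cannot be parsed).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Report both candidates against the certificate.
for k in private_key.pem other_key.pem; do
    if key_matches_cert "$WORK/$k" "$WORK/public_cert.pem"; then
        echo "$k: matches public_cert.pem"
    else
        echo "$k: does NOT match public_cert.pem (signxml verify would fail)"
    fi
done
```

Why this check maps onto the page's error: signxml verifies the signature with the public key taken from the certificate (or the CA file), and an RSA PKCS#1 v1.5 signature made with a different private key "decrypts" to bytes that carry no valid padding block, which OpenSSL reports as `invalid padding` rather than as a clean signature mismatch. Running the comparison first turns that opaque error into a plain "wrong key pair" answer.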

【Discussion】:

  • This is the correct analysis and solution. It helped me fix exactly this problem. Thanks.