python - python - xml签名验证失败
问题描述
我使用 openssl 命令生成了私钥和公共证书:
openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out public_cert.pem -nodes -days 1460 -subj "/C=YOURCOUNTRY/O=YOURCOMPANYNAME/CN=COMMONNAME
使用上面生成的私钥对xml进行签名并尝试验证相同,但验证失败,示例代码如下:
from lxml import etree
import os
from signxml import XMLSigner, XMLVerifier
current_path = os.path.dirname(os.path.abspath(__file__))
ca_cert_file = os.path.join(current_path, "public_cert.pem")
cert = open(ca_cert_file).read()
key = open(os.path.join(current_path, "private_key.pem")).read()
data_to_sign = "<Test/>"
root = etree.fromstring(data_to_sign)
signer = XMLSigner(c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
signed_root = signer.sign(root, key=key, cert=cert)
verified_data = XMLVerifier().verify(signed_root, ca_pem_file=ca_cert_file)
执行上述代码导致以下异常:
Traceback (most recent call last):
File "C:\Users\<username>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\signxml\__init__.py", line 864, in verify
verify(signing_cert, raw_signature, signed_info_c14n, signature_digest_method)
File "C:\Users\<username>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\OpenSSL\crypto.py", line 2869, in verify
_raise_current_error()
File "C:\Users\<username>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\OpenSSL\_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('rsa routines', 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines', 'rsa_ossl_public_decrypt', 'padding check failed')]
解决方案
无效填充警告通常表示键有问题。例如:“公钥与解密的私钥不匹配。”
当我故意不匹配我的键时,我能够抛出这个错误。此错误与您在问题中提到的错误相同。
OpenSSL.crypto.Error: [('rsa routines', 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines', 'rsa_ossl_public_decrypt', 'padding check failed')]
我建议重新创建密钥,确认您在代码中使用了正确的密钥对,然后重新测试。
我以这种方式生成了我的密钥。
openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out public_cert.pem -nodes -days 1460 -subj "/C=US/O=mycompanyname/CN=domainname.com"
下面的代码没有产生错误。
import os
from lxml import etree
from signxml import XMLSigner, XMLVerifier, InvalidCertificate
current_path = os.path.dirname(os.path.abspath(__file__))
ca_cert_file = os.path.join(current_path, "public_cert.pem")
cert = open(ca_cert_file).read()
key = open(os.path.join(current_path, "private_key.pem")).read()
data_to_sign = "<Test/>"
root = etree.fromstring(data_to_sign)
signer = XMLSigner(c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
signed_root = signer.sign(root, key=key, cert=cert)
try:
verified_data = XMLVerifier().verify(signed_root, ca_pem_file=ca_cert_file)
except InvalidCertificate as e:
print(e)
else:
print('verified signature')
----------------------------------------
System information
----------------------------------------
Platform: macOS
Python: 3.8.0
lxml: 4.6.2
signxml: 2.8.1
LibreSSL: 2.8.3 (openssl)
----------------------------------------
推荐阅读
- vb.net - Visual Studio 指定的 DSN 包含驱动程序和应用程序之间的体系结构不匹配
- java - Java 反射动态路径:ClassNotFoundException
- javascript - JSON解析和显示
- vba - 将每 3 个单元格中的值向右移动 2 个单元格
- gitlab - 群主如何在 gitlab 中 fork 一个项目?
- python - Python:如何计算两个网络之间的杰卡德指数?
- geoserver - 地理服务器内存问题
- android - 测试以我的项目中的错误结束
- mod-rewrite - 设置 apache2 以转发到 Glassfish 4
- python - Groupby Pandas 中的条件计数