用pyOpenSSL签名大文件

Question

I need to create SSL signatures for large *.tar.gz files (gigabytes of data) using Python 3 and pyopenssl module.

Below is simplified excerpt of my code (that works). The problematic line is the following one:

 bytes_to_sign = sign_file.read() # PROBLEM if file is LARGE 

Reading whole file at once is probably not best idea but I don't know how to do it in other way.

Here is the code:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import OpenSSL
import argparse
import getpass
import logging

DIGEST_METHOD = 'sha256'
SSL_CERT_FORMAT_TYPE = OpenSSL.crypto.FILETYPE_PEM
LOG_FORMAT = '[%(asctime)s][ %(levelname)s ] %(message)s'


def create_args_parser():
    p = argparse.ArgumentParser(description='Simple SSL signature generator.')
    p.add_argument('file', type=argparse.FileType('rb'),
                   metavar='signed_file_path',
                   help='path to the file that will be signed')
    p.add_argument('--ssl-key', type=argparse.FileType(), 
                   metavar='CERT_PATH', required=True,
                   help='path to SSL certificate private key in PEM format')
    p.add_argument('-o', '--out', type=argparse.FileType('wb'),
                   metavar='SIGNATURE_PATH', required=True,
                   help='path where generated signature will be saved')
    return p


def get_priv_key_obj(ssl_key_file):
    """Get password protecting SSL private key and create private key object."""

    priv_key_str = ssl_key_file.read()
    ssl_key_file.close()  # https://stackoverflow.com/a/18863046/1321680
    priv_key = None

    while not priv_key:
        ssl_passwd = getpass.getpass()
        try:
            priv_key = OpenSSL.crypto.load_privatekey(SSL_CERT_FORMAT_TYPE,
                                                      priv_key_str,
                                                      ssl_passwd.encode('ascii'))
        except OpenSSL.crypto.Error:
            logging.warning('Probably wrong password - try again')

    return priv_key


def sign_file(priv_key, sign_file, out_file):
    """Sign given file with SSL private key and save signature in given file."""

    bytes_to_sign = sign_file.read()  # PROBLEM if file is LARGE
    sign = OpenSSL.crypto.sign(priv_key, bytes_to_sign, DIGEST_METHOD)
    sign_file.close()

    out_file.write(sign)
    out_file.close()


def main():
    parser = create_args_parser()
    args = parser.parse_args()
    priv_key = get_priv_key_obj(args.ssl_key)
    sign_file(priv_key, args.file, args.out)


if __name__ == '__main__':
    try:
        logging.basicConfig(format=LOG_FORMAT)
        main()
    except Exception as e:
        logging.exception('Generating SSL certificate has failed. Check if '
                          'SSL cert password is correct. Details: {}'.format(e))

Script --help :

usage: sign.py [-h] --ssl-key CERT_PATH -o SIGNATURE_PATH signed_file_path

Simple SSL signature generator.

positional arguments:
  signed_file_path      path to the file that will be signed

optional arguments:
  -h, --help            show this help message and exit
  --ssl-key CERT_PATH   path to SSL certificate private key saved in PEM
                        format
  -o SIGNATURE_PATH, --out SIGNATURE_PATH
                        path where generated signature will be saved

Is there any way to not read() the whole file at once?

---

• To verify the created signature run (or alternatively implement verification using pyOpenSSL ):

   openssl dgst -sha256 -verify cert_public_key_file.pub -signature cert_file.crt signed_file_path 

• If you need to create SSL certificate to test it, see this tutorial .

• I know that there are similar questions on SO but they doesn't answer my problem.

Answer 1

You have to implement your own chunked sign Function.
But what about the Recipient, will it be able to verify?

Read about: EVP_DigestSignInit
EVP_DigestSignUpdate() hashes cnt bytes of data at d into the signature context ctx.
This function can be called several times on the same ctx to include additional data.

---

Adapt from def sign(pkey, data, digest):