This flow demonstrates how to create and verify a digital signature using the cryptography library in Python. This process ensures the authenticity and integrity of the message, confirming that it was signed by the holder of the private key and has not been altered.
There are main 3 steps.
Generate Key Pair:
Private Key: Created using RSA, with a public exponent of 65537 and a key size of 2048 bits.
Public Key: Derived from the private key.
Storage: Both keys are saved to files in PEM format.
Sign the Message:
Message: The data to be signed.
Hash Function: SHA-256 is used to hash the message.
Padding: PSS (Probabilistic Signature Scheme) with MGF1 (Mask Generation Function) and a maximum salt length is used for padding.
Signature: The message is signed using the private key, and the signature is saved to a file.
Verify the Signature:
Public Key: Loaded from the PEM file.
Signature: Loaded from the file.
Message: The original message that was signed.
Verification: The public key, along with the message and the signature, is used to verify the authenticity of the signature. If the signature is valid, it means the message was signed by the corresponding private key.
Step 1: Install the Required Library
First, ensure you have the cryptography library installed. You can install it using pip:
Step 2: Generate a Key Pair
A key pair consists of a private key (used for signing) and a public key (used for verification).
from cryptography.hazmat.primitives import serialization
# Generate private key
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
)
# Generate public key from the private key
public_key = private_key.public_key()
# Save the private key to a file
with open(“private_key.pem“, “wb“) as f:
f.write(private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
))
# Save the public key to a file
with open(“public_key.pem“, “wb“) as f:
f.write(public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
))
Step 3: Sign a Message
To create a digital signature, you’ll use the private key to sign a message.
from cryptography.hazmat.primitives.asymmetric import padding
# Message to be signed
message = b“Hello, this is a secret message!“
# Sign the message
signature = private_key.sign(
message,
padding.PSS(
mgf=padding.MGF1(hashes.SHA256()),
salt_length=padding.PSS.MAX_LENGTH
),
hashes.SHA256()
)
# Save the signature to a file
with open(“signature.bin“, “wb“) as f:
f.write(signature)
Step 4: Verify the Signature
To verify the signature, use the public key to check if it matches the message.
with open(“public_key.pem“, “rb“) as f:
public_key = serialization.load_pem_public_key(f.read())
# Load the signature
with open(“signature.bin“, “rb“) as f:
signature = f.read()
# Message to be verified
message = b“Hello, this is a secret message!“
# Verify the signature
try:
public_key.verify(
signature,
message,
padding.PSS(
mgf=padding.MGF1(hashes.SHA256()),
salt_length=padding.PSS.MAX_LENGTH
),
hashes.SHA256()
)
print(“The signature is valid.“)
except:
print(“The signature is invalid.“)
