Python function to check a RSA signature

example.py

# http://stuvel.eu/files/python-rsa-doc
# You can `pip install rsa`
import rsa

### KEY GENERATION ###
### Run once, on your dev environment
### Store the private key in a secure place; add the pubkey to your program

(pubkey, privkey) = rsa.newkeys(1024)

# This is the private key, keep this secret. You'll need it to sign new updates.
privkey = privkey.save_pkcs1()
print("Private key: \n" + privkey)

# This is the public key you must distribute with your program and pass to rsa_verify.
pubkey = (pubkey.n, pubkey.e)
print("pubkey = (%#x, %i)" % pubkey)


### NEW UPDATE SIGNING ###
### Run every new update, on your dev environment
### This will need the private key from above, and will generate a signature to publish along with the update

# Anything you like. I usually ship a JSON with URLs and MD5
update_data = json.dumps({ 'latest': '2012.12.12',
    'versions': {
        '2012.12.12': ('http://...', '229e5b1363be0591e674cd57b3bb8645')
    }
}, sort_keys=True)

# Here you might want to input it manually or something.
privkey = rsa.PrivateKey.load_pkcs1(privkey)

# The signature to attach to the update_data
# You can even add it to update_data, just remember to `del update_data['signature']` before checking the signature
from binascii import hexlify
import json
signature = hexlify(rsa.pkcs1.sign(update_data, privkey, 'SHA-256'))
print('signature = ' + signature)


### UPDATE CHECKING ###
### This is what you do in your program to check a new update
### All you need is the signature published along with the update and the pubkey

# You might want to include the full stand-alone function here
from rsa_verify import rsa_verify

result = rsa_verify(update_data, signature, pubkey)
print('rsa_verify: %s' % result)

license.txt

rsa_verify - standalone functions to check RSA signatures

Written in 2012 by Filippo Valsorda filippo.valsorda->gmail.com

To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.

##########################################################################

Creative Commons Legal Code

CC0 1.0 Universal

    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
    HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.

For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display,
     communicate, and translate a Work;
 ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
     likeness depicted in a Work;
 iv. rights protecting against unfair competition in regards to a Work,
     subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data
     in a Work;
 vi. database rights (such as those arising under Directive 96/9/EC of the
     European Parliament and of the Council of 11 March 1996 on the legal
     protection of databases, and under any national implementation
     thereof, including any amended or successor version of such
     directive); and
vii. other similar, equivalent or corresponding rights throughout the
     world based on applicable law or treaty, and any national
     implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.

4. Limitations and Disclaimers.

 a. No trademark or patent rights held by Affirmer are waived, abandoned,
    surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or
    warranties of any kind concerning the Work, express, implied,
    statutory or otherwise, including without limitation warranties of
    title, merchantability, fitness for a particular purpose, non
    infringement, or the absence of latent or other defects, accuracy, or
    the present or absence of errors, whether or not discoverable, all to
    the greatest extent permissible under applicable law.
 c. Affirmer disclaims responsibility for clearing rights of other persons
    that may apply to the Work or any use thereof, including without
    limitation any person's Copyright and Related Rights in the Work.
    Further, Affirmer disclaims responsibility for obtaining any necessary
    consents, permissions or other rights required for any use of the
    Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a
    party to this document and has no duty or obligation with respect to
    this CC0 or use of the Work.

rsa_verify.py

def rsa_verify(message, signature, key):
    from struct import pack
    from hashlib import sha256 # You'll need the backport for 2.4 http://code.krypto.org/python/hashlib/
    from sys import version_info
    def b(x):
        if version_info[0] == 2: return x
        else: return x.encode('latin1')
    assert(type(message) == type(b('')))
    block_size = 0
    n = key[0]
    while n:
        block_size += 1
        n >>= 8
    signature = pow(int(signature, 16), key[1], key[0])
    raw_bytes = []
    while signature:
        raw_bytes.insert(0, pack("B", signature & 0xFF))
        signature >>= 8
    signature = (block_size - len(raw_bytes)) * b('\x00') + b('').join(raw_bytes)
    if signature[0:2] != b('\x00\x01'): return False
    signature = signature[2:]
    if not b('\x00') in signature: return False
    signature = signature[signature.index(b('\x00'))+1:]
    if not signature.startswith(b('\x30\x31\x30\x0D\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20')): return False
    signature = signature[19:]
    if signature != sha256(message).digest(): return False
    return True

test.py

import sys
from rsa_verify import rsa_verify

signature = '84e402a13281b299352ddb1844f61d542d11641da1cc30e3837e6b5cdad0fe9e779a1a9dbcd0d9463947d0de63b329b02456c67beba97ea5275cd1385ca15b2fb822218ee45c279c81024a2ecf37ce594fef0c58a0a67799d0105644476a0dc0fdbc391f4257d043b870b1aa5cfa0149d43036ebc65933c2016db3ac74ecfc8e'
# signature = hexlify(rsa.pkcs1.sign(b'bella', priv, 'SHA-256'))
key = (0xa6480f4d0d057c9290a2f755354b6fc1689b7667f414ca432984da211c3cdf367c3e6ded82da9528657c336b454b2ee57301ff14e2ecbba0a8e91d006032acc029696a9eb70d41737df25ef47b166b61a9fcad1cb8f73662130cc7c02d2a10006d69d5aed31742dbe66b7819d5f98e9b6b35a83811918f74517e965b23cd73df, 65537)
# key = (pub.n, pub.e)

if sys.version_info[0] == 2:
    print(repr(rsa_verify('bella', signature, key))) # True
    print(repr(rsa_verify('brutta', signature, key))) # False
    print(repr(rsa_verify('bella', signature[2:], key))) # False
    print(repr(rsa_verify('bella', signature, (key[0]+1, key[1])))) # False
    print(repr(rsa_verify('bella', signature, (key[0], key[1]+1)))) # False
    print(repr(rsa_verify('bella'.decode(), signature, key))) # AssertionError
elif sys.version_info[0] == 3:
    print(repr(rsa_verify('bella'.encode('latin1'), signature, key))) # True
    print(repr(rsa_verify('brutta'.encode('latin1'), signature, key))) # False
    print(repr(rsa_verify('bella'.encode('latin1'), signature[2:], key))) # False
    print(repr(rsa_verify('bella'.encode('latin1'), signature, (key[0]+1, key[1])))) # False
    print(repr(rsa_verify('bella'.encode('latin1'), signature, (key[0], key[1]+1)))) # False
    print(repr(rsa_verify('bella', signature, key))) # AssertionError