Beispiel #1
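    def _verify_signature_with_pubkey(self, signed_info_c14n, raw_signature, key_value, signature_alg):
        """
        Verify ``raw_signature`` over ``signed_info_c14n`` with the public key described by ``key_value``.

        The key family (ECDSA, DSA or RSA) is chosen by substring match on ``signature_alg``; the
        digest comes from ``self._get_signature_digest_method(signature_alg)``. Returns ``None`` on
        success; a failed check surfaces as the exception raised by ``verifier.verify()``.

        NOTE(review): ``key_value`` is presumably the KeyValue element shipped inside the document
        being verified. If so, a successful check only shows that the signature matches the
        embedded key; the caller still has to decide whether that key is trusted.

        :param signed_info_c14n: canonicalized SignedInfo bytes that were signed
        :param raw_signature: signature bytes as decoded from the document
        :param key_value: element containing ECKeyValue, DSAKeyValue or RSAKeyValue
        :param signature_alg: signature algorithm identifier
        :raises NotImplementedError: if ``signature_alg`` names no supported key family
        :raises ValueError: if the EC public key is not an uncompressed point
        """
        # "ecdsa-" must be tested before "dsa-": the latter is a substring of the former.
        if "ecdsa-" in signature_alg:
            ec_key_value = self._find(key_value, "ECKeyValue", namespace="dsig11")
            named_curve = self._find(ec_key_value, "NamedCurve", namespace="dsig11")
            public_key = self._find(ec_key_value, "PublicKey", namespace="dsig11")
            encoded_point = b64decode(public_key.text)
            # The coordinates are recovered by cutting the payload in half, which is only valid for
            # the uncompressed form 0x04 || X || Y. Reject anything else explicitly instead of
            # deriving coordinates from a compressed or truncated point.
            if encoded_point[:1] != b"\x04" or len(encoded_point) < 3 or len(encoded_point) % 2 != 1:
                raise ValueError("ECKeyValue PublicKey must be an uncompressed EC point (0x04 || X || Y)")
            key_data = encoded_point[1:]
            x = bytes_to_long(key_data[:len(key_data)//2])
            y = bytes_to_long(key_data[len(key_data)//2:])
            # An unlisted curve URI raises KeyError here, so only curves in known_ecdsa_curves are used.
            curve_class = self.known_ecdsa_curves[named_curve.get("URI")]
            key = ec.EllipticCurvePublicNumbers(x=x, y=y, curve=curve_class()).public_key(backend=default_backend())
            # NOTE(review): raw_signature is passed through unchanged, while the DSA branch converts
            # r||s to DER. cryptography expects a DER-encoded ECDSA signature, so this branch only
            # accepts DER input; confirm that matches what the signer emits.
            verifier = key.verifier(raw_signature, ec.ECDSA(self._get_signature_digest_method(signature_alg)))
        elif "dsa-" in signature_alg:
            dsa_key_value = self._find(key_value, "DSAKeyValue")
            p = self._get_long(dsa_key_value, "P")
            q = self._get_long(dsa_key_value, "Q")
            # NOTE(review): G is looked up with require=False, so it is presumably allowed to be
            # missing; confirm what value reaches DSAParameterNumbers in that case.
            g = self._get_long(dsa_key_value, "G", require=False)
            y = self._get_long(dsa_key_value, "Y")
            pn = dsa.DSAPublicNumbers(y=y, parameter_numbers=dsa.DSAParameterNumbers(p=p, q=q, g=g))
            key = pn.public_key(backend=default_backend())
            from asn1crypto.algos import DSASignature
            # The document carries r||s (P1363 layout); the backend wants a DER SEQUENCE of two INTEGERs.
            sig_as_der_seq = DSASignature.from_p1363(raw_signature).dump()
            verifier = key.verifier(sig_as_der_seq, self._get_signature_digest_method(signature_alg))
        elif "rsa-" in signature_alg:
            rsa_key_value = self._find(key_value, "RSAKeyValue")
            modulus = self._get_long(rsa_key_value, "Modulus")
            exponent = self._get_long(rsa_key_value, "Exponent")
            key = rsa.RSAPublicNumbers(e=exponent, n=modulus).public_key(backend=default_backend())
            verifier = key.verifier(raw_signature, padding=PKCS1v15(),
                                    algorithm=self._get_signature_digest_method(signature_alg))
        else:
            raise NotImplementedError("Unsupported signature algorithm: {}".format(signature_alg))

        # verifier()/update()/verify() is the streaming interface, which newer cryptography releases
        # deprecated and later removed in favour of key.verify(signature, data, ...).
        verifier.update(signed_info_c14n)
        verifier.verify()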
Beispiel #2
def encode_ecdsa_signature(signature):
    """
    Convert a raw ECDSA signature (as produced by :meth:`pkcs11.SignMixin.sign`)
    into its DER-encoded ASN.1 form (ECDSA_Sig_Value).

    The input is handed to ``DSASignature.from_p1363``, i.e. it is treated as
    the P1363 layout of ``r`` followed by ``s``. No length or range check is
    done here; callers that take the signature from an untrusted source should
    validate its size against the curve first.

    :param bytes signature: signature as bytes
    :rtype: bytes
    """
    # ECDSA and DSA signatures share the same ASN.1 shape, so the DSA type is reused.
    sig_value = DSASignature.from_p1363(signature)
    return sig_value.dump()
Beispiel #3
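 def _verify_signature_with_pubkey(self, signed_info_c14n, raw_signature, key_value, signature_alg):
     """
     Verify ``raw_signature`` over ``signed_info_c14n`` with the public key described by ``key_value``.

     The key family (ECDSA, DSA or RSA) is chosen by substring match on ``signature_alg``; the
     digest comes from ``self._get_signature_digest_method(signature_alg)``. Returns ``None`` on
     success; a failed check surfaces as the exception raised by ``key.verify()``.

     NOTE(review): ``key_value`` is presumably the KeyValue element shipped inside the document
     being verified. If so, a successful check only shows that the signature matches the
     embedded key; the caller still has to decide whether that key is trusted.

     :param signed_info_c14n: canonicalized SignedInfo bytes that were signed
     :param raw_signature: signature bytes as decoded from the document
     :param key_value: element containing ECKeyValue, DSAKeyValue or RSAKeyValue
     :param signature_alg: signature algorithm identifier
     :raises NotImplementedError: if ``signature_alg`` names no supported key family
     :raises ValueError: if the EC public key is not an uncompressed point
     """
     # "ecdsa-" must be tested before "dsa-": the latter is a substring of the former.
     if "ecdsa-" in signature_alg:
         ec_key_value = self._find(key_value, "ECKeyValue", namespace="dsig11")
         named_curve = self._find(ec_key_value, "NamedCurve", namespace="dsig11")
         public_key = self._find(ec_key_value, "PublicKey", namespace="dsig11")
         encoded_point = b64decode(public_key.text)
         # The coordinates are recovered by cutting the payload in half, which is only valid for
         # the uncompressed form 0x04 || X || Y. Reject anything else explicitly instead of
         # deriving coordinates from a compressed or truncated point.
         if encoded_point[:1] != b"\x04" or len(encoded_point) < 3 or len(encoded_point) % 2 != 1:
             raise ValueError("ECKeyValue PublicKey must be an uncompressed EC point (0x04 || X || Y)")
         key_data = encoded_point[1:]
         x = bytes_to_long(key_data[:len(key_data)//2])
         y = bytes_to_long(key_data[len(key_data)//2:])
         # An unlisted curve URI raises KeyError here, so only curves in known_ecdsa_curves are used.
         curve_class = self.known_ecdsa_curves[named_curve.get("URI")]
         key = ec.EllipticCurvePublicNumbers(x=x, y=y, curve=curve_class()).public_key(backend=default_backend())
         # NOTE(review): raw_signature is passed through unchanged, while the DSA branch converts
         # r||s to DER. cryptography expects a DER-encoded ECDSA signature, so this branch only
         # accepts DER input; confirm that matches what the signer emits.
         key.verify(raw_signature,
                    data=signed_info_c14n,
                    signature_algorithm=ec.ECDSA(self._get_signature_digest_method(signature_alg)))
     elif "dsa-" in signature_alg:
         dsa_key_value = self._find(key_value, "DSAKeyValue")
         p = self._get_long(dsa_key_value, "P")
         q = self._get_long(dsa_key_value, "Q")
         # NOTE(review): G is looked up with require=False, so it is presumably allowed to be
         # missing; confirm what value reaches DSAParameterNumbers in that case.
         g = self._get_long(dsa_key_value, "G", require=False)
         y = self._get_long(dsa_key_value, "Y")
         pn = dsa.DSAPublicNumbers(y=y, parameter_numbers=dsa.DSAParameterNumbers(p=p, q=q, g=g))
         key = pn.public_key(backend=default_backend())
         from asn1crypto.algos import DSASignature
         # The document carries r||s (P1363 layout); the backend wants a DER SEQUENCE of two INTEGERs.
         sig_as_der_seq = DSASignature.from_p1363(raw_signature).dump()
         key.verify(sig_as_der_seq,
                    data=signed_info_c14n,
                    algorithm=self._get_signature_digest_method(signature_alg))
     elif "rsa-" in signature_alg:
         rsa_key_value = self._find(key_value, "RSAKeyValue")
         modulus = self._get_long(rsa_key_value, "Modulus")
         exponent = self._get_long(rsa_key_value, "Exponent")
         key = rsa.RSAPublicNumbers(e=exponent, n=modulus).public_key(backend=default_backend())
         key.verify(raw_signature,
                    data=signed_info_c14n,
                    padding=PKCS1v15(),
                    algorithm=self._get_signature_digest_method(signature_alg))
     else:
         raise NotImplementedError("Unsupported signature algorithm: {}".format(signature_alg))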