Beispiel #1
0
def _sign_pss_raw(data: bytes, signing_key: keys.PrivateKeyInfo,
                  params: algos.RSASSAPSSParams, digest_algorithm: str):

    pss_padding, hash_algo = _process_pss_params(params, digest_algorithm)

    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
    priv_key: RSAPrivateKey = serialization.load_der_private_key(
        signing_key.dump(), password=None)

    return priv_key.sign(data=data, padding=pss_padding, algorithm=hash_algo)
def _oscrypto_hacky_load_pss_exclusive_key(private: keys.PrivateKeyInfo):
    from oscrypto import asymmetric
    # HACK to load PSS-exclusive RSA keys in oscrypto
    #  Don't ever do this in production code!
    algo_copy = private['private_key_algorithm'].native
    private_copy = keys.PrivateKeyInfo.load(private.dump())
    # set the algorithm to "generic RSA"
    private_copy['private_key_algorithm'] = {'algorithm': 'rsa'}
    loaded_key = asymmetric.load_private_key(private_copy)
    public = loaded_key.public_key.asn1
    public['algorithm'] = algo_copy
    return loaded_key, public
def generic_sign_prehashed(private_key: keys.PrivateKeyInfo, tbs_digest: bytes,
                           sd_algo: algos.SignedDigestAlgorithm,
                           digest_algorithm) -> bytes:
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
    from cryptography.hazmat.primitives.asymmetric.utils import Prehashed

    if private_key.algorithm == 'rsassa_pss':
        # as usual, we need to pretend it's a normal RSA key
        # for pyca_cryptography to be able to load it
        private_key_copy = private_key.copy()
        private_key_copy['private_key_algorithm'] = {'algorithm': 'rsa'}
        priv_key_bytes = private_key_copy.dump()
    else:
        priv_key_bytes = private_key.dump()

    priv_key = serialization.load_der_private_key(priv_key_bytes,
                                                  password=None)
    sig_algo = sd_algo.signature_algo
    if sig_algo == 'rsassa_pkcs1v15':
        padding: padding.AsymmetricPadding = padding.PKCS1v15()
        hash_algo = getattr(hashes, digest_algorithm.upper())()
        assert isinstance(priv_key, rsa.RSAPrivateKey)
        return priv_key.sign(tbs_digest, padding, Prehashed(hash_algo))
    elif sig_algo == 'rsassa_pss':
        parameters = None
        if private_key.algorithm == 'rsassa_pss':
            key_params = \
                private_key['private_key_algorithm']['parameters']
            # if the key is parameterised, we must use those params
            if key_params.native is not None:
                parameters = key_params
        if parameters is None:
            parameters = sd_algo['parameters']

        mga: algos.MaskGenAlgorithm = parameters['mask_gen_algorithm']
        if not mga['algorithm'].native == 'mgf1':
            raise NotImplementedError("Only MFG1 is supported")

        mgf_md_name = mga['parameters']['algorithm'].native

        salt_len: int = parameters['salt_length'].native

        mgf_md = getattr(hashes, mgf_md_name.upper())()
        pss_padding: padding.AsymmetricPadding = padding.PSS(
            mgf=padding.MGF1(algorithm=mgf_md), salt_length=salt_len)
        hash_algo = getattr(hashes, digest_algorithm.upper())()
        assert isinstance(priv_key, rsa.RSAPrivateKey)
        return priv_key.sign(tbs_digest, pss_padding, Prehashed(hash_algo))
    elif sig_algo == 'dsa':
        assert isinstance(priv_key, dsa.DSAPrivateKey)
        hash_algo = getattr(hashes, digest_algorithm.upper())()
        return priv_key.sign(tbs_digest, Prehashed(hash_algo))
    elif sig_algo == 'ecdsa':
        hash_algo = getattr(hashes, digest_algorithm.upper())()
        assert isinstance(priv_key, ec.EllipticCurvePrivateKey)
        return priv_key.sign(tbs_digest,
                             signature_algorithm=ec.ECDSA(
                                 Prehashed(hash_algo)))
    else:  # pragma: nocover
        raise NotImplementedError(f"The signature signature_algo {sig_algo} "
                                  f"is unsupported")