def verify(self, signature, payload): k = self.key if isinstance(self.key, rsa.RSAPrivateKey): k = self.key.public_key() return k.verify(signature=signature, data=payload, padding=PSS(mgf=MGF1(SHA256()), salt_length=32), algorithm=SHA256())
def sign(self, payload): # The verification code only allows the salt length to be the # same as the hash length, 32. return self.key.sign( data=payload, padding=PSS(mgf=MGF1(SHA256()), salt_length=32), algorithm=SHA256())
def sign(self, message): signature = self.private_key.sign( message, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH), hashes.SHA256()) return signature
def rsa_sign(self, msg, user_pri_key): signer = user_pri_key.signer( PSS(mgf=MGF1(SHA512()), salt_length=PSS.MAX_LENGTH), SHA512()) signer.update(msg) signature = signer.finalize() sig_length = (len(signature)).to_bytes(4, byteorder='big') return sig_length + signature + msg
def verify(self, message, signature): self.client_public_key.verify( signature, message, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH), hashes.SHA256())
def test_sign(self, sign_key): # create signature message = b"Hello World" digest = hashes.Hash(hashes.SHA256(), backend=default_backend()) digest.update(message) digest = digest.finalize() signature, key_public_pem, cert_pem = self.fapi.sign( path=sign_key, digest=digest ) assert type(signature) == bytes assert type(key_public_pem) == bytes assert type(cert_pem) == bytes # verify via fapi self.fapi.verify_signature(sign_key, digest, signature) # verify via openssl public_key = serialization.load_pem_public_key( key_public_pem, backend=default_backend() ) public_key.verify( signature, message, PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32), hashes.SHA256(), )
def asymmetric_sign(msg, sign_key): """Asymmetrically signs a message""" signer = sign_key.signer( PSS(mgf=MGF1(SHA256()), salt_length=PSS.MAX_LENGTH), SHA256()) if isinstance(msg, str): msg = bytes(msg, encoding='utf-8') elif isinstance(msg, bytearray): msg = bytes(msg) signer.update(msg) return signer.finalize()
def test_sig(self): k = RSA2048.generate() buf = b'This is the message' sig = k.sign(buf) # The code doesn't have any verification, so verify this # manually. k.key.public_key().verify(signature=sig, data=buf, padding=PSS(mgf=MGF1(SHA256()), salt_length=32), algorithm=SHA256()) # Modify the message to make sure the signature fails. self.assertRaises(InvalidSignature, k.key.public_key().verify, signature=sig, data=b'This is thE message', padding=PSS(mgf=MGF1(SHA256()), salt_length=32), algorithm=SHA256())
def rsa_verify(self, msg, user_pub_key): sig_length_bytes = msg[:4] sig_length = int.from_bytes(sig_length_bytes, byteorder='big') signature = msg[4:4 + sig_length] s = msg[4 + sig_length:] verifier = user_pub_key.verifier( signature, PSS(mgf=MGF1(SHA512()), salt_length=PSS.MAX_LENGTH), SHA512()) verifier.update(s) verifier.verify() return s
def sign(self, payload): if sign_rsa_pss: signature = self.key.sign(data=bytes(payload), padding=PSS(mgf=MGF1(SHA256()), salt_length=32), algorithm=SHA256()) else: signature = self.key.sign(data=bytes(payload), padding=PKCS1v15(), algorithm=SHA256()) assert len(signature) == self.sig_len() return signature
def compune_commit(cec_1_0, cec_5_0, cec_10_0, n): global my_info, keys identitate = b"netflix.com" identitate = add_bytes(identitate, 32) date = str(datetime.datetime.now().date()).encode("utf-8") lenght = str(n).encode("utf-8") commit = my_info.get( "certificat" ) + cec_1_0 + cec_5_0 + cec_10_0 + identitate + date + lenght signature = keys["private_key"].sign( commit, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH), hashes.SHA256()) return signature + commit #256biti semnatura
def asymmetric_verify(signature, plaintext, public_key): """Verifies an asymmetrically signed message""" try: if isinstance(plaintext, str): plaintext = bytes(plaintext, encoding='utf-8') elif isinstance(plaintext, bytearray): plaintext = bytes(plaintext) public_key.verify(signature, plaintext, PSS(mgf=MGF1(SHA256()), salt_length=PSS.MAX_LENGTH), SHA256()) return True except InvalidSignature: return False
def verify_signature( *, public_key: Union[EllipticCurvePublicKey, RSAPublicKey, Ed25519PublicKey, DSAPublicKey, Ed448PublicKey, X25519PublicKey, X448PublicKey, ], signature_alg: COSEAlgorithmIdentifier, signature: bytes, data: bytes, ) -> None: """Verify a signature was signed with the private key corresponding to the provided public key. Args: `public_key`: A public key loaded via cryptography's `load_der_public_key`, `load_der_x509_certificate`, etc... `signature_alg`: Algorithm ID used to sign the signature `signature`: Signature to verify `data`: Data signed by private key Raises: `webauth.helpers.exceptions.UnsupportedAlgorithm` when the algorithm is not a recognized COSE algorithm ID `webauth.helpers.exceptions.UnsupportedPublicKey` when the public key is not a valid EC2, RSA, or OKP certificate `cryptography.exceptions.InvalidSignature` when the signature cannot be verified """ if isinstance(public_key, EllipticCurvePublicKey): public_key.verify(signature, data, get_ec2_sig_alg(signature_alg)) elif isinstance(public_key, RSAPublicKey): if is_rsa_pkcs(signature_alg): public_key.verify(signature, data, PKCS1v15(), get_rsa_pkcs1_sig_alg(signature_alg)) elif is_rsa_pss(signature_alg): rsa_alg = get_rsa_pss_sig_alg(signature_alg) public_key.verify( signature, data, PSS(mgf=MGF1(rsa_alg), salt_length=PSS.MAX_LENGTH), rsa_alg, ) else: raise UnsupportedAlgorithm( f"Unrecognized RSA signature alg {signature_alg}") elif isinstance(public_key, Ed25519PublicKey): public_key.verify(signature, data) else: raise UnsupportedPublicKey( f"Unsupported public key for signature verification: {public_key}")
def engine_padding_pss(hsh: str, saltlen: int) -> PSS: """ Utility function for cryptography padding instance :param hsh: str the hash name 'sha1' 'sha256' etc OpenSSL EVP_PKEY_CTX_set_rsa_padding() :param saltlen: int the PSS salt length usually the hash length, e.g. 32 for sha256 cannot use OpenSSL special -1, -2 values here OpenSSL EVP_PKEY_CTX_set_rsa_pss_saltlen() :return: PSS instance """ return PSS(MGF1(engine_hashes(hsh)), saltlen)
def DefaultSign(msg, rsaPrivKey): return rsaPrivKey.sign( msg, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH), hashes.SHA256())
def pay_vendor(): global history print(">> Pornim serverul TCP/IP") connection, address = startTCP_serv(IPbanca, portBanca) print(address) criptotext = b"" while True: data = connection.recv(1024) criptotext += data if not data: break print(">> Am primit commitul si hasurile") if not criptotext: return False commit = criptotext[:1572] c1 = criptotext[1572:1604] c5 = criptotext[1604:1636] c10 = criptotext[1636:1668] l1 = criptotext[1668:1671] l1 = take_back_bytes(l1) l5 = criptotext[1671:1674] l5 = take_back_bytes(l5) l10 = criptotext[1674:1677] l10 = take_back_bytes(l10) signature = commit[:256] content = commit[256:-4] IP = content[256:265] public_key_B = content[265:716] #451 dimensiunea cheii publice serializate #deserializez cheia lui B publica pt a verifica semnatura public_key_B = serialization.load_pem_public_key(public_key_B, backend=default_backend()) public_key_U = content[716:1167] public_key_U = serialization.load_pem_public_key(public_key_U, backend=default_backend()) cec_1_0 = commit[1428:1460] cec_5_0 = commit[1460:1492] cec_10_0 = commit[1492:1524] indentitate = commit[1524:1556] date = commit[1556:1566] n = commit[1566:1568] n = int(n.decode("utf-8")) try: #verific certificatul folosind cheia publica a lui B public_key_U.verify( signature, content, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH), hashes.SHA256()) except: print(">> Semnatura si certificatul nu se potrivesc!!!") return False else: #daca nu apare nici o eroare certificatul e valid print(">> Certificatul a fost autentificat si salvat.") check1 = verifica_hash(c1, cec_1_0, l1) check5 = verifica_hash(c5, cec_5_0, l5) check10 = verifica_hash(c10, cec_10_0, l10) if check1 != False and check5 != False and check10 != False: print(">> Hasurile sunt bune.") if check1 not in history and check5 not in history and check10 not in history: history.append(check1) history.append(check5) history.append(check10) print(">> Tanzactia a fost aprobata si salvata in istoric.") suma = len( history[0]) + 5 * len(history[1]) + 10 * len(history[2]) print(">> Vendorul primeste " + str(suma) + " lei.") return True else: print(">> Tranzactia nu a fost aprobata.") else: print(">> Tranzactia nu a fost aprobata.")
def certificate_exchange(): global keys, user_info print(">> Pornesc serverul TCP/IP") #pornesc serverul TCP/IP (connection, address) = startTCP_serv(IPbanca, portBanca) print("Clinet:", IPclient[-1]) print(">> Se face schimbul DH") #se face schimbul DH si salvez cheile DH si cea pt encriptia simetrica DH, key = DHexchange(connection) print(">> Generez cheia privata si publica") #generez cheia privata si publica RSA serv_private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) serv_public_key = serv_private_key.public_key() #le salvez in dictionarul global keys keys.update({ "serv_private_key": serv_private_key, "serv_public_key": serv_public_key }) #serializez cheia publica pentru a o putea trimite serial_public_key = serv_public_key.public_bytes( encoding=Encoding.PEM, format=PublicFormat.SubjectPublicKeyInfo) #generez un IV pt encriptia simetrica iv = generate_IV(DH, 16) #primesc informatiile personale de la U criptotext = bytes() while True: data = connection.recv(1024) criptotext += data break #le decriptez si salvez inf_personale = decriptare_simetrica_AES(criptotext, key, iv) ############ Am terminat cu canalul privat U-B ################ #desfac informatiile personale pt a compune certificatul serial_public_key_client = inf_personale[:451] cont_bancar = inf_personale[451:470] nume = inf_personale[470:] client_public_key = serialization.load_pem_public_key( serial_public_key_client, backend=default_backend()) info = "nimic" #salvez cheia publica a lui U keys.update({"public_key_U": client_public_key}) print(">> Compun certificatul.") #compun certificatul certificat = make_certificate(IPclient[-1], serial_public_key, serial_public_key_client, info) #compun semnatura pe certificat signature = serv_private_key.sign( certificat, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH), hashes.SHA256()) #adaug semnatura la certificat certificat = signature + certificat #salvez datele personale ale userului intr-un dictionar user_info.update({ "nume": nume.decode("UTF-8"), "cont_bancar": cont_bancar.decode("UTF-8"), "certificat": certificat, "numeral": 1000, "info": info }) print(">> Trimit certificatul.") #trimit certificatul lui U connection.send(certificat) #certificatul a fost trimis inchid conexiunea connection.close() print( ">> Certificatul a fost trimis si salvat. \n>> Am inchis conexiunea cu clientul." )
def verify(self, public_key, m, sig): public_key.verify( sig, m, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH), hashes.SHA256())
def certificate_exchange(): global s, keys, my_info print(">> Ma conextex la banca.") #ma conectez la serverul TCP/IP startTCP_client(IPbanca, portBanca) print(">> Fac schimbul HD.") #fac schimbul DH si salvez cheia master DH si cheia pt encriptia simetrica DH, key = DHexchange() print(">> Generez cheia privata si publica.") #generez cheia purivata si cheia publica RSA private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) public_key = private_key.public_key() #le salvez in dictionarul global keys keys.update({"private_key": private_key, "public_key": public_key}) #serializez cheia publica serial_public_key = public_key.public_bytes( encoding=Encoding.PEM, format=PublicFormat.SubjectPublicKeyInfo) #generez IV-ul pt ecriptia simetrica iv = generate_IV(DH, 16) cont_bancar = b"167 123 123 123 123" nume = b"Anon Anonimus" inf_personale = serial_public_key + cont_bancar + nume #criptez cheia publica si informatiile personale criptotext = criptare_simetrica_AES(inf_personale, key, iv) print(">> Trimit inf personale pe canalul privat.") #trimit cheia si informatiile personale pt generarea certificatului s.send(criptotext) print(">> Primesc certificatul.") #primesc certificatul semnat criptotext = bytes() while True: data = s.recv(100) criptotext += data if not data: break #desfac certificatul in semnatura, cheia lui B publica si restul informatiilor signature = criptotext[:256] IP = criptotext[256:265] public_key_B = criptotext[265: 716] #451 dimensiunea cheii publice serializate #deserializez cheia lui B publica pt a verifica semnatura public_key_B = serialization.load_pem_public_key(public_key_B, backend=default_backend()) public_key_U = criptotext[716:1167] info = criptotext[1167:] keys.update({"public_key_B": public_key_B}) my_info.update({"certificat": criptotext, "numeral": 1000}) #compun certificatul fara semnatura certificat = criptotext[256:] print(">> Verific semnatura certificatului.") try: #verific certificatul folosind cheia publica a lui B public_key_B.verify( signature, certificat, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH), hashes.SHA256()) except: print(">> Semnatura si certificatul nu se potrivesc") else: #daca nu apare nici o eroare certificatul e valid print(">> Certificatul a fost autentificat si salvat.") s.close()