Ejemplo n.º 1
0
    def verify(self, mhash, S):
        """Verify that a certain PKCS#1 PSS signature is authentic.
    
        This function checks if the party holding the private half of the given
        RSA key has really signed the message.
    
        This function is called ``RSASSA-PSS-VERIFY``, and is specified in section
        8.1.2 of RFC3447.
    
        :Parameters:
         mhash : hash object
                The hash that was carried out over the message. This is an object
                belonging to the `Crypro.Hash` module.
         S : string
                The signature that needs to be validated.
    
        :Return: True if verification is correct. False otherwise.
        """
        # TODO: Verify the key is RSA

        # Set defaults for salt length and mask generation function
        if self._saltLen == None:
            sLen = mhash.digest_size
        else:
            sLen = self._saltLen
        if self._mgfunc:
            mgf = self._mgfunc
        else:
            mgf = lambda x, y: MGF1(x, y, mhash)

        modBits = Crypro.Util.number.size(self._key.n)

        # See 8.1.2 in RFC3447
        k = ceil_div(modBits, 8)  # Convert from bits to bytes
        # Step 1
        if len(S) != k:
            return False
        # Step 2a (O2SIP), 2b (RSAVP1), and partially 2c (I2OSP)
        # Note that signature must be smaller than the module
        # but RSA.py won't complain about it.
        # TODO: Fix RSA object; don't do it here.
        em = self._key.encrypt(S, 0)[0]
        # Step 2c
        emLen = ceil_div(modBits - 1, 8)
        em = bchr(0x00) * (emLen - len(em)) + em
        # Step 3
        try:
            result = EMSA_PSS_VERIFY(mhash, em, modBits - 1, mgf, sLen)
        except ValueError:
            return False
        # Step 4
        return result
Ejemplo n.º 2
0
    def randrange(self, *args):
        """randrange([start,] stop[, step]):
        Return a randomly-selected element from range(start, stop, step)."""
        if len(args) == 3:
            (start, stop, step) = args
        elif len(args) == 2:
            (start, stop) = args
            step = 1
        elif len(args) == 1:
            (stop,) = args
            start = 0
            step = 1
        else:
            raise TypeError("randrange expected at most 3 arguments, got %d" % (len(args),))
        if (not isinstance(start, int)
                or not isinstance(stop, int)
                or not isinstance(step, int)):
            raise TypeError("randrange requires integer arguments")
        if step == 0:
            raise ValueError("randrange step argument must not be zero")

        num_choices = ceil_div(stop - start, step)
        if num_choices < 0:
            num_choices = 0
        if num_choices < 1:
            raise ValueError("empty range for randrange(%r, %r, %r)" % (start, stop, step))

        # Pick a random number in the range of possible numbers
        r = num_choices
        while r >= num_choices:
            r = self.getrandbits(size(num_choices))

        return start + (step * r)
Ejemplo n.º 3
0
def EMSA_PSS_ENCODE(mhash, emBits, randFunc, mgf, sLen):
    """
    Implement the ``EMSA-PSS-ENCODE`` function, as defined
    in PKCS#1 v2.1 (RFC3447, 9.1.1).

    The original ``EMSA-PSS-ENCODE`` actually accepts the message ``M`` as input,
    and hash it internally. Here, we expect that the message has already
    been hashed instead.

    :Parameters:
     mhash : hash object
            The hash object that holds the digest of the message being signed.
     emBits : int
            Maximum length of the final encoding, in bits.
     randFunc : callable
            An RNG function that accepts as only parameter an int, and returns
            a string of random bytes, to be used as salt.
     mgf : callable
            A mask generation function that accepts two parameters: a string to
            use as seed, and the lenth of the mask to generate, in bytes.
     sLen : int
            Length of the salt, in bytes.

    :Return: An ``emLen`` byte long string that encodes the hash
            (with ``emLen = \ceil(emBits/8)``).

    :Raise ValueError:
        When digest or salt length are too big.
    """

    emLen = ceil_div(emBits, 8)

    # Bitmask of digits that fill up
    lmask = 0
    for i in range(8 * emLen - emBits):
        lmask = lmask >> 1 | 0x80

    # Step 1 and 2 have been already done
    # Step 3
    if emLen < mhash.digest_size + sLen + 2:
        raise ValueError(
            "Digest or salt length are too long for given key size.")
    # Step 4
    salt = b("")
    if randFunc and sLen > 0:
        salt = randFunc(sLen)
    # Step 5 and 6
    h = mhash.new(bchr(0x00) * 8 + mhash.digest() + salt)
    # Step 7 and 8
    db = bchr(0x00) * (emLen - sLen - mhash.digest_size -
                       2) + bchr(0x01) + salt
    # Step 9
    dbMask = mgf(h.digest(), emLen - mhash.digest_size - 1)
    # Step 10
    maskedDB = strxor(db, dbMask)
    # Step 11
    maskedDB = bchr(bord(maskedDB[0]) & ~lmask) + maskedDB[1:]
    # Step 12
    em = maskedDB + h.digest() + bchr(0xBC)
    return em
Ejemplo n.º 4
0
    def sign(self, mhash):
        """Produce the PKCS#1 v1.5 signature of a message.
    
        This function is named ``RSASSA-PKCS1-V1_5-SIGN``, and is specified in
        section 8.2.1 of RFC3447.
    
        :Parameters:
         mhash : hash object
                The hash that was carried out over the message. This is an object
                belonging to the `Crypro.Hash` module.
    
        :Return: The signature encoded as a string.
        :Raise ValueError:
            If the RSA key length is not sufficiently long to deal with the given
            hash algorithm.
        :Raise TypeError:
            If the RSA key has no private half.
        """
        # TODO: Verify the key is RSA

        # See 8.2.1 in RFC3447
        modBits = Crypro.Util.number.size(self._key.n)
        k = ceil_div(modBits, 8)  # Convert from bits to bytes

        # Step 1
        em = EMSA_PKCS1_V1_5_ENCODE(mhash, k)
        # Step 2a (OS2IP) and 2b (RSASP1)
        m = self._key.decrypt(em)
        # Step 2c (I2OSP)
        S = bchr(0x00) * (k - len(m)) + m
        return S
Ejemplo n.º 5
0
def MGF1(mgfSeed, maskLen, hash):
    """Mask Generation Function, described in B.2.1"""
    T = b("")
    for counter in range(ceil_div(maskLen, hash.digest_size)):
        c = long_to_bytes(counter, 4)
        T = T + hash.new(mgfSeed + c).digest()
    assert (len(T) >= maskLen)
    return T[:maskLen]
Ejemplo n.º 6
0
  def encrypt(self, message):
      """Produce the PKCS#1 OAEP encryption of a message.
  
      This function is named ``RSAES-OAEP-ENCRYPT``, and is specified in
      section 7.1.1 of RFC3447.
  
      :Parameters:
       message : string
              The message to encrypt, also known as plaintext. It can be of
              variable length, but not longer than the RSA modulus (in bytes)
              minus 2, minus twice the hash output size.
 
      :Return: A string, the ciphertext in which the message is encrypted.
          It is as long as the RSA modulus (in bytes).
      :Raise ValueError:
          If the RSA key length is not sufficiently long to deal with the given
          message.
      """
      # TODO: Verify the key is RSA
  
      randFunc = self._key._randfunc
  
      # See 7.1.1 in RFC3447
      modBits = Crypro.Util.number.size(self._key.n)
      k = ceil_div(modBits,8) # Convert from bits to bytes
      hLen = self._hashObj.digest_size
      mLen = len(message)
  
      # Step 1b
      ps_len = k-mLen-2*hLen-2
      if ps_len<0:
          raise ValueError("Plaintext is too long.")
      # Step 2a
      lHash = self._hashObj.new(self._label).digest()
      # Step 2b
      ps = bchr(0x00)*ps_len
      # Step 2c
      db = lHash + ps + bchr(0x01) + message
      # Step 2d
      ros = randFunc(hLen)
      # Step 2e
      dbMask = self._mgf(ros, k-hLen-1)
      # Step 2f
      maskedDB = strxor(db, dbMask)
      # Step 2g
      seedMask = self._mgf(maskedDB, hLen)
      # Step 2h
      maskedSeed = strxor(ros, seedMask)
      # Step 2i
      em = bchr(0x00) + maskedSeed + maskedDB
      # Step 3a (OS2IP), step 3b (RSAEP), part of step 3c (I2OSP)
      m = self._key.encrypt(em, 0)[0]
      # Complete step 3c (I2OSP)
      c = bchr(0x00)*(k-len(m)) + m
      return c
Ejemplo n.º 7
0
    def encrypt(self, message):
        """Produce the PKCS#1 v1.5 encryption of a message.
    
        This function is named ``RSAES-PKCS1-V1_5-ENCRYPT``, and is specified in
        section 7.2.1 of RFC3447.
        For a complete example see `Crypro.Cipher.PKCS1_v1_5`.
    
        :Parameters:
         message : byte string
                The message to encrypt, also known as plaintext. It can be of
                variable length, but not longer than the RSA modulus (in bytes) minus 11.
    
        :Return: A byte string, the ciphertext in which the message is encrypted.
            It is as long as the RSA modulus (in bytes).
        :Raise ValueError:
            If the RSA key length is not sufficiently long to deal with the given
            message.

        """
        # TODO: Verify the key is RSA

        randFunc = self._key._randfunc

        # See 7.2.1 in RFC3447
        modBits = Crypro.Util.number.size(self._key.n)
        k = ceil_div(modBits, 8)  # Convert from bits to bytes
        mLen = len(message)

        # Step 1
        if mLen > k - 11:
            raise ValueError("Plaintext is too long.")
        # Step 2a
        class nonZeroRandByte:
            def __init__(self, rf):
                self.rf = rf

            def __call__(self, c):
                while bord(c) == 0x00:
                    c = self.rf(1)[0]
                return c

        ps = tobytes(
            list(map(nonZeroRandByte(randFunc), randFunc(k - mLen - 3))))
        # Step 2b
        em = b('\x00\x02') + ps + bchr(0x00) + message
        # Step 3a (OS2IP), step 3b (RSAEP), part of step 3c (I2OSP)
        m = self._key.encrypt(em, 0)[0]
        # Complete step 3c (I2OSP)
        c = bchr(0x00) * (k - len(m)) + m
        return c
Ejemplo n.º 8
0
    def sign(self, mhash):
        """Produce the PKCS#1 PSS signature of a message.
    
        This function is named ``RSASSA-PSS-SIGN``, and is specified in
        section 8.1.1 of RFC3447.
    
        :Parameters:
         mhash : hash object
                The hash that was carried out over the message. This is an object
                belonging to the `Crypro.Hash` module.
   
        :Return: The PSS signature encoded as a string.
        :Raise ValueError:
            If the RSA key length is not sufficiently long to deal with the given
            hash algorithm.
        :Raise TypeError:
            If the RSA key has no private half.
    
        :attention: Modify the salt length and the mask generation function only
                    if you know what you are doing.
                    The receiver must use the same parameters too.
        """
        # TODO: Verify the key is RSA

        randfunc = self._key._randfunc

        # Set defaults for salt length and mask generation function
        if self._saltLen == None:
            sLen = mhash.digest_size
        else:
            sLen = self._saltLen
        if self._mgfunc:
            mgf = self._mgfunc
        else:
            mgf = lambda x, y: MGF1(x, y, mhash)

        modBits = Crypro.Util.number.size(self._key.n)

        # See 8.1.1 in RFC3447
        k = ceil_div(modBits, 8)  # Convert from bits to bytes
        # Step 1
        em = EMSA_PSS_ENCODE(mhash, modBits - 1, randfunc, mgf, sLen)
        # Step 2a (OS2IP) and 2b (RSASP1)
        m = self._key.decrypt(em)
        # Step 2c (I2OSP)
        S = bchr(0x00) * (k - len(m)) + m
        return S
Ejemplo n.º 9
0
    def verify(self, mhash, S):
        """Verify that a certain PKCS#1 v1.5 signature is authentic.
    
        This function checks if the party holding the private half of the key
        really signed the message.
    
        This function is named ``RSASSA-PKCS1-V1_5-VERIFY``, and is specified in
        section 8.2.2 of RFC3447.
    
        :Parameters:
         mhash : hash object
                The hash that was carried out over the message. This is an object
                belonging to the `Crypro.Hash` module.
         S : string
                The signature that needs to be validated.
    
        :Return: True if verification is correct. False otherwise.
        """
        # TODO: Verify the key is RSA

        # See 8.2.2 in RFC3447
        modBits = Crypro.Util.number.size(self._key.n)
        k = ceil_div(modBits, 8)  # Convert from bits to bytes

        # Step 1
        if len(S) != k:
            return 0
        # Step 2a (O2SIP) and 2b (RSAVP1)
        # Note that signature must be smaller than the module
        # but RSA.py won't complain about it.
        # TODO: Fix RSA object; don't do it here.
        m = self._key.encrypt(S, 0)[0]
        # Step 2c (I2OSP)
        em1 = bchr(0x00) * (k - len(m)) + m
        # Step 3
        try:
            em2 = EMSA_PKCS1_V1_5_ENCODE(mhash, k)
        except ValueError:
            return 0
        # Step 4
        # By comparing the full encodings (as opposed to checking each
        # of its components one at a time) we avoid attacks to the padding
        # scheme like Bleichenbacher's (see http://www.mail-archive.com/[email protected]/msg06537).
        #
        return em1 == em2
Ejemplo n.º 10
0
    def test_ceil_div(self):
        """Util.number.ceil_div"""
        self.assertRaises(TypeError, number.ceil_div, "1", 1)
        self.assertRaises(ZeroDivisionError, number.ceil_div, 1, 0)
        self.assertRaises(ZeroDivisionError, number.ceil_div, -1, 0)

        # b = -1
        self.assertEqual(0, number.ceil_div(0, -1))
        self.assertEqual(-1, number.ceil_div(1, -1))
        self.assertEqual(-2, number.ceil_div(2, -1))
        self.assertEqual(-3, number.ceil_div(3, -1))

        # b = 1
        self.assertEqual(0, number.ceil_div(0, 1))
        self.assertEqual(1, number.ceil_div(1, 1))
        self.assertEqual(2, number.ceil_div(2, 1))
        self.assertEqual(3, number.ceil_div(3, 1))

        # b = 2
        self.assertEqual(0, number.ceil_div(0, 2))
        self.assertEqual(1, number.ceil_div(1, 2))
        self.assertEqual(1, number.ceil_div(2, 2))
        self.assertEqual(2, number.ceil_div(3, 2))
        self.assertEqual(2, number.ceil_div(4, 2))
        self.assertEqual(3, number.ceil_div(5, 2))

        # b = 3
        self.assertEqual(0, number.ceil_div(0, 3))
        self.assertEqual(1, number.ceil_div(1, 3))
        self.assertEqual(1, number.ceil_div(2, 3))
        self.assertEqual(1, number.ceil_div(3, 3))
        self.assertEqual(2, number.ceil_div(4, 3))
        self.assertEqual(2, number.ceil_div(5, 3))
        self.assertEqual(2, number.ceil_div(6, 3))
        self.assertEqual(3, number.ceil_div(7, 3))

        # b = 4
        self.assertEqual(0, number.ceil_div(0, 4))
        self.assertEqual(1, number.ceil_div(1, 4))
        self.assertEqual(1, number.ceil_div(2, 4))
        self.assertEqual(1, number.ceil_div(3, 4))
        self.assertEqual(1, number.ceil_div(4, 4))
        self.assertEqual(2, number.ceil_div(5, 4))
        self.assertEqual(2, number.ceil_div(6, 4))
        self.assertEqual(2, number.ceil_div(7, 4))
        self.assertEqual(2, number.ceil_div(8, 4))
        self.assertEqual(3, number.ceil_div(9, 4))

        # b = -4
        self.assertEqual(3, number.ceil_div(-9, -4))
        self.assertEqual(2, number.ceil_div(-8, -4))
        self.assertEqual(2, number.ceil_div(-7, -4))
        self.assertEqual(2, number.ceil_div(-6, -4))
        self.assertEqual(2, number.ceil_div(-5, -4))
        self.assertEqual(1, number.ceil_div(-4, -4))
        self.assertEqual(1, number.ceil_div(-3, -4))
        self.assertEqual(1, number.ceil_div(-2, -4))
        self.assertEqual(1, number.ceil_div(-1, -4))
        self.assertEqual(0, number.ceil_div(0, -4))
        self.assertEqual(0, number.ceil_div(1, -4))
        self.assertEqual(0, number.ceil_div(2, -4))
        self.assertEqual(0, number.ceil_div(3, -4))
        self.assertEqual(-1, number.ceil_div(4, -4))
        self.assertEqual(-1, number.ceil_div(5, -4))
        self.assertEqual(-1, number.ceil_div(6, -4))
        self.assertEqual(-1, number.ceil_div(7, -4))
        self.assertEqual(-2, number.ceil_div(8, -4))
        self.assertEqual(-2, number.ceil_div(9, -4))
Ejemplo n.º 11
0
  def decrypt(self, ct):
      """Decrypt a PKCS#1 OAEP ciphertext.
  
      This function is named ``RSAES-OAEP-DECRYPT``, and is specified in
      section 7.1.2 of RFC3447.
  
      :Parameters:
       ct : string
              The ciphertext that contains the message to recover.
 
      :Return: A string, the original message.
      :Raise ValueError:
          If the ciphertext length is incorrect, or if the decryption does not
          succeed.
      :Raise TypeError:
          If the RSA key has no private half.
      """
      # TODO: Verify the key is RSA
  
      # See 7.1.2 in RFC3447
      modBits = Crypro.Util.number.size(self._key.n)
      k = ceil_div(modBits,8) # Convert from bits to bytes
      hLen = self._hashObj.digest_size
  
      # Step 1b and 1c
      if len(ct) != k or k<hLen+2:
          raise ValueError("Ciphertext with incorrect length.")
      # Step 2a (O2SIP), 2b (RSADP), and part of 2c (I2OSP)
      m = self._key.decrypt(ct)
      # Complete step 2c (I2OSP)
      em = bchr(0x00)*(k-len(m)) + m
      # Step 3a
      lHash = self._hashObj.new(self._label).digest()
      # Step 3b
      y = em[0]
      # y must be 0, but we MUST NOT check it here in order not to
      # allow attacks like Manger's (http://dl.acm.org/citation.cfm?id=704143)
      maskedSeed = em[1:hLen+1]
      maskedDB = em[hLen+1:]
      # Step 3c
      seedMask = self._mgf(maskedDB, hLen)
      # Step 3d
      seed = strxor(maskedSeed, seedMask)
      # Step 3e
      dbMask = self._mgf(seed, k-hLen-1)
      # Step 3f
      db = strxor(maskedDB, dbMask)
      # Step 3g
      valid = 1
      one = db[hLen:].find(bchr(0x01))
      lHash1 = db[:hLen]
      if lHash1!=lHash:
          valid = 0
      if one<0:
          valid = 0
      if bord(y)!=0:
          valid = 0
      if not valid:
          raise ValueError("Incorrect decryption.")
      # Step 4
      return db[hLen+one+1:]
Ejemplo n.º 12
0
 def getrandbits(self, k):
     """Return a python long integer with k random bits."""
     if self._randfunc is None:
         self._randfunc = Random.new().read
     mask = (1 << k) - 1
     return mask & bytes_to_long(self._randfunc(ceil_div(k, 8)))
Ejemplo n.º 13
0
    def decrypt(self, ct, sentinel):
        """Decrypt a PKCS#1 v1.5 ciphertext.
    
        This function is named ``RSAES-PKCS1-V1_5-DECRYPT``, and is specified in
        section 7.2.2 of RFC3447.
        For a complete example see `Crypro.Cipher.PKCS1_v1_5`.
    
        :Parameters:
         ct : byte string
                The ciphertext that contains the message to recover.
         sentinel : any type
                The object to return to indicate that an error was detected during decryption.
    
        :Return: A byte string. It is either the original message or the ``sentinel`` (in case of an error).
        :Raise ValueError:
            If the ciphertext length is incorrect
        :Raise TypeError:
            If the RSA key has no private half.
    
        :attention:
            You should **never** let the party who submitted the ciphertext know that
            this function returned the ``sentinel`` value.
            Armed with such knowledge (for a fair amount of carefully crafted but invalid ciphertexts),
            an attacker is able to recontruct the plaintext of any other encryption that were carried out
            with the same RSA public key (see `Bleichenbacher's`__ attack).
            
            In general, it should not be possible for the other party to distinguish
            whether processing at the server side failed because the value returned
            was a ``sentinel`` as opposed to a random, invalid message.
            
            In fact, the second option is not that unlikely: encryption done according to PKCS#1 v1.5
            embeds no good integrity check. There is roughly one chance
            in 2^16 for a random ciphertext to be returned as a valid message
            (although random looking).
    
            It is therefore advisabled to:
    
            1. Select as ``sentinel`` a value that resembles a plausable random, invalid message.
            2. Not report back an error as soon as you detect a ``sentinel`` value.
               Put differently, you should not explicitly check if the returned value is the ``sentinel`` or not.
            3. Cover all possible errors with a single, generic error indicator.
            4. Embed into the definition of ``message`` (at the protocol level) a digest (e.g. ``SHA-1``).
               It is recommended for it to be the rightmost part ``message``.
            5. Where possible, monitor the number of errors due to ciphertexts originating from the same party,
               and slow down the rate of the requests from such party (or even blacklist it altogether).
     
            **If you are designing a new protocol, consider using the more robust PKCS#1 OAEP.**
    
            .. __: http://www.bell-labs.com/user/bleichen/papers/pkcs.ps
    
        """

        # TODO: Verify the key is RSA

        # See 7.2.1 in RFC3447
        modBits = Crypro.Util.number.size(self._key.n)
        k = ceil_div(modBits, 8)  # Convert from bits to bytes

        # Step 1
        if len(ct) != k:
            raise ValueError("Ciphertext with incorrect length.")
        # Step 2a (O2SIP), 2b (RSADP), and part of 2c (I2OSP)
        m = self._key.decrypt(ct)
        # Complete step 2c (I2OSP)
        em = bchr(0x00) * (k - len(m)) + m
        # Step 3
        sep = em.find(bchr(0x00), 2)
        if not em.startswith(b('\x00\x02')) or sep < 10:
            return sentinel
        # Step 4
        return em[sep + 1:]
Ejemplo n.º 14
0
def EMSA_PSS_VERIFY(mhash, em, emBits, mgf, sLen):
    """
    Implement the ``EMSA-PSS-VERIFY`` function, as defined
    in PKCS#1 v2.1 (RFC3447, 9.1.2).

    ``EMSA-PSS-VERIFY`` actually accepts the message ``M`` as input,
    and hash it internally. Here, we expect that the message has already
    been hashed instead.

    :Parameters:
     mhash : hash object
            The hash object that holds the digest of the message to be verified.
     em : string
            The signature to verify, therefore proving that the sender really signed
            the message that was received.
     emBits : int
            Length of the final encoding (em), in bits.
     mgf : callable
            A mask generation function that accepts two parameters: a string to
            use as seed, and the lenth of the mask to generate, in bytes.
     sLen : int
            Length of the salt, in bytes.

    :Return: 0 if the encoding is consistent, 1 if it is inconsistent.

    :Raise ValueError:
        When digest or salt length are too big.
    """

    emLen = ceil_div(emBits, 8)

    # Bitmask of digits that fill up
    lmask = 0
    for i in range(8 * emLen - emBits):
        lmask = lmask >> 1 | 0x80

    # Step 1 and 2 have been already done
    # Step 3
    if emLen < mhash.digest_size + sLen + 2:
        return False
    # Step 4
    if ord(em[-1:]) != 0xBC:
        return False
    # Step 5
    maskedDB = em[:emLen - mhash.digest_size - 1]
    h = em[emLen - mhash.digest_size - 1:-1]
    # Step 6
    if lmask & bord(em[0]):
        return False
    # Step 7
    dbMask = mgf(h, emLen - mhash.digest_size - 1)
    # Step 8
    db = strxor(maskedDB, dbMask)
    # Step 9
    db = bchr(bord(db[0]) & ~lmask) + db[1:]
    # Step 10
    if not db.startswith(
            bchr(0x00) * (emLen - mhash.digest_size - sLen - 2) + bchr(0x01)):
        return False
    # Step 11
    salt = b("")
    if sLen: salt = db[-sLen:]
    # Step 12 and 13
    hp = mhash.new(bchr(0x00) * 8 + mhash.digest() + salt).digest()
    # Step 14
    if h != hp:
        return False
    return True