def verify(message, signature, pub_key): """Verifies that the signature matches the message. The hash method is detected automatically from the signature. :param message: the signed message. Can be an 8-bit string or a file-like object. If ``message`` has a ``read()`` method, it is assumed to be a file-like object. :param signature: the signature block, as created with :py:func:`rsa.sign`. :param pub_key: the :py:class:`adafruit_rsaPublicKey` of the person signing the message. :raise VerificationError: when the signature doesn't match the message. :returns: the name of the used hash. """ keylength = common.byte_size(pub_key.n) encrypted = transform.bytes2int(signature) decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n) clearsig = transform.int2bytes(decrypted, keylength) # Get the hash method method_name = _find_method_hash(clearsig) message_hash = compute_hash(message, method_name) # Reconstruct the expected padded hash cleartext = HASH_ASN1[method_name] + message_hash expected = _pad_for_signing(cleartext, keylength) # Compare with the signed one if expected != clearsig: raise VerificationError("Verification failed") return method_name
def sign_hash(hash_value, priv_key, hash_method): """Signs a precomputed hash with the private key. Hashes the message, then signs the hash with the given key. This is known as a "detached signature", because the message itself isn't altered. :param hash_value: A precomputed hash to sign (ignores message). Should be set to None if needing to hash and sign message. :param priv_key: the :py:class:`adafruit_rsaPrivateKey` to sign with :param hash_method: the hash method used on the message. Use 'MD5', 'SHA-1', 'SHA-224', SHA-256', 'SHA-384' or 'SHA-512'. :return: a message signature block. :raise OverflowError: if the private key is too small to contain the requested hash. """ # Get the ASN1 code for this hash method if hash_method not in HASH_ASN1: raise ValueError("Invalid hash method: %s" % hash_method) asn1code = HASH_ASN1[hash_method] # Encrypt the hash with the private key cleartext = asn1code + hash_value keylength = common.byte_size(priv_key.n) padded = _pad_for_signing(cleartext, keylength) payload = transform.bytes2int(padded) encrypted = priv_key.blinded_encrypt(payload) block = transform.int2bytes(encrypted, keylength) return block
def encrypt(message, pub_key): """Encrypts the given message using PKCS#1 v1.5 :param message: the message to encrypt. Must be a byte string no longer than ``k-11`` bytes, where ``k`` is the number of bytes needed to encode the ``n`` component of the public key. :param pub_key: the :py:class:`adafruit_rsaPublicKey` to encrypt with. :raise OverflowError: when the message is too large to fit in the padded block. >>> from adafruit_rsa.rsa import key, common >>> (pub_key, priv_key) = key.newkeys(256) >>> message = b'hello' >>> crypto = encrypt(message, pub_key) The crypto text should be just as long as the public key 'n' component: >>> len(crypto) == common.byte_size(pub_key.n) True """ keylength = common.byte_size(pub_key.n) padded = _pad_for_encryption(message, keylength) payload = transform.bytes2int(padded) encrypted = core.encrypt_int(payload, pub_key.e, pub_key.n) block = transform.int2bytes(encrypted, keylength) return block
def read_random_int(nbits): """Reads a random integer of approximately nbits bits.""" randomdata = read_random_bits(nbits) value = transform.bytes2int(randomdata) # Ensure that the number is large enough to just fill out the required # number of bits. value |= 1 << (nbits - 1) return value
def find_signature_hash(signature, pub_key): """Returns the hash name detected from the signature. If you also want to verify the message, use :py:func:`adafruit_rsaverify()` instead. It also returns the name of the used hash. :param signature: the signature block, as created with :py:func:`adafruit_rsasign`. :param pub_key: the :py:class:`adafruit_rsaPublicKey` of the person signing the message. :returns: the name of the used hash. """ keylength = common.byte_size(pub_key.n) encrypted = transform.bytes2int(signature) decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n) clearsig = transform.int2bytes(decrypted, keylength) return _find_method_hash(clearsig)
def decrypt(crypto, priv_key): """Decrypts the given message using PKCS#1 v1.5 The decryption is considered 'failed' when the resulting cleartext doesn't start with the bytes 00 02, or when the 00 byte between the padding and the message cannot be found. :param crypto: the crypto text as returned by :py:func:`adafruit_rsaencrypt` :param priv_key: the :py:class:`adafruit_rsaPrivateKey` to decrypt with. :raise DecryptionError: when the decryption fails. No details are given as to why the code thinks the decryption fails, as this would leak information about the private key. >>> import adafruit_rsa.rsa >>> (pub_key, priv_key) = adafruit_rsanewkeys(256) It works with strings: >>> crypto = encrypt(b'hello', pub_key) >>> decrypt(crypto, priv_key) b'hello' And with binary data: >>> crypto = encrypt(b'\x00\x00\x00\x00\x01', pub_key) >>> decrypt(crypto, priv_key) b'\x00\x00\x00\x00\x01' Altering the encrypted information will *likely* cause a :py:class:`adafruit_rsapkcs1.DecryptionError`. If you want to be *sure*, use :py:func:`adafruit_rsasign`. .. warning:: Never display the stack trace of a :py:class:`adafruit_rsapkcs1.DecryptionError` exception. It shows where in the code the exception occurred, and thus leaks information about the key. It's only a tiny bit of information, but every bit makes cracking the keys easier. >>> crypto = encrypt(b'hello', pub_key) >>> crypto = crypto[0:5] + b'X' + crypto[6:] # change a byte >>> decrypt(crypto, priv_key) Traceback (most recent call last): ... adafruit_rsapkcs1.DecryptionError: Decryption failed """ blocksize = common.byte_size(priv_key.n) encrypted = transform.bytes2int(crypto) decrypted = priv_key.blinded_decrypt(encrypted) cleartext = transform.int2bytes(decrypted, blocksize) # Find the 00 separator between the padding and the message try: sep_idx = cleartext.index(b"\x00", 2) except ValueError: raise DecryptionError("Decryption failed") return cleartext[sep_idx + 1:]