def verify_sig_chain_trc(msg, sig, subject, chain, trc): """ Verify whether the packed message with attached signature is validly signed by a particular subject belonging to a valid certificate chain. :param bytes msg: message corresponding to the given signature. :param bytes sig: signature computed on msg. :param ISD_AS subject: signer identity. :param CertificateChain chain: Certificate chain containing the signing entity's certificate. :param TRC trc: Issuing TRC containing all root of trust certificates for one ISD. :raises: SCIONVerificationError if the verification fails. """ assert isinstance(chain, CertificateChain) assert isinstance(trc, TRC) subject = str(subject) try: chain.verify(subject, trc) except SCIONVerificationError as e: raise SCIONVerificationError( "The certificate chain verification failed:\n%s" % e) verifying_key = None for signer_cert in chain.certs: if signer_cert.subject == subject: verifying_key = signer_cert.subject_sig_key_raw break if verifying_key is None: if subject not in trc.core_ases: raise SCIONVerificationError( "Signer's public key has not been found: %s" % subject) verifying_key = trc.core_ases[subject].subject_sig_key_raw verify(msg, sig, verifying_key)
def verify_sig_chain_trc(msg, sig, subject, chain, trc, trc_ver): """ Verify whether the packed message with attached signature is validly signed by a particular subject belonging to a valid certificate chain. :param str msg: message corresponding to the given signature. :param bytes sig: signature computed on msg. :param str subject: signer identity. :param chain: Certificate chain containing the signing entity's certificate. :type chain: :class:`CertificateChain` :param trc: Current TRC containing all root of trust certificates for one ISD. :type trc: :class:`TRC` :param trc_ver: The TRCs version :returns: True or False whether the verification is successful or not. :rtype: bool """ assert isinstance(chain, CertificateChain) assert isinstance(trc, TRC) if not chain.verify(subject, trc): logging.error("The certificate chain verification failed.") return False verifying_key = None for signer_cert in chain.certs: if signer_cert.subject == subject: verifying_key = signer_cert.subject_sig_key_raw break if verifying_key is None: if subject not in trc.core_ases: logging.error("Signer's public key has not been found.") return False verifying_key = trc.core_ases[subject].subject_sig_key_raw return verify(msg, sig, verifying_key)
def verify_sig_chain_trc(msg, sig, subject, chain, trc): """ Verify whether the packed message with attached signature is validly signed by a particular subject belonging to a valid certificate chain. :param bytes msg: message corresponding to the given signature. :param bytes sig: signature computed on msg. :param ISD_AS subject: signer identity. :param CertificateChain chain: Certificate chain containing the signing entity's certificate. :param TRC trc: Issuing TRC containing all root of trust certificates for one ISD. :raises: SCIONVerificationError if the verification fails. """ assert isinstance(chain, CertificateChain), type(chain) assert isinstance(trc, TRC), type(trc) verify_chain_trc(subject, chain, trc) verifying_key = chain.as_cert.subject_sig_key_raw if not verifying_key: raise SCIONVerificationError("Signer's public key has not been found: %s" % subject) verify(msg, sig, verifying_key)
def _verify_signature(self, signature, public_key): """ Checks if the signature can be verified with the given public key for a single signature :returns: True if the given signature could be verified with the given key, False otherwise :rtype bool """ if not verify(self._sig_input(), signature, public_key): return False return True
def verify(self, key, msg): assert isinstance(msg, bytes), type(msg) if len(msg) == 0: raise ProtoSignError("Message is empty (verify)") if self.p.type == ProtoSignType.NONE: return True if len(self.p.signature) == 0: raise ProtoSignError("No signature to verify") elif self.p.type == ProtoSignType.ED25519: return verify(self._sig_input(msg), self.p.signature, key) else: raise ProtoSignError("Unsupported proto signature type (verify): %s" % self.p.type)
def _verify_signatures(self, old_trc): """ Perform signature verification for core signatures as defined in old TRC. Raises an error if verification is unsuccessful. :param: TRC old_trc: the previous TRC which has already been verified. :raises: SCIONVerificationError """ # Only look at signatures which are from core ASes as defined in old TRC val_count = 0 # Count number of verifiable signatures for signer in old_trc.core_ases.keys(): public_key = old_trc.core_ases[signer][ONLINE_KEY_STRING] try: verify(self._sig_input(), self.signatures[signer], public_key) val_count += 1 except (SCIONVerificationError, KeyError): continue # Check if enough valid signatures if val_count < old_trc.quorum_trc: raise SCIONVerificationError("Not enough valid signatures %s. Expected %s" % ( val_count, old_trc.quorum_trc))
def verify(self): """ Perform signatures verification. :returns: True or False whether the verification succeeds or fails. :rtype: bool """ msg = self.to_json(with_signatures=False).encode('utf-8') for signer in self.signatures: if signer not in self.core_ases: logging.warning("A signature could not be verified.") return False public_key = self.core_ases[signer].subject_sig_key if not verify(msg, self.signatures[signer], public_key): logging.warning("A signature is not valid.") return False return True
def verify(self, subject, issuer_cert): """ Perform one step verification. :param str subject: the certificate subject. It can either be an AS, an email address or a domain address. :param str issuer_cert: the certificate issuer. It can only be an AS. :returns: True or False whether the verification succeeds or fails. :rtype: bool """ if int(time.time()) >= self.expiration_time: logging.warning("The certificate is expired.") return False if subject != self.subject: logging.warning("The given subject doesn't match the " + "certificate's subject") return False msg = self.__str__(with_signature=False).encode('utf-8') return verify(msg, self.signature, issuer_cert.subject_sig_key)
def _verify_signature(self, signature, public_key): """ Checks if the signature can be verified with the given public key """ verify(self._sig_input(), signature, public_key)
def validate(self, pubkey): inst = copy.copy(self) inst.signature = b"" if not verify(inst.pack(), self.signature, pubkey): raise EEPKIValidationError("Incorrect signature") return True