def c_verify(h_session, h_key, data_to_verify, signature, mechanism):
    """Verifies data with the given signature, key and mechanism.

    .. note:: If data is a list or tuple of strings, multi-part operations will be used.

    :param int h_session: Session handle
    :param data_to_verify: The data to sign, either a string or a list of strings. If this is a list
                         a multipart operation will be used.

                         ex:

                         - "This is a proper argument of some data to use in the function"
                         - ["This is another format of data this", "function will accept.",
                           "It will operate on these strings in parts"]
    :param bytes signature: Signature with which to verify the data.
    :param int h_key: The verifying key
    :param mechanism: See the :py:func:`~pypkcs11.mechanism.parse_mechanism` function
        for possible values.
    :return: retcode of verify operation
    """

    mech = parse_mechanism(mechanism)

    # Initialize the verify operation
    ret = C_VerifyInit(h_session, mech, CK_ULONG(h_key))
    if ret != CKR_OK:
        return ret

    # if a list is passed out do a verify operation on each string in the list,
    # otherwise just do one verify operation
    is_multi_part_operation = isinstance(data_to_verify, list) or isinstance(
        data_to_verify, tuple)

    if is_multi_part_operation:
        ret = do_multipart_verify(h_session, data_to_verify, signature)
    else:
        # Prepare the data to verify
        c_data_to_verify, plain_data_len = to_byte_array(
            from_bytestring(data_to_verify))
        c_data_to_verify = cast(c_data_to_verify, POINTER(c_ubyte))

        c_signature, c_sig_length = to_byte_array(from_bytestring(signature))
        c_signature = cast(c_signature, POINTER(c_ubyte))

        # Actually verify the data
        ret = C_Verify(h_session, c_data_to_verify, plain_data_len,
                       c_signature, c_sig_length)

    return ret
def to_byte_array(val, reverse=False):
    """Converts an arbitrarily sized integer, list, or byte array
    into a byte array.

    It'll zero-pad the bit length so it's a multiple of 8, then convert
    the int to binary, split the binary string into sections of 8, then
    place each section into a slot in a :class:`ctypes.c_ubyte` array (converting to small
    int).

    :param val: Value to convert
    :param reverse: Whether to convert from C -> Python
    :return: (:class:`ctypes.c_void_p` ptr to :class:`pypkcs11.cryptoki.CK_BYTE` array,
    :class:`ctypes.c_ulong` size of array)
    """
    if reverse:
        LOG.debug(
            "Attempting to convert CK_ATTRIBUTE(len:%s, data:%s, type:%s) back to hex",
            val.usValueLen, val.pValue, val.type)
        data_list = list(cast(val.pValue, POINTER(c_ubyte))[0:val.usValueLen])
        fin = binascii.hexlify(bytearray(data_list))
        LOG.debug("Final hex data: %s", fin)
        return fin

    if not isinstance(val, (binary_type, collections.Iterable, integer_types)):
        raise TypeError("Unknown conversion to byte array for type {}".format(
            type(val)))

    if isinstance(val, binary_type):
        # Hex-string in form '0xdeadbeef''
        if val.startswith(b"0x"):
            val = val.replace(b"0x", b"", 1)
        # Raw byte data: '\xde\xad\xbe\xef"
        if "\\x" in repr(val):
            val = list(from_bytestring(val))
            byte_array = (CK_BYTE * len(val))(*val)
        # Hex string: '01af'
        else:
            val = int(val, 16)
    elif isinstance(val, collections.Iterable):
        py_bytes = bytearray(val)
        byte_array = (CK_BYTE * len(py_bytes))(*py_bytes)

    if isinstance(val, integer_types):
        # Explicitly convert to a long. Python doesn't like X.bit_length() where X is an int
        # and not a variable assigned an int.
        x = val
        width = x.bit_length()
        width += 8 - ((width % 8) or 8)

        fmt = "{:0%sb}" % width
        str_val = fmt.format(val)
        n = 8
        str_array = [str_val[i:i + n] for i in range(0, len(str_val), n)]
        byte_array = (CK_BYTE *
                      len(str_array))(*[int(x, 2) for x in str_array])

    return cast(pointer(byte_array), c_void_p), CK_ULONG(sizeof(byte_array))
def do_multipart_verify(h_session, input_data_list, signature):
    """
    Do a multipart verify operation

    :param int h_session: Session handle
    :param input_data_list: list of data to verify with
    :param signature: signature to verify
    :return: The result code
    """
    error = None
    for index, chunk in enumerate(input_data_list):

        data_chunk, data_chunk_len = to_byte_array(from_bytestring(chunk))
        data_chunk = cast(data_chunk, POINTER(c_ubyte))

        ret = C_VerifyUpdate(h_session, data_chunk, data_chunk_len)
        if ret != CKR_OK:
            error = ret
            break

    # An C_VerifyUpdate failed. We should still try to call C_**Final() though to ensure
    #  that the
    # operation is still finalized, but we'll return the original error code.
    if error:
        ret = C_VerifyFinal(
            h_session, cast(create_string_buffer(b"", MAX_BUFFER),
                            CK_BYTE_PTR), CK_ULONG(MAX_BUFFER))
        LOG.debug(
            "C_VerifyFinal call after a C_VerifyUpdate failure returned:"
            " %s (%s)", ret_vals_dictionary.get(ret, "Unknown retcode"),
            str(hex(ret)))
        return error, None

    # Finalizing multipart decrypt operation
    c_sig_data, c_sig_data_len = to_byte_array(from_bytestring(signature))
    output = cast(c_sig_data, CK_BYTE_PTR)
    ret = C_VerifyFinal(h_session, output, c_sig_data_len)
    return ret
def do_multipart_sign_or_digest(h_session,
                                c_update_function,
                                c_final_function,
                                input_data_list,
                                output_buffer=None):
    """
    Do a multipart sign or digest operation

    :param int h_session: Session handle
    :param func c_update_function: signing update function
    :param func c_final_function: signing finalization function
    :param iterable input_data_list: Iterable of data to sign.
    :param int output_buffer: Integer that specifies a size of an output bufffer to use
        for the Sign/Digeste operation. By default will query with NULL pointer buffer
        to get required size of buffer
    :return: The result code, A python string representing the signature
    """
    error = None

    for index, chunk in enumerate(input_data_list):
        data_chunk, data_chunk_len = to_byte_array(from_bytestring(chunk))
        data_chunk = cast(data_chunk, POINTER(c_ubyte))

        ret = c_update_function(h_session, data_chunk, data_chunk_len)
        if ret != CKR_OK:
            LOG.debug("%s call on chunk %.20s (%s/%s) Failed w/ ret %s (%s)",
                      c_update_function.__name__, chunk, index + 1,
                      len(input_data_list),
                      ret_vals_dictionary.get(ret, "Unknown retcode"),
                      str(hex(ret)))
            error = ret
            break

    # An Update function failed. We should still try to call C_**Final() though to ensure that the
    # operation is still finalized, but we'll return the original error code.
    if error:
        ret = c_final_function(
            h_session, cast(create_string_buffer(b'', MAX_BUFFER),
                            CK_BYTE_PTR), CK_ULONG(MAX_BUFFER))
        LOG.debug("%s call after a %s failure returned: %s (%s)",
                  c_final_function.__name__, c_update_function.__name__,
                  ret_vals_dictionary.get(ret,
                                          "Unknown retcode"), str(hex(ret)))
        return error, None

    if output_buffer is not None:
        size = CK_ULONG(output_buffer)
        out_data = AutoCArray(ctype=c_ubyte, size=size)

        ret = c_final_function(h_session, out_data.array, out_data.size)

    else:
        out_data = AutoCArray(ctype=c_ubyte)

        @refresh_c_arrays(1)
        def _final():
            """
            Closure to acces AutoCArray properties correctly
            """
            return c_final_function(h_session, out_data.array, out_data.size)

        ret = _final()

    if ret != CKR_OK:
        return ret, None
    else:
        python_string = string_at(out_data.array, out_data.size.contents.value)
        return ret, python_string
def c_sign(h_session, h_key, data_to_sign, mechanism, output_buffer=None):
    """Signs the given data with given key and mechanism.

    .. note:: If data is a list or tuple of strings, multi-part operations will be used.

    :param int h_session: Session handle
    :param data_to_sign: The data to sign, either a string or a list of strings. If this is a list
         a multipart operation will be used.

         ex:

             - "This is a proper argument of some data to use in the function"
             - ["This is another format of data this", "function will accept.",
               "It will operate on these strings in parts"]

    :param int h_key: The signing key
    :param mechanism: See the :py:func:`~pypkcs11.mechanism.parse_mechanism` function
        for possible values.
    :param list|int output_buffer: Integer or list of integers that specify a size of output
        buffer to use for an operation. By default will query with NULL pointer buffer
        to get required size of buffer.
    :return: (retcode, python string of signed data)
    :rtype: tuple
    """

    mech = parse_mechanism(mechanism)

    # Initialize the sign operation
    ret = C_SignInit(h_session, byref(mech), CK_ULONG(h_key))
    if ret != CKR_OK:
        return ret, None

    # if a list is passed out do a sign operation on each string in the list,
    # otherwise just do one sign operation
    is_multi_part_operation = isinstance(data_to_sign, (list, tuple))

    if is_multi_part_operation:
        ret, signature_string = do_multipart_sign_or_digest(
            h_session,
            C_SignUpdate,
            C_SignFinal,
            data_to_sign,
            output_buffer=output_buffer)
    else:
        # Prepare the data to sign
        c_data_to_sign, plain_date_len = to_byte_array(
            from_bytestring(data_to_sign))
        c_data_to_sign = cast(c_data_to_sign, POINTER(c_ubyte))

        if output_buffer is not None:
            size = CK_ULONG(output_buffer)
            signed_data = AutoCArray(ctype=c_ubyte, size=size)
            ret = C_Sign(h_session, c_data_to_sign, plain_date_len,
                         signed_data.array, signed_data.size)
        else:
            signed_data = AutoCArray(ctype=c_ubyte)

            @refresh_c_arrays(1)
            def _sign():
                """Perform the signing operation"""
                return C_Sign(h_session, c_data_to_sign, plain_date_len,
                              signed_data.array, signed_data.size)

            ret = _sign()
        if ret != CKR_OK:
            return ret, None

        signature_string = string_at(signed_data.array,
                                     signed_data.size.contents.value)

    return ret, signature_string
Example #6
0
def c_digest(h_session,
             data_to_digest,
             digest_flavor,
             mechanism=None,
             output_buffer=None):
    """Digests some data

    :param int h_session: Session handle
    :param bytes data_to_digest: The data to digest, either a string or a list of strings.
        If this is a list a multipart operation will be used
    :param int digest_flavor: The flavour of the mechanism to digest (MD2, SHA-1, HAS-160,
        SHA224, SHA256, SHA384, SHA512)
    :param mechanism: See the :py:func:`~pypkcs11.mechanism.parse_mechanism` function
        for possible values. If None will use digest flavor.
    :param list|int output_buffer: Integer or list of integers that specify a size of output
        buffer to use for an operation. By default will query with NULL pointer buffer
        to get required size of buffer.
    :returns: (retcode, a python string of the digested data)
    :rtype: tuple
    """
    if mechanism is None:
        mech = parse_mechanism(digest_flavor)
    else:
        mech = parse_mechanism(mechanism)

    # Initialize Digestion
    ret = C_DigestInit(h_session, mech)
    if ret != CKR_OK:
        return ret, None

    # if a list is passed out do an digest operation on each string in the list, otherwise just
    # do one digest operation
    is_multi_part_operation = isinstance(data_to_digest, (list, tuple))

    if is_multi_part_operation:
        ret, digested_python_string = do_multipart_sign_or_digest(
            h_session,
            C_DigestUpdate,
            C_DigestFinal,
            data_to_digest,
            output_buffer=output_buffer)
    else:
        # Get arguments
        c_data_to_digest, c_digest_data_len = to_byte_array(
            from_bytestring(data_to_digest))
        c_data_to_digest = cast(c_data_to_digest, POINTER(c_ubyte))

        if output_buffer is not None:
            size = CK_ULONG(output_buffer)
            digested_data = AutoCArray(ctype=c_ubyte, size=size)
            ret = C_Digest(h_session, c_data_to_digest, c_digest_data_len,
                           digested_data.array, digested_data.size)
        else:
            digested_data = AutoCArray(ctype=c_ubyte)

            @refresh_c_arrays(1)
            def _digest():
                """ Perform the digest operations
                """
                return C_Digest(h_session, c_data_to_digest, c_digest_data_len,
                                digested_data.array, digested_data.size)

            ret = _digest()

        if ret != CKR_OK:
            return ret, None

        # Convert Digested data into a python string
        digested_python_string = string_at(digested_data.array,
                                           digested_data.size.contents.value)

    return ret, digested_python_string