def test_verify_signature_ECC(self, mock_get_pub_key):
        data = b'224626ae19824466f2a7f39ab7b80f7f'
        # test every ECC curve
        for curve in signature_utils.ECC_CURVES:
            key_type_name = 'ECC_' + curve.name.upper()
            try:
                signature_utils.SignatureKeyType.lookup(key_type_name)
            except exception.SignatureVerificationError:
                import warnings
                warnings.warn("ECC curve '%s' not supported" % curve.name)
                continue

            # Create a private key to use
            private_key = ec.generate_private_key(curve,
                                                  default_backend())
            mock_get_pub_key.return_value = private_key.public_key()
            for hash_name, hash_alg in signature_utils.HASH_METHODS.items():
                signer = private_key.signer(
                    ec.ECDSA(hash_alg)
                )
                signer.update(data)
                signature = base64.b64encode(signer.finalize())
                image_props = {CERT_UUID:
                               'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
                               HASH_METHOD: hash_name,
                               KEY_TYPE: key_type_name,
                               SIGNATURE: signature}
                verifier = signature_utils.get_verifier(None, image_props)
                verifier.update(data)
                verifier.verify()
Exemple #2
0
    def test_verify_signature_ECC(self, mock_get_pub_key):
        data = b'224626ae19824466f2a7f39ab7b80f7f'
        # test every ECC curve
        for curve in signature_utils.ECC_CURVES:
            key_type_name = 'ECC_' + curve.name.upper()
            try:
                signature_utils.SignatureKeyType.lookup(key_type_name)
            except exception.SignatureVerificationError:
                import warnings
                warnings.warn("ECC curve '%s' not supported" % curve.name)
                continue

            # Create a private key to use
            private_key = ec.generate_private_key(curve, default_backend())
            mock_get_pub_key.return_value = private_key.public_key()
            for hash_name, hash_alg in signature_utils.HASH_METHODS.items():
                signer = private_key.signer(ec.ECDSA(hash_alg))
                signer.update(data)
                signature = base64.b64encode(signer.finalize())
                image_props = {
                    CERT_UUID: 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
                    HASH_METHOD: hash_name,
                    KEY_TYPE: key_type_name,
                    SIGNATURE: signature
                }
                verifier = signature_utils.get_verifier(None, image_props)
                verifier.update(data)
                verifier.verify()
 def test_verify_signature_bad_signature(self, mock_get_pub_key):
     data = b'224626ae19824466f2a7f39ab7b80f7f'
     mock_get_pub_key.return_value = TEST_PRIVATE_KEY.public_key()
     image_properties = {CERT_UUID:
                         'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
                         HASH_METHOD: 'SHA-256',
                         KEY_TYPE: 'RSA-PSS',
                         SIGNATURE: 'BLAH'}
     verifier = signature_utils.get_verifier(None, image_properties)
     verifier.update(data)
     self.assertRaises(crypto_exception.InvalidSignature,
                       verifier.verify)
Exemple #4
0
 def test_verify_signature_bad_signature(self, mock_get_pub_key):
     data = b'224626ae19824466f2a7f39ab7b80f7f'
     mock_get_pub_key.return_value = TEST_RSA_PRIVATE_KEY.public_key()
     image_properties = {
         CERT_UUID: 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
         HASH_METHOD: 'SHA-256',
         KEY_TYPE: 'RSA-PSS',
         SIGNATURE: 'BLAH'
     }
     verifier = signature_utils.get_verifier(None, image_properties)
     verifier.update(data)
     self.assertRaises(crypto_exception.InvalidSignature, verifier.verify)
Exemple #5
0
 def test_verify_signature_DSA(self, mock_get_pub_key):
     data = b'224626ae19824466f2a7f39ab7b80f7f'
     mock_get_pub_key.return_value = TEST_DSA_PRIVATE_KEY.public_key()
     for hash_name, hash_alg in signature_utils.HASH_METHODS.items():
         signer = TEST_DSA_PRIVATE_KEY.signer(hash_alg)
         signer.update(data)
         signature = base64.b64encode(signer.finalize())
         image_props = {
             CERT_UUID: 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
             HASH_METHOD: hash_name,
             KEY_TYPE: 'DSA',
             SIGNATURE: signature
         }
         verifier = signature_utils.get_verifier(None, image_props)
         verifier.update(data)
         verifier.verify()
 def test_verify_signature_DSA(self, mock_get_pub_key):
     data = b'224626ae19824466f2a7f39ab7b80f7f'
     mock_get_pub_key.return_value = TEST_DSA_PRIVATE_KEY.public_key()
     for hash_name, hash_alg in signature_utils.HASH_METHODS.items():
         signer = TEST_DSA_PRIVATE_KEY.signer(
             hash_alg
         )
         signer.update(data)
         signature = base64.b64encode(signer.finalize())
         image_props = {CERT_UUID:
                        'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
                        HASH_METHOD: hash_name,
                        KEY_TYPE: 'DSA',
                        SIGNATURE: signature}
         verifier = signature_utils.get_verifier(None, image_props)
         verifier.update(data)
         verifier.verify()
Exemple #7
0
    def set_data(self, data, size=None):
        if size is None:
            size = 0  # NOTE(markwash): zero -> unknown size

        # Create the verifier for signature verification (if correct properties
        # are present)
        if (signature_utils.should_create_verifier(
                self.image.extra_properties)):
            # NOTE(bpoulos): if creating verifier fails, exception will be
            # raised
            verifier = signature_utils.get_verifier(
                self.context, self.image.extra_properties)
        else:
            verifier = None

        location, size, checksum, loc_meta = self.store_api.add_to_backend(
            CONF,
            self.image.image_id,
            utils.LimitingReader(utils.CooperativeReader(data),
                                 CONF.image_size_cap),
            size,
            context=self.context,
            verifier=verifier)

        self._verify_signature_if_needed(checksum)

        # NOTE(bpoulos): if verification fails, exception will be raised
        if verifier:
            try:
                verifier.verify()
                LOG.info(_LI("Successfully verified signature for image %s"),
                         self.image.image_id)
            except crypto_exception.InvalidSignature:
                raise exception.SignatureVerificationError(
                    _('Signature verification failed'))

        self.image.locations = [{
            'url': location,
            'metadata': loc_meta,
            'status': 'active'
        }]
        self.image.size = size
        self.image.checksum = checksum
        self.image.status = 'active'
Exemple #8
0
    def set_data(self, data, size=None):
        if size is None:
            size = 0  # NOTE(markwash): zero -> unknown size

        # Create the verifier for signature verification (if correct properties
        # are present)
        if (signature_utils.should_create_verifier(
                self.image.extra_properties)):
            # NOTE(bpoulos): if creating verifier fails, exception will be
            # raised
            verifier = signature_utils.get_verifier(
                self.context, self.image.extra_properties)
        else:
            verifier = None

        location, size, checksum, loc_meta = self.store_api.add_to_backend(
            CONF,
            self.image.image_id,
            utils.LimitingReader(utils.CooperativeReader(data),
                                 CONF.image_size_cap),
            size,
            context=self.context,
            verifier=verifier)

        self._verify_signature_if_needed(checksum)

        # NOTE(bpoulos): if verification fails, exception will be raised
        if verifier:
            try:
                verifier.verify()
                LOG.info(_LI("Successfully verified signature for image %s"),
                         self.image.image_id)
            except crypto_exception.InvalidSignature:
                raise exception.SignatureVerificationError(
                    _('Signature verification failed')
                )

        self.image.locations = [{'url': location, 'metadata': loc_meta,
                                 'status': 'active'}]
        self.image.size = size
        self.image.checksum = checksum
        self.image.status = 'active'