def Verify(self, pub_key):
"""Verify the data in this blob.
Args:
pub_key: The public key to use for verification.
Returns:
True when verification succeeds.
Raises:
rdfvalue.DecodeError if the data is not suitable verified.
"""
if self.digest_type != self.HashType.SHA256:
raise rdfvalue.DecodeError("Unsupported digest.")
rsa = pub_key.GetPublicKey()
result = 0
try:
result = rsa.verify(self.digest, self.signature,
DIGEST_ALGORITHM_STR)
if result != 1:
raise rdfvalue.DecodeError("Could not verify blob.")
except RSA.RSAError, e:
raise rdfvalue.DecodeError("Could not verify blob. Error: %s" % e)
def Verify(self, public_key):
"""Verify the data in this blob.
Args:
public_key: The public key to use for verification.
Returns:
True when verification succeeds.
Raises:
rdfvalue.DecodeError if the data is not suitable verified.
"""
if self.digest_type != self.HashType.SHA256:
raise rdfvalue.DecodeError("Unsupported digest.")
if self.signature_type not in [
self.SignatureType.RSA_PKCS1v15, self.SignatureType.RSA_PSS
]:
raise rdfvalue.DecodeError("Unsupported signature type.")
try:
public_key.Verify(self.data, self.signature)
except InvalidSignature as e:
raise rdfvalue.DecodeError("Could not verify blob. Error: %s" % e)
return True
def GetCN(self):
subject = self._value.subject
try:
cn_attributes = subject.get_attributes_for_oid(oid.NameOID.COMMON_NAME)
if len(cn_attributes) > 1:
raise rdfvalue.DecodeError("Cert has more than 1 CN entries.")
cn_attribute = cn_attributes[0]
except IndexError:
raise rdfvalue.DecodeError("Cert has no CN")
return cn_attribute.value
def ParseFromString(self, string):
try:
self._value = x509.load_pem_x509_certificate(
string, backend=openssl.backend)
except (ValueError, TypeError) as e:
raise rdfvalue.DecodeError("Invalid certificate %s: %s" % (string, e))
# This can also raise if there isn't exactly one CN entry.
self.GetCN()
def _GetCN(self, x509cert):
subject = x509cert.get_subject()
try:
cn_id = subject.nid["CN"]
cn = subject.get_entries_by_nid(cn_id)[0]
except IndexError:
raise rdfvalue.DecodeError("Cert has no CN")
self.common_name = rdfvalue.RDFURN(cn.get_data().as_text())
class SignedBlob(rdfvalue.RDFProtoStruct):
"""A signed blob.
The client can receive and verify a signed blob (e.g. driver or executable
binary). Once verified, the client may execute this.
"""
protobuf = jobs_pb2.SignedBlob
def Verify(self, pub_key):
"""Verify the data in this blob.
Args:
pub_key: The public key to use for verification.
Returns:
True when verification succeeds.
Raises:
rdfvalue.DecodeError if the data is not suitable verified.
"""
if self.digest_type != self.HashType.SHA256:
raise rdfvalue.DecodeError("Unsupported digest.")
rsa = pub_key.GetPublicKey()
result = 0
try:
result = rsa.verify(self.digest, self.signature,
DIGEST_ALGORITHM_STR)
if result != 1:
raise rdfvalue.DecodeError("Could not verify blob.")
except RSA.RSAError, e:
raise rdfvalue.DecodeError("Could not verify blob. Error: %s" % e)
digest = hashlib.sha256(self.data).digest()
if digest != self.digest:
raise rdfvalue.DecodeError(
"SignedBlob: Digest did not match actual data.")
if result != 1:
raise rdfvalue.DecodeError("Verification failed.")
return True
def ParseFromString(self, string):
try:
# Try to unpickle using the fast unpickler. This is the most common case.
self.data = cPickle.loads(string)
except Exception as e: # pylint: disable=broad-except
# If an error occurs we try to use the more robust version to at least
# salvage some data. This could happen if an old version of the pickle is
# stored in the data store.
self.errors = e
try:
self.data = RobustUnpickler(StringIO.StringIO(string)).load()
except Exception as e: # pylint: disable=broad-except
raise rdfvalue.DecodeError(e)
def ParseFromString(self, string):
super(RDFX509Cert, self).ParseFromString(string)
try:
self._GetCN(self.GetX509Cert())
except X509.X509Error:
raise rdfvalue.DecodeError("Cert invalid")
