def decrypt(self, buff): md = SHA256.new(buff[:-0x100]) verifier = PKCS1_v1_5.new(self._static_pubkey) if verifier.verify(md, buff[-0x100:]) == False: raise ValueError('Invalid signature in footer.') if self._pubkey is not None: md = SHA256.new(buff[:-0x200]) verifier = PKCS1_v1_5.new(self._pubkey) if verifier.verify(md, buff[-0x200:-0x100]) == False: raise ValueError('Invalid signature in footer.') buff = buff[:-0x200] nonce = array.array('I', buff[-4:]) nonce.byteswap() length = len(buff) - 4 buff = array.array('I', buff[:-4] + b'\x00' * (8 - length % 8)) buff.byteswap() counter = Counter.new(32, prefix=nonce.tostring(), initial_value=0, little_endian=True) cipher = Blowfish.new(self._key, Blowfish.MODE_CTR, counter=counter) buff = array.array('I', cipher.decrypt(buff.tostring())) buff.byteswap() buff = buff.tostring()[:length] md = buff[-20:] buff = buff[:-20] if md != hashlib.sha1(buff).digest(): raise ValueError('Invalid SHA1 hash in footer.') return buff
def testSignVerify(self): rng = Random.new().read key = RSA.generate(1024, rng) for hashmod in (MD2, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RIPEMD160): hobj = hashmod.new() hobj.update(b('blah blah blah')) signer = PKCS.new(key) signature = signer.sign(hobj) signer.verify(hobj, signature) # Blake2b has variable digest size for digest_bits in (160, 256, 384, 512): hobj = BLAKE2b.new(digest_bits=digest_bits) hobj.update(b("BLAKE2b supports several digest sizes")) signer = PKCS.new(key) signature = signer.sign(hobj) signer.verify(hobj, signature) # Blake2s too for digest_bits in (128, 160, 224, 256): hobj = BLAKE2s.new(digest_bits=digest_bits) hobj.update(b("BLAKE2s supports several digest sizes")) signer = PKCS.new(key) signature = signer.sign(hobj) signer.verify(hobj, signature)
def do(pub_key, priv_key): d = SHA.new('hello') priv = pkcs.new(priv_key) ret_sign = priv.sign(d) pub = pkcs.new(pub_key) pub.verify(d, ret_sign)
def test_rsa_verify(key=KEY, time=TIME, data=DATA): """ RSA Verify (PKCS #1 v1.5) """ time = test_time(time) mac = HMAC.new(time, data.encode("ascii"), SHA256) mac = SHA256.new(mac.digest()) key = RSA.importKey(key) sig = PKCS1_v1_5.new(key).sign(mac) return b"Yes" if PKCS1_v1_5.new(key).verify(mac, sig) else b"No"
def main(): pub_key, priv_key = load_keys() d = SHA.new(config.test_data) priv = pkcs.new(priv_key) ret_sign = priv.sign(d) pub = pkcs.new(pub_key) pub.verify(d, ret_sign)
def __init__(self, public_key_file, private_key_file): with open(public_key_file,'rb') as pkf: pubkey_string = pkf.read() self.public_key = RSA.importKey(pubkey_string) with open(private_key_file,'rb') as pkf: privkey_string = pkf.read() self.private_key = RSA.importKey(privkey_string) self.public = PKCS1_OAEP.new(self.public_key) self.private = PKCS1_OAEP.new(self.private_key) self.signer = PKCS1_v1_5.new(self.private_key) self.verifier = PKCS1_v1_5.new(self.public_key)
def runTest(self): key = RSA.importKey(PKCS1_15_NoParams.rsakey) hashed = SHA1.new(b("Test")) good_signature = PKCS1_v1_5.new(key).sign(hashed) verifier = PKCS1_v1_5.new(key.publickey()) self.assertEqual(verifier.verify(hashed, good_signature), True) # Flip a few bits in the signature bad_signature = strxor(good_signature, bchr(1) * len(good_signature)) self.assertEqual(verifier.verify(hashed, bad_signature), False)
def main_01(): def do(pub, priv): d = SHA.new('hello') ret_sign = priv.sign(d) pub.verify(d, ret_sign) pub = pkcs.new(pub_key) priv = pkcs.new(priv_key) for _ in range(config.calc_times): do(pub, priv)
def sign(xml_etree, certificate, der_key, passphrase=None, trusted=None): """ Return xmldsig XML string from xml_string of XML. :param xml_etree: etree of the xml to sign :param der_key: Private key in DER format :param certificate: publicKey Public key :returns: signed XML byte string """ # from M2Crypto import RSA as m2cryptoRSA # from M2Crypto import EVP as m2cryptoEVP # from Crypto.PublicKey import RSA as cryptoRSA # path_to_pem="/home/rovskyhp/.virtualenvs/agreement/var/tmp/tmp_60.pem" # evp = m2cryptoEVP.load_key(str(path_to_pem)).as_der() # Convert Private key (M2Crypto Object) to DER format # key = cryptoRSA.importKey(evp, passphrase='12345678a') if hasattr(certificate, 'key'): key_info_xml = _generate_key_info_xml_rsa(certificate.key.n, certificate.key.e) pubkey, hasher = certificate, Hash.SHA1 else: der_cer = certificate.as_der() key_info_xml = _generate_key_info_xml_x509(der_cer) #pubkey, hasher, serialNumber, subject = _x509_certificate(der_cer=certificate, trusted=trusted) pubkey = RSA.importKey(certificate.get_pubkey().as_der()) signed_info_xml = _generate_signed_info(xml_etree) text = c14n(signed_info_xml) key = RSA.importKey(der_key, passphrase) signer = PKCS1_v1_5.new(key) signature = signer.sign(Hash.SHA1.new(text)) verifier = PKCS1_v1_5.new(pubkey) if not verifier.verify(Hash.SHA1.new(text), signature): raise Exception("Signature verification failure!") signature_xml = PTN_SIGNATURE_XML % { 'signed_info_xml': signed_info_xml, 'signature_value': binascii.b2a_base64(signature)[:-1], 'key_info_xml': key_info_xml, } signature_etree = etree.parse(StringIO(signature_xml)) xml_etree.append(signature_etree.getroot()) return xml_etree
def test_wrong_signature(self): key = RSA.generate(1024) msg_hash = SHA1.new(b("Message")) signer = PKCS.new(key) s = signer.sign(msg_hash) verifier = PKCS.new(key.publickey()) # The signature s should be OK verifier.verify(msg_hash, s) # Construct an incorrect signature and ensure that the check fails wrong_s = s[:-1] + bchr(bord(s[-1]) ^ 0xFF) self.assertRaises(ValueError, verifier.verify, msg_hash, wrong_s)
def _get_signature_bytes(credentials, string_to_sign): """Uses crypto attributes of credentials to sign a string/bytes. :type credentials: :class:`client.SignedJwtAssertionCredentials`, :class:`service_account._ServiceAccountCredentials`, :class:`_GAECreds` :param credentials: The credentials used for signing text (typically involves the creation of an RSA key). :type string_to_sign: string :param string_to_sign: The string to be signed by the credentials. :rtype: bytes :returns: Signed bytes produced by the credentials. """ if isinstance(credentials, _GAECreds): _, signed_bytes = app_identity.sign_blob(string_to_sign) return signed_bytes else: pem_key = _get_pem_key(credentials) # Sign the string with the RSA key. signer = PKCS1_v1_5.new(pem_key) if not isinstance(string_to_sign, six.binary_type): string_to_sign = string_to_sign.encode('utf-8') signature_hash = SHA256.new(string_to_sign) return signer.sign(signature_hash)
def get_new_token(self): """ Get a new token using the email address and RSA Key. :return: Dictionary containing token information :rtype: ``dict`` """ # The header is always the same header = {'alg': 'RS256', 'typ': 'JWT'} header_enc = base64.urlsafe_b64encode(b(json.dumps(header))) # Construct a claim set claim_set = {'iss': self.user_id, 'scope': self.scopes, 'aud': 'https://accounts.google.com/o/oauth2/token', 'exp': int(time.time()) + 3600, 'iat': int(time.time())} claim_set_enc = base64.urlsafe_b64encode(b(json.dumps(claim_set))) # The message contains both the header and claim set message = b'.'.join((header_enc, claim_set_enc)) # Then the message is signed using the key supplied key = RSA.importKey(self.key) hash_func = SHA256.new(message) signer = PKCS1_v1_5.new(key) signature = base64.urlsafe_b64encode(signer.sign(hash_func)) # Finally the message and signature are sent to get a token jwt = b'.'.join((message, signature)) request = {'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion': jwt} return self._token_request(request)
def Generate(self): if not os.path.exists(self.source_dir_): print("The source directory %s is invalid." % self.source_dir_) return try: zip_file = '%s.tmp' % self.output_file_ self.__Compress(self.source_dir_, zip_file) signer = PKCS1_v1_5.new(self.RSAkey) zfile = open(zip_file, 'rb') sha = SHA.new(zfile.read()) signature = signer.sign(sha) xpk = open(self.output_file_, 'wb') zfile.seek(0) print('Generating XPK package: %s' % self.output_file_) xpk.write('\x43\x72\x57\x6B') xpk.write(struct.pack('<I', len(self.pubkey))) xpk.write(struct.pack('<I', len(signature))) xpk.write(self.pubkey) xpk.write(signature) xpk.write(zfile.read()) zfile.close() xpk.close() print('Generated new XPK package %s successfully.' % self.output_file_) except IOError: if os.path.exists(self.output_file_): os.remove(self.output_file_) traceback.print_exc() finally: if os.path.exists(zip_file): os.remove(zip_file)
def sign(message, sender_private_key): h = SHA.new(message) signer = PKCS1_v1_5.new(sender_private_key) signature = signer.sign(h) return signature
def webhooks_verify(path_pubkey, private_sign, req_data): """ path_pubkey : 公钥文件路径,内容为ping++提供的公钥(账户和设置 - Ping++ 公钥) private_sign: ping++对应的私钥签名后的字符串 req_data : 请求的json格式字符串,不要get_json(),因为会改变字段的顺序,直接获取原始字符串即可 备注:遇到一个坑,直接从官网上copy公钥时,vim保存文件时会多一个字符,导致验算不通过,推荐notepad++保存 最后一行不要有换行符 """ import base64 from Crypto.PublicKey import RSA from Crypto.Signature import PKCS1_v1_5 from Crypto.Hash import SHA256 def decode_base64(data): missing_padding = 4 - len(data) % 4 if missing_padding: data += b'='*missing_padding return base64.decodestring(data) sig = decode_base64(private_sign) req_data = req_data.encode('utf-8') digest = SHA256.new(req_data) pubkey = RSA.importKey(open(path_pubkey).read()) pkcs = PKCS1_v1_5.new(pubkey) return pkcs.verify(digest, sig)
def verify(self, msg, sig, key): h = self.digest.new(msg) verifier = PKCS1_v1_5.new(key) if verifier.verify(h, sig): return True else: raise BadSignature()
def sign_rsa_sha1(base_string, rsa_private_key): """**RSA-SHA1** Per `section 3.4.3`_ of the spec. The "RSA-SHA1" signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in `RFC3447, Section 8.2`_ (also known as PKCS#1), using SHA-1 as the hash function for EMSA-PKCS1-v1_5. To use this method, the client MUST have established client credentials with the server that included its RSA public key (in a manner that is beyond the scope of this specification). NOTE: this method requires the python-rsa library. .. _`section 3.4.3`: http://tools.ietf.org/html/rfc5849#section-3.4.3 .. _`RFC3447, Section 8.2`: http://tools.ietf.org/html/rfc3447#section-8.2 """ # TODO: finish RSA documentation from Crypto.PublicKey import RSA from Crypto.Signature import PKCS1_v1_5 from Crypto.Hash import SHA key = RSA.importKey(rsa_private_key) if isinstance(base_string, unicode_type): base_string = base_string.encode("utf-8") h = SHA.new(base_string) p = PKCS1_v1_5.new(key) return binascii.b2a_base64(p.sign(h))[:-1].decode("utf-8")
def rsa_sign(para_str): """对请求参数做rsa签名""" para_str = para_str.encode('utf-8') key = RSA.importKey(settings.ALIPAY_PRIVATE_KEY) h = SHA.new(para_str) signer = PKCS1_v1_5.new(key) return base64.b64encode(signer.sign(h))
def verify_hash(pub_algorithm_type, public_key, hash_, values): if pub_algorithm_type in (1, 3): # RSA s = long_to_bytes(values[0]) return PKCS1_v1_5.new(public_key).verify(hash_, s) elif pub_algorithm_type == 20: # ELG # TODO: Remove dependence on undocumented method sig_string = PKCS1_v1_5.EMSA_PKCS1_V1_5_ENCODE( hash_, public_key.size()) return public_key.verify(sig_string, values) elif pub_algorithm_type == 17: # DSA q = public_key.q qbits = int(math.floor(float(math.log(q, 2)))) + 1 qbytes = int(math.ceil(qbits / 8.0)) digest = hash_.digest() # Discard empty leading bytes start = 0 while digest[start] == b'\x00': start += 1 digest = digest[start:start + qbytes] return public_key.verify(bytes_to_long(digest), values) else: # TODO: complete this raise ValueError
def sign_hash(pub_algorithm_type, secret_key, hash_, k=None): if pub_algorithm_type in (1, 3): # RSA sig_string = PKCS1_v1_5.new(secret_key).sign(hash_) return (bytes_to_long(sig_string),) elif pub_algorithm_type == 20: # ELG # TODO: Should only be allowed for test purposes if k is None: while 1: # This can be pretty darn slow k = random.StrongRandom().randint(1, secret_key.p - 1) if GCD(k, secret_key.p - 1) == 1: break print(k) # TODO: Remove dependence on undocumented method sig_string = PKCS1_v1_5.EMSA_PKCS1_V1_5_ENCODE( hash_, secret_key.size()) return secret_key.sign(sig_string, k) elif pub_algorithm_type == 17: q = secret_key.q qbits = int(math.floor(float(math.log(q, 2)))) + 1 qbytes = int(math.ceil(qbits / 8.0)) if k is None: k = random.StrongRandom().randint(1, q - 1) digest = hash_.digest()[:qbytes] return secret_key.sign(bytes_to_long(digest), k) else: # TODO: complete raise ValueError
def _verify_sign(self, public_key, sign_str, sign): rsa_key = RSA.importKey(public_key) signer = PKCS1_v1_5.new(rsa_key) digest = SHA.new(sign_str) if signer.verify(digest, base64.decodestring(sign)): return True return False
def post_results(self, url, content, sign_with=None): '''Post the combined results back to the server.''' endpoint = '%s/v1/results/' % url headers = {'Content-type': 'application/json'} data = json.dumps(content) self.logger.debug('API request content: %s ' % content) if sign_with: data_hash = SHA256.new() data_hash.update(data.encode('utf-8')) with open(sign_with) as key_pair_file: try: key = RSA.importKey(key_pair_file.read()) except (IOError, ValueError) as e: self.logger.info('Error during upload key pair %s' '' % key_pair_file) self.logger.exception(e) return signer = PKCS1_v1_5.new(key) sign = signer.sign(data_hash) headers['X-Signature'] = binascii.b2a_hex(sign) headers['X-Public-Key'] = key.publickey().exportKey('OpenSSH') try: response = requests.post(endpoint, data=data, headers=headers, verify=not self.args.insecure) self.logger.info(endpoint + " Response: " + str(response.text)) except Exception as e: self.logger.info('Failed to post %s - %s ' % (endpoint, e)) self.logger.exception(e) return if response.status_code == 201: resp = response.json() print 'Test results uploaded!\nURL: %s' % resp.get('url', '')
def check_signature(baseurl, signature, data, publickey=None): if publickey == None: if baseurl in publickeys: publickey = base64.decodestring(publickeys[baseurl]) else: print >>sys.stderr, "Public key for", baseurl, \ "not found, specify key file with --publickey" # sys.exit(1) raise Exception (hash_alg, signature_alg, unpacked_signature) = decode_signature(signature) assert hash_alg == 4, \ "hash_alg is %d, expected 4" % (hash_alg,) # sha256 assert (signature_alg == 3 or signature_alg == 1), \ "signature_alg is %d, expected 1 or 3" % (signature_alg,) # ecdsa if signature_alg == 3: vk = ecdsa.VerifyingKey.from_der(publickey) vk.verify(unpacked_signature, data, hashfunc=hashlib.sha256, sigdecode=ecdsa.util.sigdecode_der) else: h = SHA256.new(data) rsa_key = RSA.importKey(publickey) verifier = PKCS1_v1_5.new(rsa_key) assert verifier.verify(h, unpacked_signature), \ "could not verify RSA signature"
def __init__(self, conf, state): """ conf -- dictionary with configuration variables state -- class object with update() function """ self.logger = conf['log'] self.maxBal = -1 self.maxVBal = -1 # highest ballot voted in self.maxVVal = None # value voted for maxVBal self.avs = [] # msg dict keyed by value self.seen = {} # 1b messages -> use to check if v is safe at b self.bmsgs = [] # log of values in 2b messages sent by this instance self.Q = None with open(conf['keyfile'], 'r') as fh: key = RSA.importKey(fh.read()) self.signer = PKCS1_v1_5.new(key) # initialize localgroup self.peers = GroupManager(conf) self.peers.init_local_group() self.state = state #self.state.groups['G1'] = self.peers self.ctx = get_ssl_context(conf['peer_certs']) self.pending = None
def _sign_request(self, info, return_urls): """Create and sign payment request data.""" # Basic fields fields = [('VK_SERVICE', u'1002'), ('VK_VERSION', u'008'), ('VK_SND_ID', self.user), ('VK_STAMP', '%d' % int(time())), ('VK_AMOUNT', info.amount), ('VK_CURR', u'EUR'), ('VK_REF', info.refnum), ('VK_MSG', info.message)] # Check whether provider supplies extra fields if hasattr(self, 'extra_fields'): fields.extend(self.extra_fields) ## MAC calculation for request 1002 m = self._build_mac(('SERVICE', 'VERSION', 'SND_ID', 'STAMP', \ 'AMOUNT', 'CURR', 'REF', 'MSG'), dict(fields)) # Append mac fields fields.append(('VK_MAC', b64encode( \ PKCS1_v1_5.new(self.keychain.private_key) .sign(SHA.new(m))))) # Append return url field(s) fields.append(('VK_RETURN', return_urls['return'])) return fields
def parse_response(self, form, success=True): """Parse and return payment response.""" fields = { # Successful payment '1101': ('SERVICE', 'VERSION', 'SND_ID', 'REC_ID', 'STAMP', # 1..5 'T_NO', 'AMOUNT', 'CURR', 'REC_ACC', 'REC_NAME', # 6..10 'SND_ACC', 'SND_NAME', 'REF', 'MSG', 'T_DATE'), # 11..15 # Unsuccessful payment '1901': ('SERVICE', 'VERSION', 'SND_ID', 'REC_ID', 'STAMP', # 1..5 'REF', 'MSG') # 6..7 } # See which response we got resp = form.get('VK_SERVICE', None) if not resp and resp not in fields: raise InvalidResponseError success = resp == '1101' Random.atfork() # Parse and validate MAC m = self._build_mac(fields[resp], form) f = lambda x: form.get('VK_%s' % x) if not PKCS1_v1_5.new(self.keychain.public_key) \ .verify(SHA.new(m), b64decode(f('MAC'))): raise InvalidResponseError # Save payment data data = {} if success: for item in ('T_NO', 'AMOUNT', 'CURR', 'REC_ACC', 'REC_NAME', 'SND_ACC', 'SND_NAME', 'REF', 'MSG', 'T_DATE'): data[item] = f(item) return PaymentResponse(self, data, success)
def sign_data(data, key_path): with open(key_path, 'r') as f: key = RSA.importKey(f.read()) signer = PKCS1_v1_5.new(key) hash = SHA.new(data) signature = signer.sign(hash) return base64.b64encode(signature)
def verify_rsa_sha1(request, rsa_public_key): """Verify a RSASSA-PKCS #1 v1.5 base64 encoded signature. Per `section 3.4.3`_ of the spec. Note this method requires the PyCrypto library. .. _`section 3.4.3`: http://tools.ietf.org/html/rfc5849#section-3.4.3 To satisfy `RFC2616 section 5.2`_ item 1, the request argument's uri attribute MUST be an absolute URI whose netloc part identifies the origin server or gateway on which the resource resides. Any Host item of the request argument's headers dict attribute will be ignored. .. _`RFC2616 section 5.2`: http://tools.ietf.org/html/rfc2616#section-5.2 """ from Crypto.PublicKey import RSA from Crypto.Signature import PKCS1_v1_5 from Crypto.Hash import SHA key = RSA.importKey(rsa_public_key) norm_params = normalize_parameters(request.params) uri = normalize_base_string_uri(request.uri) message = construct_base_string(request.http_method, uri, norm_params) h = SHA.new(message.encode('utf-8')) p = PKCS1_v1_5.new(key) sig = binascii.a2b_base64(request.signature.encode('utf-8')) return p.verify(h, sig)
def sign(cls, string): """Returns the signature of a string. This signature is generated using the singleton private key, then base64-encoded. It's of the form expected by Google Cloud Storage query string authentication. See https://developers.google.com/storage/docs/accesscontrol#Signed-URLs. """ # All Google API keys have "notasecret" as their passphrase value = cls.get_oauth() if value is None: raise "Private key has not been set." if handlers.is_production(): # TODO(nweiz): This currently doesn't work on the development server # without adding 'AESCipher', 'blockalgo', and '_AES' to the # __CRYPTO_CIPHER_ALLOWED_MODULES constant in # google/appengine/tools/dev_appserver_import_hook.py. However, it # does work in production, so to make it work locally, we just do a # dumb hash of the private key and the string. # # See http://code.google.com/p/googleappengine/issues/detail?id=8188 key = RSA.importKey(value, passphrase='notasecret') return base64.b64encode(PKCS1_v1_5.new(key).sign(SHA256.new(string))) else: m = hashlib.md5() m.update(value) m.update(string) return base64.b64encode(m.digest())
def sign_file(f): # TODO: For Part 2, you'll use public key crypto here # The existing scheme just ensures the updates start with the line 'Caesar' # This is naive -- replace it with something better! # Generate key pairs key = RSA.generate(2048) # Export public key to file export_pukey = key.publickey().exportKey('PEM') publickey_file = open(os.path.join("pastebot.net", "publickey"), "wb") publickey_file.write(export_pukey) publickey_file.close() # Create RSA object from public key publickey_file = open(os.path.join("pastebot.net", "publickey"), "rb").read() public_key = RSA.importKey(publickey_file) # Hash message hashed_m = SHA256.new(f) # Encrypt message using public key cipher = PKCS1_cipher.new(public_key) ciphertext = cipher.encrypt(f+hashed_m.digest()) # Export private key to be prefixed to ciphertext export_prkey = key.exportKey('PEM') # Sign message using private key prkey = RSA.importKey(export_prkey) signer = PKCS1_v1_5.new(prkey) signature = signer.sign(hashed_m) # Return private key and ciphertext, as well as signature separately return export_prkey + b"\n" + ciphertext, signature
def rsa_sign(s, key, mod=SHA256): key = RSA.importKey(key) hash = mod.new(s) return PKCS1_v1_5_SIG.new(key).sign(hash)
def update(): #print "got form",request.form validate_uuid = UUID(request.form['uuid']) uuid = str(validate_uuid) session = ws.hashlib.sha256(config.SESSION_SECRET + uuid).hexdigest() email = request.form['email'] if 'email' in request.form else None wallet = request.form['wallet'] if 'wallet' in request.form else None secret = request.form['mfasecret'] if 'mfasecret' in request.form else None token = request.form['mfatoken'] if 'mfatoken' in request.form else None action = request.form['mfaaction'] if 'mfaaction' in request.form else None question = unicode( str(request.form['question'])[:64], errors='replace') if 'question' in request.form else None answer = unicode(str(request.form['answer'])[:32], errors='replace') if 'answer' in request.form else None if config.LOCALDEVBYPASSDB: session_challenge = session + "_challenge" session_pubkey = session + "_public_key" if session_challenge not in session_store: print 'Challenge not in session' abort(403) if session_pubkey not in session_store: print 'Public key not in session' abort(403) challenge = session_store.get(session_challenge) signature = request.form['signature'] pubkey = session_store.get(session_pubkey) key = RSA.importKey(pubkey) h = SHA.new(challenge) verifier = PKCS1_v1_5.new(key) if not verifier.verify(h, signature.decode('hex')): print 'Challenge signature not verified' abort(403) session_store.delete(session_challenge) else: ROWS = dbSelect( "select challenge,pubkey from sessions where sessionid=%s", [session]) if len(ROWS) == 0 or ROWS[0][0] == None: print 'Challenge not in session' abort(403) if len(ROWS) == 0 or ROWS[0][1] == None: print 'Public key not in session' abort(403) challenge = ROWS[0][0] signature = request.form['signature'] pubkey = ROWS[0][1] key = RSA.importKey(pubkey) h = SHA.new(challenge) verifier = PKCS1_v1_5.new(key) if not verifier.verify(h, signature.decode('hex')): print 'Challenge signature not verified' abort(403) dbExecute( "update sessions set challenge=NULL, timestamp=DEFAULT where sessionid=%s", [session]) dbCommit() ret = False if wallet != None: if email != None: ret = write_wallet(uuid, wallet, email) else: ret = write_wallet(uuid, wallet) elif None not in [token, action]: ret = update_mfa(uuid, token, action, secret) if ret and action == 'add': data = {'question': question, 'answer': answer} encdata = encrypt_value(json.dumps(data)) if encdata[0]: if not (set_setting(uuid, 'asq', encdata[1])): print "Error setting ASQ:", uuid, encdata else: print "Error setting ASQ:", uuid, data, encdata response = {'updated': ret} print response return jsonify(response)
def verify(self, msg, sig): try: return PKCS1_v1_5.new(self.prepared_key).verify( self.hash_alg.new(msg), sig) except Exception as e: return False
def _download_manifest_info(self): """Download and cache the manifest information.""" self.template = requests.get(settings.fake_manifest.url).content self.signing_key = requests.get(settings.fake_manifest.key_url).content self.signature = PKCS1_v1_5.new(RSA.importKey(self.signing_key))
from Crypto.Signature import PKCS1_v1_5 from Crypto.Hash import SHA from Crypto.PublicKey import RSA message = open('./signingText').read() key = RSA.importKey(open('private.pem').read()) h = SHA.new(message) signer = PKCS1_v1_5.new(key) signature = signer.sign(h) open('./pycryptoSignature', 'w').write(signature) key = RSA.importKey(open('public.pem').read()) h = SHA.new(message) verifier = PKCS1_v1_5.new(key) if verifier.verify(h, signature): print "The signature is authentic." else: print "The signature is not authentic."
encrypted_message = json.dumps(encrypted_message).encode('utf-8') encryptor = PKCS1_OAEP.new(pubKey) encrypted = encryptor.encrypt(encrypted_message) # Example signed message message_to_sign = { 'auth': auth_token.decode('utf-8'), 'patient_info': patient_info, 't_start': t_start } message_to_sign = json.dumps(message_to_sign).encode('utf-8') digest = SHA256.new() digest.update(message_to_sign) signer = PKCS1_v1_5.new(keyPair) signed_message = signer.sign(digest) breakglass_validation_time = {} SECRET_KEY = settings.SECRET_KEY for i in range(100000): start = timer() # RA must verify the signature verifier = PKCS1_v1_5.new(pubKey) verified = verifier.verify(digest, signed_message) # Decrypt the message and the token, to retrieve the team and patient info decryptor = PKCS1_OAEP.new(keyPair)
def sign(self, msg): try: return PKCS1_v1_5.new(self.prepared_key).sign( self.hash_alg.new(msg)) except Exception as e: raise JWKError(e)
dec_session_key = rsa_cipher.decrypt(enc_session_key) #Decrypt encrypted signed message iv = Random.new().read(AES.block_size) aes_cipher = AES.new(dec_session_key, AES.MODE_CFB, iv) dec_signed_msg =aes_cipher.decrypt(enc_message) ret = str(dec_signed_msg) dec_signed_msg = ret[AES.block_size:] # Verify Signature message = dec_signed_msg.split(delimiter)[0] signature = dec_signed_msg.split(delimiter)[1] s_public_key = RSA.importKey(open('server_pubkey.pem').read()) message_hash = SHA256.new(message) verifier = PKCS1_v1_5.new(s_public_key) if verifier.verify(message_hash, signature): print "The signature is authentic." print("Data Received:") print(message) else: print "The signature is not authentic." f.write(data) except: pass f.close() if data != "nill" : print('Successfully got the file') sock.close() print('connection closed')
print(type(private_key)) msg = b"secrect" digest = SHA512.new() print("digest: ", digest) digest.update(msg) print("digest update : ", digest) # msg = hashlib.sha512(msg).digest() # print("msg : ",digest.digest()) with open('msg.txt', 'wb') as f: f.write(msg) with open('message.txt', 'wb') as f: f.write(digest.digest()) signer = PKCS1_v1_5.new(private_key) sig = signer.sign(digest) # encrypt text with privateKey # cipher = private_key.encrypt( # msg, # padding.OAEP( # mgf=padding.MGF1( # algorithm=hashes.SHA512()), # algorithm=hashes.SHA512(), # label=None # ) # ) # cipher = private_key.sign( # msg,
def verify_file_signature(hash_value, signature_bin, publicrsa_key): verifier = PKCS1_v1_5.new(publicrsa_key) if verifier.verify(hash_value, signature_bin): return True else: return False
'patient_id' : patient_id, 'team_id' : team_id, 't_rev' : t_rev } message = json.dumps(message).encode('utf-8') encryptor = PKCS1_OAEP.new(pubKey) encrypted = encryptor.encrypt(message) # Example sign message message_to_sign = { 'auth_token' : auth_token.decode('utf-8'), 'request' : "RevokeTeam", 'patient_id' : patient_id, 'team_id' : team_id, 't_rev' : t_rev } message = json.dumps(message_to_sign).encode('utf-8') digest = SHA256.new() digest.update(message) signer = PKCS1_v1_5.new(keyPair) sig = signer.sign(digest) enc_and_sign_time[i] = round(timer() - start, 7) with open('m10_100K.json', 'w') as f: json.dump(enc_and_sign_time, f)
def miner(privatekey_readable, public_key_hashed, address, miners, resultQueue): from Crypto.PublicKey import RSA Random.atfork() key = RSA.importKey(privatekey_readable) rndfile = Random.new() tries = 0 firstrun = True begin = time.time() if pool_conf == 1: #do not use pools public key to sign, signature will be invalid self_address = address address = pool_address #ask for diff percentage s_pool = socks.socksocket() s_pool.settimeout(0.3) if tor_conf == 1: s_pool.setproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050) s_pool.connect((pool_ip_conf, 8525)) # connect to pool print("Connected") print( "Miner: Asking pool for share qualification difficulty requirement" ) connections.send(s_pool, "diffp", 10) pool_diff_percentage = int(connections.receive(s_pool, 10)) print( "Miner: Received pool for share qualification difficulty requirement: {}%" .format(pool_diff_percentage)) s_pool.close() #ask for diff percentage q = 0 # OpenCL Hash parameters for m in miners: m.setHeader(address.encode('utf-8')) db_block_hash = "" diff = 0 old_hashes = [] # OpenCL Hash parameters start = time.time() while True: try: # OpenCL Hash parameters old_diff = diff old_db = db_block_hash # OpenCL Hash parameters # calculate new hash nonces = 0 # calculate difficulty s_node = socks.socksocket() if tor_conf == 1: s_node.setproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050) s_node.connect((node_ip_conf, int(port))) # connect to local node connections.send(s_node, "blocklast", 10) blocklast = connections.receive(s_node, 10) db_block_hash = blocklast[7] connections.send(s_node, "diffget", 10) diff = connections.receive(s_node, 10) s_node.close() diff = int(diff[1]) diff_real = int(diff) if pool_conf == 0: diff = int(diff) else: # if pooled diff_pool = diff_real diff = percentage(pool_diff_percentage, diff_real) if diff > diff_pool: diff = diff_pool mining_condition = bin_convert(db_block_hash)[0:diff] # block_hash = hashlib.sha224(str(block_send) + db_block_hash).hexdigest() # OpenCL Hash parameters if old_db == db_block_hash: if old_diff > diff: for hash in old_hashes: resultQueue.pushCandidate([hash, 0]) else: old_hashes = [] if opencl_full_check == 1: searchKey = np.uint32(int(diff)) print("Difficulty: {}".format(searchKey)) else: searchKey = np.uint32(int(db_block_hash[:8], 16)) print("Search key: {:x}".format(searchKey)) for m in miners: m.setTail(db_block_hash.encode('utf-8')) m.setKernelParams(searchKey) m.startMining() elapsed = 0 # OpenCL Hash parameters while True: cand, onlist = resultQueue.getNextCandidate(opencl_timeout - elapsed) end = time.time() if cand is None: print("Thread{} {} @ Update blockchain (timeout {} sec)". format(q, db_block_hash[:10], opencl_timeout)) break candidate = cand[0] old_hashes.append(candidate) q = cand[1] elapsed += (end - start) print( "Thread{} {} @ {:,.4f} sec to find a candidate ({} waiting to process)" .format(q, db_block_hash[:10], end - start, onlist)) start = time.time() nonce = candidate.tobytes('C').hex() np.set_printoptions(formatter={'int': hex}) print("(python) Nonce: {}".format(nonce)) seeder = db_block_hash.encode("utf-8") print("(python) Seeder: {}".format(seeder)) debug_hash = hashlib.sha224( (address + nonce + db_block_hash).encode("utf-8")).hexdigest() print("(python) Hash : {}".format(debug_hash)) print("(python) address: {}".format(address)) print("(python) mining_condition: {}".format( db_block_hash[0:int(diff / 8) + 1])) mining_condition = bin_convert(db_block_hash)[0:diff] mining_hash = bin_convert( hashlib.sha224( (address + nonce + db_block_hash).encode("utf-8")).hexdigest()) tries = tries + 1 print("Hashrate: {} hash/sec".format( tries * opencl_hash_count / elapsed)) #print(mining_hash) #print(mining_condition) if mining_condition in mining_hash: print("Thread {} found a good block hash in {} cycles". format(q, tries)) tries = 0 # serialize txs block_send = [] del block_send[:] # empty removal_signature = [] del removal_signature[:] # empty s_node = socks.socksocket() if tor_conf == 1: s_node.setproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050) s_node.connect((node_ip_conf, int(port))) # connect to config.txt node connections.send(s_node, "mpget", 10) data = connections.receive(s_node, 10) s_node.close() if data != "[]": mempool = data for mpdata in mempool: transaction = (str(mpdata[0]), str(mpdata[1][:56]), str(mpdata[2][:56]), '%.8f' % float(mpdata[3]), str(mpdata[4]), str(mpdata[5]), str(mpdata[6]), str(mpdata[7]) ) # create tuple # print transaction block_send.append( transaction ) # append tuple to list for each run removal_signature.append( str(mpdata[4] )) # for removal after successful mining # claim reward block_timestamp = '%.2f' % time.time() transaction_reward = (str(block_timestamp), str(address[:56]), str(address[:56]), '%.8f' % float(0), "0", str(nonce) ) # only this part is signed! # print transaction_reward h = SHA.new(str(transaction_reward).encode("utf-8")) signer = PKCS1_v1_5.new(key) signature = signer.sign(h) signature_enc = base64.b64encode(signature) if signer.verify(h, signature) == True: print("Signature valid") block_send.append( (str(block_timestamp), str(address[:56]), str(address[:56]), '%.8f' % float(0), str(signature_enc.decode("utf-8")), str(public_key_hashed), "0", str(nonce), db_block_hash)) # mining reward tx #print("Block to send: {}".format(block_send)) if not any( isinstance(el, list) for el in block_send ): # if it's not a list of lists (only the mining tx and no others) new_list = [] new_list.append(block_send) block_send = new_list # make it a list of lists # claim reward # include data # submit mined block to node if sync_conf == 1: check_uptodate(300) if pool_conf == 1: #mining_condition = bin_convert(db_block_hash)[0:diff_real] #if mining_condition in mining_hash: # print("Miner: Submitting block to all nodes, because it satisfies real difficulty too") # threading.Thread( target=nodes_block_submit, args=(block_send, ) ).start() try: s_pool = socks.socksocket() s_pool.settimeout(0.3) if tor_conf == 1: s_pool.setproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050) s_pool.connect( (pool_ip_conf, 8525)) # connect to pool print("Connected") print( "Miner: Proceeding to submit mined block to pool" ) connections.send(s_pool, "block", 10) connections.send(s_pool, self_address, 10) connections.send(s_pool, block_send, 10) s_pool.close() print("Miner: Block submitted to pool") except Exception as e: print("Miner: Could not submit block to pool") pass if pool_conf == 0: threading.Thread(target=nodes_block_submit, args=(block_send, )).start() else: print("Invalid signature") except Exception as e: print(e) time.sleep(0.1) if debug_conf == 1: raise else: pass
def applyCertificateChain(self, message, PKI_object): hash_message = SHA256.new(message) signature = PKCS1_v1_5.new(self.key).sign(hash_message) return PKI_object.applyCertificateChain(message, self.publicKey, signature)
def rsa_verify(s, key, sig, mod=SHA256): key = RSA.importKey(key) hash = mod.new(s) return PKCS1_v1_5_SIG.new(key).verify(hash, sig)
def applyToRootCA(self, message, intermedia): hash_message = SHA256.new(message); signature = PKCS1_v1_5.new(self.key).sign(hash_message) return intermedia.applyCertificateChain(message, self.publicKey, signature)
def sign_transaction(self): private_key = RSA.importKey(binascii.unhexlify( self.sender_private_key)) signer = PKCS1_v1_5.new(private_key) h = SHA.new(str(self.to_dict()).encode('utf8')) return binascii.hexlify(signer.sign(h)).decode('ascii')
def get_sha512_signature (private_key): global hash signer = PKCS1_v1_5.new(private_key) #signature = signer.sign(hash) return signer.sign(hash)
def applyCertificateChain(self, message, public_key, signature): hash_message = SHA256.new(message); verified = PKCS1_v1_5.new(public_key).verify(hash_message, signature) if verified == True: return self.generateCertiChain(public_key);
def rsaSign(key, message): h = SHA256.new(str(message).encode('ascii')) signer = PKCS1_v1_5.new(key) return signer.sign(h)
def rsaVerify(key, message, signature): h = SHA256.new(str(message).encode('ascii')) verifier = PKCS1_v1_5.new(key) return verifier.verify(h, signature)
def sign(message, priv_key): global hash signer = PKCS1_v1_5.new(priv_key) digest = SHA256.new() digest.update(message) return b64encode(signer.sign(digest))
def verify(message, signature, pub_key): signer = PKCS1_v1_5.new(pub_key) digest = SHA256.new() digest.update(message) return signer.verify(digest, b64decode(signature))
def sign(self, msg, key): h = self.digest.new(msg) signer = PKCS1_v1_5.new(key) return signer.sign(h)
def __init__(self): random = Crypto.Random.new().read self._private_key = RSA.generate(1024, random) self._public_key = self._private_key.publickey() self._signer = PKCS1_v1_5.new(self._private_key)
def query(action=None, command=None, args=None, method='GET', location=None, data=None): ''' Make a web call to Joyent ''' user = config.get_cloud_config_value('user', get_configured_provider(), __opts__, search_global=False) password = config.get_cloud_config_value('password', get_configured_provider(), __opts__, search_global=False) verify_ssl = config.get_cloud_config_value('verify_ssl', get_configured_provider(), __opts__, search_global=False, default=True) ssh_keyfile = config.get_cloud_config_value('private_key', get_configured_provider(), __opts__, search_global=False, default=True) ssh_keyname = config.get_cloud_config_value('keyname', get_configured_provider(), __opts__, search_global=False, default=True) if not location: location = get_location() api_host_suffix = config.get_cloud_config_value( 'api_host_suffix', get_configured_provider(), __opts__, search_global=False, default=JOYENT_API_HOST_SUFFIX) path = get_location_path(location=location, api_host_suffix=api_host_suffix) if action: path += action if command: path += '/{0}'.format(command) log.debug('User: \'{0}\' on PATH: {1}'.format(user, path)) timenow = datetime.datetime.utcnow() timestamp = timenow.strftime('%a, %d %b %Y %H:%M:%S %Z').strip() with salt.utils.fopen(ssh_keyfile, 'r') as kh_: rsa_key = RSA.importKey(kh_) rsa_ = PKCS1_v1_5.new(rsa_key) hash_ = SHA256.new() hash_.update(timestamp) signed = base64.b64encode(rsa_.sign(hash_)) keyid = '/{0}/keys/{1}'.format(user, ssh_keyname) headers = { 'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Api-Version': JOYENT_API_VERSION, 'Date': timestamp, 'Authorization': 'Signature keyId="{0}",algorithm="rsa-sha256" {1}'.format( keyid, signed), } if not isinstance(args, dict): args = {} # post form data if not data: data = json.dumps({}) return_content = None result = salt.utils.http.query( path, method, params=args, header_dict=headers, data=data, decode=False, text=True, status=True, headers=True, verify_ssl=verify_ssl, opts=__opts__, ) log.debug('Joyent Response Status Code: {0}'.format(result['status'])) if 'Content-Length' in result['headers']: content = result['text'] return_content = yaml.safe_load(content) return [result['status'], return_content]
def send(amount_input, recipient_input, keep_input, openfield_input): try: key except: top5 = Toplevel() top5.title("Locked") Label(top5, text="Wallet is locked", width=20).grid(row=0, pady=0) done = Button(top5, text="Cancel", command=top5.destroy) done.grid(row=1, column=0, sticky=W + E, padx=15, pady=(5, 5)) app_log.info("Received tx command") try: float(amount_input) except: top7 = Toplevel() top7.title("Invalid amount") Label(top7, text="Amount must be a number", width=20).grid(row=0, pady=0) done = Button(top7, text="Cancel", command=top7.destroy) done.grid(row=1, column=0, sticky=W + E, padx=15, pady=(5, 5)) if encode_var.get() == 1: openfield_input = str(base64.b64encode(openfield_input)) # alias check if alias_cb_var.get() == 1: conn = sqlite3.connect('static/ledger.db') conn.text_factory = str c = conn.cursor() c.execute( "SELECT address FROM transactions WHERE openfield = ? ORDER BY block_height ASC, timestamp ASC LIMIT 1;", ("alias=" + recipient_input, )) #asc for first entry recipient_input = c.fetchone()[0] conn.close() app_log.info("Fetched the following alias recipient: {}".format( recipient_input)) # alias check if len(recipient_input) != 56: top6 = Toplevel() top6.title("Invalid address") Label(top6, text="Wrong address length", width=20).grid(row=0, pady=0) done = Button(top6, text="Cancel", command=top6.destroy) done.grid(row=1, column=0, sticky=W + E, padx=15, pady=(5, 5)) else: app_log.info("Amount: {}".format(amount_input)) app_log.info("Recipient: {}".format(recipient_input)) app_log.info("Keep Forever: {}".format(keep_input)) app_log.info("OpenField Data: {}".format(openfield_input)) timestamp = '%.2f' % time.time() transaction = (timestamp, address, recipient_input, '%.8f' % float(amount_input), keep_input, openfield_input) #this is signed #print transaction h = SHA.new(str(transaction)) signer = PKCS1_v1_5.new(key) signature = signer.sign(h) signature_enc = base64.b64encode(signature) app_log.info("Client: Encoded Signature: {}".format(signature_enc)) verifier = PKCS1_v1_5.new(key) if verifier.verify(h, signature) == True: if float(amount_input) < 0: app_log.info( "Client: Signature OK, but cannot use negative amounts") elif (float(amount_input) > float(balance)): app_log.info("Mempool: Sending more than owned") else: app_log.info( "Client: The signature is valid, proceeding to save transaction, signature, new txhash and the public key to mempool" ) mempool = sqlite3.connect('mempool.db') mempool.text_factory = str m = mempool.cursor() m.execute("INSERT INTO transactions VALUES (?,?,?,?,?,?,?,?)", (timestamp, address, recipient_input, '%.8f' % float(amount_input), signature_enc, public_key_hashed, keep_input, openfield_input)) mempool.commit() # Save (commit) the changes mempool.close() app_log.info( "Client: Mempool updated with a received transaction") #refresh() experimentally disabled else: app_log.info("Client: Invalid signature") #enter transaction end refresh()
def Sign(self, data): h = FakeSHA1(data) return PKCS1_v1_5.new(self.rsa_key).sign(h)
def base64sign(plaintext, private_key): """Function used to sign the URLs.""" shahash = SHA256.new(plaintext.encode('utf8')) signer = PKCS1_v1_5.new(private_key) signature_bytes = signer.sign(shahash) return base64.b64encode(signature_bytes)
save_to_file('encodemessage.txt', cipher_text) #ghost使用自己的私钥对内容进行解密 with open('ghost-private.pem') as f: key = f.read() rsakey = RSA.importKey(key) cipher = Cipher_pkcs1_v1_5.new(rsakey) text = cipher.decrypt(base64.b64decode(cipher_text), random_generator) print text #master使用自己的公钥对内容进行签名 with open('master-private.pem') as f: key = f.read() rsakey = RSA.importKey(key) signer = Signature_pkcs1_v1_5.new(rsakey) digest = SHA.new() digest.update(message) sign = signer.sign(digest) signature = base64.b64encode(sign) save_to_file('signer.txt', signature) ''' #验证签名 with open('master-public.pem')as f: key=f.read() rsakey=RSA.importKey(key) verifier=Signature_pkcs1_v1_5.new(rsakey) digest-SHA.new() #假定数据是基于base64编码的 digest.update(message) is_verify=signer.verify(digest,base64.b64decode(signature))
def send(amount_input, recipient_input, keep_input, openfield_input): try: key except: top5 = Toplevel() top5.title("Locked") Label(top5, text="Wallet is locked", width=20).grid(row=0, pady=0) done = Button(top5, text="Cancel", command=top5.destroy) done.grid(row=1, column=0, sticky=W + E, padx=15, pady=(5, 5)) app_log.warning("Received tx command") try: float(amount_input) except: top7 = Toplevel() top7.title("Invalid amount") Label(top7, text="Amount must be a number", width=20).grid(row=0, pady=0) done = Button(top7, text="Cancel", command=top7.destroy) done.grid(row=1, column=0, sticky=W + E, padx=15, pady=(5, 5)) # alias check # alias check if len(recipient_input) != 56: top6 = Toplevel() top6.title("Invalid address") Label(top6, text="Wrong address length", width=20).grid(row=0, pady=0) done = Button(top6, text="Cancel", command=top6.destroy) done.grid(row=1, column=0, sticky=W + E, padx=15, pady=(5, 5)) else: app_log.warning("Amount: {}".format(amount_input)) app_log.warning("Recipient: {}".format(recipient_input)) app_log.warning("Keep Forever: {}".format(keep_input)) app_log.warning("OpenField Data: {}".format(openfield_input)) timestamp = '%.2f' % time.time() transaction = (str(timestamp), str(myaddress), str(recipient_input), '%.8f' % float(amount_input), str(keep_input), str(openfield_input)) # this is signed h = SHA.new(str(transaction).encode("utf-8")) signer = PKCS1_v1_5.new(key) signature = signer.sign(h) signature_enc = base64.b64encode(signature) app_log.warning("Client: Encoded Signature: {}".format( signature_enc.decode("utf-8"))) verifier = PKCS1_v1_5.new(key) if verifier.verify(h, signature) == True: fee = fee_calculate(openfield_input, keep_var.get()) if float(amount_input) < 0: app_log.warning( "Client: Signature OK, but cannot use negative amounts") elif (float(amount_input) + float(fee) > float(balance)): app_log.warning("Mempool: Sending more than owned") else: app_log.warning( "Client: The signature is valid, proceeding to save transaction, signature, new txhash and the public key to mempool" ) # print(str(timestamp), str(address), str(recipient_input), '%.8f' % float(amount_input),str(signature_enc), str(public_key_hashed), str(keep_input), str(openfield_input)) tx_submit = (str(timestamp), str(myaddress), str(recipient_input), '%.8f' % float(amount_input), str(signature_enc.decode("utf-8")), str(public_key_hashed.decode("utf-8")), str(keep_input), str(openfield_input)) while True: connections.send(s, "mpinsert", 10) connections.send( s, [tx_submit], 10 ) # change address here to view other people's transactions reply = connections.receive(s, 10) app_log.warning("Client: {}".format(reply)) break else: app_log.warning("Client: Invalid signature")