Esempio n. 1
  def test_get_hashing_class(self):
    """Check that get_hashing_class maps supported ids and rejects others."""
    # Every supported hashing id must resolve to its matching hashing class
    expected_classes = [hashing.SHA1, hashing.SHA256, hashing.SHA512]
    supported_ids = [SHA1, SHA256, SHA512]
    for hashing_id, expected_class in zip(supported_ids, expected_classes):
      self.assertEqual(get_hashing_class(hashing_id), expected_class)

    # An id outside the supported set must be refused with ValueError
    # instead of being mapped to some default algorithm
    with self.assertRaises(ValueError):
      get_hashing_class("bogus_hashing_id")
Esempio n. 2
def verify_signature(signature_object, pubkey_info, content,
    hash_algorithm_id):
  """
  <Purpose>
    Check an OpenPGP signature over the passed content with the passed
    ED25519 public key, using pyca/cryptography.

  <Arguments>
    signature_object:
            A signature dictionary as specified by
            securesystemslib.formats.GPG_SIGNATURE_SCHEMA

    pubkey_info:
            The ED25519 public key info dictionary as specified by
            securesystemslib.formats.GPG_ED25519_PUBKEY_SCHEMA

    content:
            The signed bytes against which the signature is verified

    hash_algorithm_id:
            one of SHA1, SHA256, SHA512 (see securesystemslib.gpg.constants)
            used to verify the signature
            NOTE: Overrides any hash algorithm specification in "pubkey_info"'s
            "hashes" or "method" fields.
            NOTE(review): SHA1 is accepted here although it is no longer
            collision resistant; callers that choose the algorithm should
            prefer SHA256 or SHA512.

  <Exceptions>
    securesystemslib.exceptions.FormatError if:
      signature_object does not match securesystemslib.formats.GPG_SIGNATURE_SCHEMA
      pubkey_info does not match securesystemslib.formats.GPG_ED25519_PUBKEY_SCHEMA

    securesystemslib.exceptions.UnsupportedLibraryError if:
      the cryptography module is unavailable

    ValueError:
      if the passed hash_algorithm_id is not supported (see
      securesystemslib.gpg.util.get_hashing_class)

  <Returns>
    True if signature verification passes and False otherwise.
    Only a cryptographically invalid signature yields False; malformed
    input surfaces as one of the exceptions above, so callers must treat
    an exception as a failed verification too.

  """
  if not CRYPTO: # pragma: no cover
    raise exceptions.UnsupportedLibraryError(NO_CRYPTO_MSG)

  # Reject malformed input before any key material is built from it
  formats.GPG_SIGNATURE_SCHEMA.check_match(signature_object)
  formats.GPG_ED25519_PUBKEY_SCHEMA.check_match(pubkey_info)

  hash_class = gpg_util.get_hashing_class(hash_algorithm_id)
  public_key = create_pubkey(pubkey_info)

  # The value that was signed is the digest over the content and the hashed
  # signature headers, see RFC4880-bis8 14.8. EdDSA and 5.2.4
  # "Computing Signatures"
  signed_headers = binascii.unhexlify(signature_object["other_headers"])
  message_digest = gpg_util.hash_object(signed_headers, hash_class(), content)

  raw_signature = binascii.unhexlify(signature_object["signature"])
  try:
    public_key.verify(raw_signature, message_digest)
  except InvalidSignature:
    return False

  return True
Esempio n. 3
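def verify_signature(signature_object, pubkey_info, content,
                     hash_algorithm_id):
    """
    <Purpose>
      Verify the passed signature against the passed content with the passed
      RSA public key using pyca/cryptography.

      The passed signature_object is not modified: zero-padding of the
      signature is applied to a local copy of the hex string only.

    <Arguments>
      signature_object:
              A signature dictionary as specified by
              securesystemslib.formats.GPG_SIGNATURE_SCHEMA

      pubkey_info:
              The RSA public key info dictionary as specified by
              securesystemslib.formats.GPG_RSA_PUBKEY_SCHEMA

      content:
              The signed bytes against which the signature is verified

      hash_algorithm_id:
              one of SHA1, SHA256, SHA512 (see securesystemslib.gpg.constants)
              used to verify the signature
              NOTE: Overrides any hash algorithm specification in
              "pubkey_info"'s "hashes" or "method" fields.
              NOTE(review): SHA1 is accepted here although it is no longer
              collision resistant; callers that choose the algorithm should
              prefer SHA256 or SHA512.

    <Exceptions>
      securesystemslib.exceptions.FormatError if:
        signature_object does not match
        securesystemslib.formats.GPG_SIGNATURE_SCHEMA,
        pubkey_info does not match
        securesystemslib.formats.GPG_RSA_PUBKEY_SCHEMA

      securesystemslib.exceptions.UnsupportedLibraryError if:
        the cryptography module is unavailable

      ValueError:
        if the passed hash_algorithm_id is not supported (see
        securesystemslib.gpg.util.get_hashing_class)

    <Returns>
      True if signature verification passes and False otherwise.
      Only a cryptographically invalid signature yields False; malformed
      input surfaces as one of the exceptions above, so callers must treat
      an exception as a failed verification too.

    """
    if not CRYPTO:  # pragma: no cover
        raise exceptions.UnsupportedLibraryError(NO_CRYPTO_MSG)

    # Reject malformed input before any key material is built from it
    formats.GPG_SIGNATURE_SCHEMA.check_match(signature_object)
    formats.GPG_RSA_PUBKEY_SCHEMA.check_match(pubkey_info)

    hasher = gpg_util.get_hashing_class(hash_algorithm_id)

    pubkey_object = create_pubkey(pubkey_info)

    # Zero-pad the signature due to a discrepancy between the openssl backend
    # and the gnupg interpretation of PKCSv1.5. Read more at:
    # https://github.com/in-toto/in-toto/issues/171#issuecomment-440039256
    # The branch is excluded from coverage because whether padding is needed
    # depends on the signature value, so it cannot be tested
    # deterministically.
    # The padding is done on a local string so that verifying a signature
    # never rewrites the caller's signature_object.
    signature_hex = signature_object['signature']
    pubkey_length = len(pubkey_info['keyval']['public']['n'])
    signature_length = len(signature_hex)
    if pubkey_length != signature_length:  # pragma: no cover
        # A signature longer than the modulus gets an empty pad ("0" times a
        # negative count) and is left for verify() to reject.
        zero_pad = "0" * (pubkey_length - signature_length)
        signature_hex = "{}{}".format(zero_pad, signature_hex)

    # The value that was signed is the digest over the content and the
    # hashed signature headers
    digest = gpg_util.hash_object(
        binascii.unhexlify(signature_object['other_headers']), hasher(),
        content)

    try:
        # The digest is already computed, hence Prehashed with the same
        # hash algorithm
        pubkey_object.verify(binascii.unhexlify(signature_hex),
                             digest, padding.PKCS1v15(),
                             utils.Prehashed(hasher()))
    except InvalidSignature:
        return False

    return True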