def test_basic_ops(self): msg = 'this is a message' priv = signer.generate_privkey() pub = signer.generate_pubkey(priv) sig = signer.sign(msg, priv) ver = signer.verify(msg, sig, pub) self.assertTrue(ver)
def validate_batch(batch): # validate batch signature header = BatchHeader() header.ParseFromString(batch.header) valid = signing.verify(batch.header, batch.header_signature, header.signer_pubkey) if not valid: LOGGER.debug("batch failed signature validation: %s", batch.header_signature) # validate all transactions in batch total = len(batch.transactions) index = 0 while valid and index < total: txn = batch.transactions[index] valid = validate_transaction(txn) if valid: txn_header = TransactionHeader() txn_header.ParseFromString(txn.header) if txn_header.batcher_pubkey != header.signer_pubkey: LOGGER.debug( "txn batcher pubkey does not match signer" "pubkey for batch: %s txn: %s", batch.header_signature, txn.header_signature) valid = False index += 1 return valid
def _verify_block_signature(self, blkw): """ Verify a block is properly signed. :param blkw: the block to verify :return: Boolean - True on success. """ return signing.verify(blkw.block.header, blkw.block.header_signature, blkw.header.signer_pubkey)
def test_invalid_signature(self): msg = "This is a message" priv = signer.generate_privkey() priv2 = signer.generate_privkey() sig = signer.sign(msg, priv) pub = signer.generate_pubkey(priv2) ver = signer.verify(msg, sig, pub) self.assertFalse(ver)
def validate_transaction(txn): # validate transactions signature header = TransactionHeader() header.ParseFromString(txn.header) valid = signing.verify(txn.header, txn.header_signature, header.signer_pubkey) if not valid: LOGGER.debug("transaction signature invalid for txn: %s", txn.header_signature) return valid
def verify_wait_certificate(cls, certificate, poet_public_key): # Since the signing module uses a hex-encoded string as the canonical # format for public keys and we should be handed a public key that was # part of signup information created by us, don't bother decoding # the public key. if not \ signing.verify( certificate.serialize(), certificate.signature, poet_public_key): raise ValueError('Wait certificate signature does not match')
def deserialize_wait_timer(cls, serialized_timer, signature): with cls._lock: # Verify the signature before trying to deserialize if not signing.verify(serialized_timer, signature, cls._poet_public_key): return None return \ EnclaveWaitTimer.wait_timer_from_serialized( serialized_timer=serialized_timer, signature=signature)
def verify_wait_certificate(cls, certificate, poet_public_key): # Reconstitute the PoET public key and check the signature over the # serialized wait certificate. decoded_poet_public_key = \ signing.decode_pubkey(poet_public_key, 'hex') if not \ signing.verify( certificate.serialize(), certificate.signature, decoded_poet_public_key): raise ValueError('Wait certificate signature does not match')
def validate_block(block): # validate block signature header = BlockHeader() header.ParseFromString(block.header) valid = signing.verify(block.header, block.header_signature, header.signer_pubkey) # validate all batches in block. These are not all batches in the # batch_ids stored in the block header, only those sent with the block. total = len(block.batches) index = 0 while valid and index < total: valid = validate_batch(block.batches[index]) index += 1 return valid
def _verify_block_signature(self, blkw): """ Verify a block is properly signed. :param blkw: the block to verify :return: Boolean - True on success. """ try: return signing.verify(blkw.block.header, blkw.block.header_signature, blkw.header.signer_pubkey) # To be on the safe side, assume any exception thrown # during signature validation means the signature # is invalid. # pylint: disable=broad-except except Exception: return False
def verify_signature(message, signature, public_key): # Signature verification based on message and public key verifystatus = signing.verify(message, signature, public_key) return verifystatus
def verify_signup_info(cls, signup_info, originator_public_key_hash, most_recent_wait_certificate_id): # Verify the attestation verification report signature proof_data_dict = json2dict(signup_info.proof_data) verification_report = proof_data_dict.get('verification_report') if verification_report is None: raise ValueError('Verification report is missing from proof data') signature = proof_data_dict.get('signature') if signature is None: raise ValueError('Signature is missing from proof data') if not signing.verify( verification_report, signature, cls._report_public_key): raise ValueError('Verification report signature is invalid') verification_report_dict = json2dict(verification_report) # Verify that the verification report contains a PSE manifest status # and it is OK pse_manifest_status = \ verification_report_dict.get('pseManifestStatus') if pse_manifest_status is None: raise \ ValueError( 'Verification report does not contain a PSE manifest ' 'status') if pse_manifest_status != 'OK': raise \ ValueError( 'PSE manifest status is {} (i.e., not OK)'.format( pse_manifest_status)) # Verify that the verification report contains a PSE manifest hash # and it is the value we expect pse_manifest_hash = \ verification_report_dict.get('pseManifestHash') if pse_manifest_hash is None: raise \ ValueError( 'Verification report does not contain a PSE manifest ' 'hash') expected_pse_manifest_hash = \ base64.b64encode( hashlib.sha256( bytes(b'Do you believe in ' b'manifest destiny?')).hexdigest() .encode()).decode() if pse_manifest_hash != expected_pse_manifest_hash: raise \ ValueError( 'PSE manifest hash {0} does not match {1}'.format( pse_manifest_hash, expected_pse_manifest_hash)) # Verify that the verification report contains an enclave quote and # that its status is OK enclave_quote_status = \ verification_report_dict.get('isvEnclaveQuoteStatus') if enclave_quote_status is None: raise \ ValueError( 'Verification report does not contain an enclave quote ' 'status') if enclave_quote_status != 'OK': raise \ ValueError( 'Enclave quote status is {} (i.e., not OK)'.format( enclave_quote_status)) enclave_quote = verification_report_dict.get('isvEnclaveQuoteBody') if enclave_quote is None: raise \ ValueError( 'Verification report does not contain an enclave quote') # Verify that the enclave quote contains a report body with the value # we expect (i.e., SHA256(SHA256(OPK)|PPK) report_data = '{0}{1}'.format( originator_public_key_hash.upper(), signup_info.poet_public_key.upper() ) expected_report_body = hashlib.sha256( dict2json(report_data).encode()).hexdigest() enclave_quote_dict = \ json2dict(base64.b64decode(enclave_quote).decode()) report_body = enclave_quote_dict.get('report_body') if report_body is None: raise ValueError('Enclave quote does not contain a report body') if report_body != expected_report_body: raise \ ValueError( 'Enclave quote report body {0} does not match {1}'.format( report_body, expected_report_body)) # Verify that the wait certificate ID in the verification report # matches the provided wait certificate ID. The wait certificate ID # is stored in the nonce field. nonce = verification_report_dict.get('nonce') if nonce is None: raise \ ValueError( 'Verification report does not have a nonce')