def validate_sig(self, to_sign, signature, cert_chain_der):
# Check that openssl is available
try:
crypto_functions.are_available([crypto_functions.MOD_OPENSSL])
except Exception as e:
raise RuntimeError('Cannot validate signing: ' + str(e))
hmac_params = crypto_functions.get_hmacparams_from_certificate_chain(
cert_chain_der[0])
hash_algo = crypto_functions.get_hash_algorithm_from_certicate_chain(
cert_chain_der[0])
cert_chain_pem = []
for cert in cert_chain_der:
cert_chain_pem.append(crypto_functions.cert_der_to_pem(cert))
public_key = crypto_functions.get_public_key_from_cert_chain(
cert_chain_pem)
decrypted_hash = crypto_functions.decrypt_with_public_key(
signature, public_key)
hasher = Hasher()
image_hash = hasher.qcom_hmac(to_sign, hmac_params, hash_algo)
return image_hash == decrypted_hash
def validate_sig(self, to_sign, signature, cert_chain_der):
hmac_params=crypto_functions.get_hmacparams_from_certificate_chain(cert_chain_der[0])
cert_chain_pem = []
for cert in cert_chain_der:
cert_chain_pem.append(crypto_functions.cert_der_to_pem(cert))
public_key = crypto_functions.get_public_key_from_cert_chain(cert_chain_pem)
decrypted_hash = crypto_functions.decrypt_with_public_key(signature, public_key)
hasher = Hasher()
image_hash = hasher.qcom_hmac(to_sign, hmac_params)
return image_hash == decrypted_hash
def validate_sig(self, to_sign, signature, cert_chain_der):
hmac_params=crypto_functions.get_hmacparams_from_certificate_chain(cert_chain_der[0])
cert_chain_pem = []
for cert in cert_chain_der:
cert_chain_pem.append(crypto_functions.cert_der_to_pem(cert))
public_key = crypto_functions.get_public_key_from_cert_chain(cert_chain_pem)
decrypted_hash = crypto_functions.decrypt_with_public_key(signature, public_key)
hasher = Hasher()
image_hash = hasher.qcom_hmac(to_sign, hmac_params)
return image_hash == decrypted_hash
def sign(self, binary_to_sign, imageinfo, debug_dir=None, is_hash=False):
'''
This function returns a SignerOutput object which has all the security assets generated
by the signer.
'''
self.validate_config(imageinfo)
sha_algo = signerutils.get_sha_algo_from_config(
imageinfo.signing_attributes)
if is_hash:
hash_to_sign = binary_to_sign
binary_to_sign = None
else:
is_hmac = ishmac(imageinfo)
logger.info('Using ' + ('QC HMAC' if is_hmac else 'SHA') +
' for hash segment')
hmacParams = signerutils.get_hmac_params_from_config(
imageinfo.signing_attributes)
hash_to_sign = Hasher().get_hash(
binary_to_sign,
hmac_params=hmacParams if is_hmac else None,
sha_algo=sha_algo)
signer_output = self.sign_hash(hash_to_sign, imageinfo, binary_to_sign,
debug_dir, sha_algo)
# print certificate properties
attestation_cert_obj = Certificate(signer_output.attestation_cert)
logger.info('\nAttestation Certificate Properties:\n' +
str(attestation_cert_obj))
return signer_output
def validate_sig(self,
to_sign,
signature,
cert_chain_der,
signed_authority=None,
extracted_image_attributes=None,
imageinfo=None):
# Check that openssl is available
try:
crypto.are_available([crypto.modules.MOD_OPENSSL])
except Exception as e:
raise RuntimeError('Cannot validate signing: ' + str(e))
# Get the hash
if extracted_image_attributes is None:
extracted_image_attributes = self._attribute_extractor(
cert_data=cert_chain_der[0],
attributes=self.signing_attributes_class()).attributes
cert_text = extracted_image_attributes.cert_text
cert_sign_algo = crypto.cert.get_sign_algo(cert_text)
use_pss = cert_sign_algo == crypto.cert.SIGN_ALGO_RSA_PSS
use_dsa = cert_sign_algo == crypto.cert.SIGN_ALGO_ECDSA
# Get the hmac params from attestation cert or hash segment
hmac_params = self.get_hmac_params_from_cert(
extracted_attributes=extracted_image_attributes)
if use_dsa:
# RSA padding mapping cannot be used to determine
# whether HMAC was used or not, so config hmac value must be used
logger.debug(
"Signer is relying on config's hmac value to determine "
"whether signature was generated using HMAC or SHA.")
if imageinfo.signing_attributes.hmac:
logger.debug(
"Signer is assuming that signature was generated using HMAC."
)
else:
logger.debug(
"Signer is assuming that signature was generated using SHA."
)
hmac_params = None
elif use_pss:
hmac_params = None
image_hash = Hasher().get_hash(
to_sign,
hmac_params=hmac_params,
sha_algo=extracted_image_attributes.hash_algorithm)
# Validate the hash
return self.validate_sig_using_hash(
image_hash,
signature,
cert_chain_der,
signed_authority=signed_authority,
extracted_image_attributes=extracted_image_attributes)
def validate_sig(self, to_sign, signature, cert_chain_der, signed_authority=None, extracted_image_attributes=None):
# Check that openssl is available
try:
crypto.are_available([crypto.modules.MOD_OPENSSL])
except Exception as e:
raise RuntimeError('Cannot validate signing: ' + str(e))
# Get the hash
if extracted_image_attributes is None:
extracted_image_attributes = AttributeExtractor(cert_data=cert_chain_der[0], hash_segment_metadata=None).attributes
cert_text = extracted_image_attributes.cert_text
use_pss = crypto.cert.get_sign_algo(cert_text) == crypto.cert.SIGN_ALGO_RSA_PSS
# Get the hmac params from attestation cert or hash segment
hmac_params = self.get_hmac_params_from_cert(extracted_attributes=extracted_image_attributes)
hash_algo = extracted_image_attributes.hash_algorithm
image_hash = Hasher().get_hash(to_sign, hmac_params=hmac_params if not use_pss else None, sha_algo=hash_algo)
# Validate the hash
return self.validate_sig_using_hash(image_hash, signature, cert_chain_der, signed_authority=signed_authority, extracted_image_attributes=extracted_image_attributes)
def validate_sig(self, to_sign, signature, cert_chain_der):
# Check that openssl is available
try:
crypto_functions.are_available([crypto_functions.MOD_OPENSSL])
except Exception as e:
raise RuntimeError('Cannot validate signing: ' + str(e))
# Get the hash
use_pss = crypto_functions.cert_uses_pss(cert_chain_der[0], 'DER')
hmac_params = crypto_functions.get_hmacparams_from_certificate_chain(
cert_chain_der[0])
hash_algo = crypto_functions.get_hash_algorithm_from_certicate_chain(
cert_chain_der[0])
image_hash = Hasher().get_hash(
to_sign,
hmac_params=hmac_params if not use_pss else None,
sha_algo=hash_algo)
# Validate the hash
return self.validate_sig_using_hash(image_hash, signature,
cert_chain_der)