def __menu_handler(args): if not Path(args.module).is_file(): print("(-p11) path does not exist") exit() # test to see if the user provided a pss salt length for a PSS algorithm if "PSS" in args.mech and args.pssSaltLength is None: print("-pss-length must be provided when a PSS mechanism is specified") return else: if args.pssSaltLength is None: args.pssSaltLength = 0 with HsmClient(slot=args.slot, pin=args.pin, pkcs11_lib=args.module) as c: result = c.verify(handle=args.keyHandle, data=hex_to_bytes(args.data), signature=hex_to_bytes(args.sig), mechanism=HsmMech[args.mech], pss_salt_length=args.pssSaltLength) print("Sig Verify Result: {}".format(str(result)))
def sign(self, handle, sigreq): logging.debug(f'Signing with HSM client:') logging.debug(f' Slot = {self.hsm_slot}') logging.debug(f' lib = {self.hsm_libfile}') logging.debug(f' handle = {handle}') with HsmClient(slot=self.hsm_slot, pin=self.hsm_pin, pkcs11_lib=self.hsm_libfile) as c: hashed_data = blake2b(hex_to_bytes(sigreq.get_payload()), digest_size=32).digest() logging.debug(f'Hashed data to sign: {hashed_data}') sig = c.sign(handle=handle, data=hashed_data, mechanism=HsmMech.ECDSA) logging.debug(f'Raw signature: {sig}') encoded_sig = Signer.b58encode_signature(sig) logging.debug(f'Base58-encoded signature: {encoded_sig}') return encoded_sig
def sign(self, handle, test_mode=False): encoded_sig = '' data_to_sign = self.payload logging.info('About to sign {} with key handle {}'.format( data_to_sign, handle)) if self.valid_block_format(data_to_sign): logging.info('Block format is valid') if self.is_block() or self.is_endorsement(): logging.info('Preamble is valid') if self.is_within_level_threshold(): logging.info('Block level is valid') if test_mode: return self.TEST_SIGNATURE else: logging.info( 'About to sign with HSM client. Slot = {}, lib = {}, handle = {}' .format(self.hsm_slot, self.hsm_libfile, handle)) with HsmClient(slot=self.hsm_slot, pin=self.hsm_pin, pkcs11_lib=self.hsm_libfile) as c: hashed_data = blake2b(hex_to_bytes(data_to_sign), digest_size=32).digest() logging.info( 'Hashed data to sign: {}'.format(hashed_data)) sig = c.sign(handle=handle, data=hashed_data, mechanism=HsmMech.ECDSA) logging.info('Raw signature: {}'.format(sig)) encoded_sig = RemoteSigner.b58encode_signature(sig) logging.info('Base58-encoded signature: {}'.format( encoded_sig)) else: logging.error('Invalid level') raise Exception('Invalid level') else: logging.error('Invalid preamble') raise Exception('Invalid preamble') else: logging.error('Invalid payload') raise Exception('Invalid payload') return encoded_sig
def sign(self, handle, test_mode=False): # This code acquires a mutex lock using https://github.com/chiradeep/dyndb-mutex # generate a unique name for this process/thread ddb_region = environ['REGION'] my_name = str(uuid.uuid4()).split("-")[0] if self.is_block(): sig_type = 'Baking' else: sig_type = 'Endorsement' m = DynamoDbMutex(sig_type, holder=my_name, timeoutms=60 * 1000, region_name=ddb_region) locked = m.lock() # attempt to acquire the lock if locked: encoded_sig = '' data_to_sign = self.payload logging.info('About to sign {} with key handle {}'.format( data_to_sign, handle)) if self.valid_block_format(data_to_sign): logging.info('Block format is valid') if self.is_block() or self.is_endorsement(): logging.info('Preamble is valid') if self.not_already_signed(): if test_mode: return self.TEST_SIGNATURE else: logging.info( 'About to sign with HSM client. Slot = {}, lib = {}, handle = {}' .format(self.hsm_slot, self.hsm_libfile, handle)) with HsmClient(slot=self.hsm_slot, pin=self.hsm_pin, pkcs11_lib=self.hsm_libfile) as c: hashed_data = blake2b( hex_to_bytes(data_to_sign), digest_size=32).digest() logging.info('Hashed data to sign: {}'.format( hashed_data)) sig = c.sign(handle=handle, data=hashed_data, mechanism=HsmMech.ECDSA) logging.info('Raw signature: {}'.format(sig)) encoded_sig = RemoteSigner.b58encode_signature( sig) logging.info( 'Base58-encoded signature: {}'.format( encoded_sig)) else: logging.error('Invalid level') m.release() # release the lock raise Exception('Invalid level') else: logging.error('Invalid preamble') m.release() # release the lock raise Exception('Invalid preamble') else: logging.error('Invalid payload') m.release() # release the lock raise Exception('Invalid payload') m.release() # release the lock return encoded_sig else: # lock could not be acquired logging.error('Could not acquire lock') raise Exception('Could not acquire lock')