def test_basic_ops(self):
msg = 'this is a message'
priv = signer.generate_privkey()
pub = signer.generate_pubkey(priv)
sig = signer.sign(msg, priv)
ver = signer.verify(msg, sig, pub)
self.assertTrue(ver)
def validate_batch(batch):
# validate batch signature
header = BatchHeader()
header.ParseFromString(batch.header)
valid = signing.verify(batch.header, batch.header_signature,
header.signer_pubkey)
if not valid:
LOGGER.debug("batch failed signature validation: %s",
batch.header_signature)
# validate all transactions in batch
total = len(batch.transactions)
index = 0
while valid and index < total:
txn = batch.transactions[index]
valid = validate_transaction(txn)
if valid:
txn_header = TransactionHeader()
txn_header.ParseFromString(txn.header)
if txn_header.batcher_pubkey != header.signer_pubkey:
LOGGER.debug(
"txn batcher pubkey does not match signer"
"pubkey for batch: %s txn: %s", batch.header_signature,
txn.header_signature)
valid = False
index += 1
return valid
def _verify_block_signature(self, blkw):
""" Verify a block is properly signed.
:param blkw: the block to verify
:return: Boolean - True on success.
"""
return signing.verify(blkw.block.header, blkw.block.header_signature,
blkw.header.signer_pubkey)
def test_invalid_signature(self):
msg = "This is a message"
priv = signer.generate_privkey()
priv2 = signer.generate_privkey()
sig = signer.sign(msg, priv)
pub = signer.generate_pubkey(priv2)
ver = signer.verify(msg, sig, pub)
self.assertFalse(ver)
def validate_transaction(txn):
# validate transactions signature
header = TransactionHeader()
header.ParseFromString(txn.header)
valid = signing.verify(txn.header, txn.header_signature,
header.signer_pubkey)
if not valid:
LOGGER.debug("transaction signature invalid for txn: %s",
txn.header_signature)
return valid
def verify_wait_certificate(cls, certificate, poet_public_key):
# Since the signing module uses a hex-encoded string as the canonical
# format for public keys and we should be handed a public key that was
# part of signup information created by us, don't bother decoding
# the public key.
if not \
signing.verify(
certificate.serialize(),
certificate.signature,
poet_public_key):
raise ValueError('Wait certificate signature does not match')
def deserialize_wait_timer(cls, serialized_timer, signature):
with cls._lock:
# Verify the signature before trying to deserialize
if not signing.verify(serialized_timer, signature,
cls._poet_public_key):
return None
return \
EnclaveWaitTimer.wait_timer_from_serialized(
serialized_timer=serialized_timer,
signature=signature)
def verify_wait_certificate(cls, certificate, poet_public_key):
# Reconstitute the PoET public key and check the signature over the
# serialized wait certificate.
decoded_poet_public_key = \
signing.decode_pubkey(poet_public_key, 'hex')
if not \
signing.verify(
certificate.serialize(),
certificate.signature,
decoded_poet_public_key):
raise ValueError('Wait certificate signature does not match')
def validate_block(block):
# validate block signature
header = BlockHeader()
header.ParseFromString(block.header)
valid = signing.verify(block.header, block.header_signature,
header.signer_pubkey)
# validate all batches in block. These are not all batches in the
# batch_ids stored in the block header, only those sent with the block.
total = len(block.batches)
index = 0
while valid and index < total:
valid = validate_batch(block.batches[index])
index += 1
return valid
def _verify_block_signature(self, blkw):
""" Verify a block is properly signed.
:param blkw: the block to verify
:return: Boolean - True on success.
"""
try:
return signing.verify(blkw.block.header,
blkw.block.header_signature,
blkw.header.signer_pubkey)
# To be on the safe side, assume any exception thrown
# during signature validation means the signature
# is invalid.
# pylint: disable=broad-except
except Exception:
return False
def verify_signature(message, signature, public_key):
# Signature verification based on message and public key
verifystatus = signing.verify(message, signature, public_key)
return verifystatus
def verify_signup_info(cls,
signup_info,
originator_public_key_hash,
most_recent_wait_certificate_id):
# Verify the attestation verification report signature
proof_data_dict = json2dict(signup_info.proof_data)
verification_report = proof_data_dict.get('verification_report')
if verification_report is None:
raise ValueError('Verification report is missing from proof data')
signature = proof_data_dict.get('signature')
if signature is None:
raise ValueError('Signature is missing from proof data')
if not signing.verify(
verification_report,
signature,
cls._report_public_key):
raise ValueError('Verification report signature is invalid')
verification_report_dict = json2dict(verification_report)
# Verify that the verification report contains a PSE manifest status
# and it is OK
pse_manifest_status = \
verification_report_dict.get('pseManifestStatus')
if pse_manifest_status is None:
raise \
ValueError(
'Verification report does not contain a PSE manifest '
'status')
if pse_manifest_status != 'OK':
raise \
ValueError(
'PSE manifest status is {} (i.e., not OK)'.format(
pse_manifest_status))
# Verify that the verification report contains a PSE manifest hash
# and it is the value we expect
pse_manifest_hash = \
verification_report_dict.get('pseManifestHash')
if pse_manifest_hash is None:
raise \
ValueError(
'Verification report does not contain a PSE manifest '
'hash')
expected_pse_manifest_hash = \
base64.b64encode(
hashlib.sha256(
bytes(b'Do you believe in '
b'manifest destiny?')).hexdigest()
.encode()).decode()
if pse_manifest_hash != expected_pse_manifest_hash:
raise \
ValueError(
'PSE manifest hash {0} does not match {1}'.format(
pse_manifest_hash,
expected_pse_manifest_hash))
# Verify that the verification report contains an enclave quote and
# that its status is OK
enclave_quote_status = \
verification_report_dict.get('isvEnclaveQuoteStatus')
if enclave_quote_status is None:
raise \
ValueError(
'Verification report does not contain an enclave quote '
'status')
if enclave_quote_status != 'OK':
raise \
ValueError(
'Enclave quote status is {} (i.e., not OK)'.format(
enclave_quote_status))
enclave_quote = verification_report_dict.get('isvEnclaveQuoteBody')
if enclave_quote is None:
raise \
ValueError(
'Verification report does not contain an enclave quote')
# Verify that the enclave quote contains a report body with the value
# we expect (i.e., SHA256(SHA256(OPK)|PPK)
report_data = '{0}{1}'.format(
originator_public_key_hash.upper(),
signup_info.poet_public_key.upper()
)
expected_report_body = hashlib.sha256(
dict2json(report_data).encode()).hexdigest()
enclave_quote_dict = \
json2dict(base64.b64decode(enclave_quote).decode())
report_body = enclave_quote_dict.get('report_body')
if report_body is None:
raise ValueError('Enclave quote does not contain a report body')
if report_body != expected_report_body:
raise \
ValueError(
'Enclave quote report body {0} does not match {1}'.format(
report_body,
expected_report_body))
# Verify that the wait certificate ID in the verification report
# matches the provided wait certificate ID. The wait certificate ID
# is stored in the nonce field.
nonce = verification_report_dict.get('nonce')
if nonce is None:
raise \
ValueError(
'Verification report does not have a nonce')
