def verify(self, signature, payload):
k = self.key
if isinstance(self.key, rsa.RSAPrivateKey):
k = self.key.public_key()
return k.verify(signature=signature, data=payload,
padding=PSS(mgf=MGF1(SHA256()), salt_length=32),
algorithm=SHA256())
def sign(self, payload):
# The verification code only allows the salt length to be the
# same as the hash length, 32.
return self.key.sign(
data=payload,
padding=PSS(mgf=MGF1(SHA256()), salt_length=32),
algorithm=SHA256())
def sign(self, message):
signature = self.private_key.sign(
message,
PSS(mgf=MGF1(hashes.SHA256()),
salt_length=PSS.MAX_LENGTH),
hashes.SHA256())
return signature
def rsa_sign(self, msg, user_pri_key):
signer = user_pri_key.signer(
PSS(mgf=MGF1(SHA512()), salt_length=PSS.MAX_LENGTH), SHA512())
signer.update(msg)
signature = signer.finalize()
sig_length = (len(signature)).to_bytes(4, byteorder='big')
return sig_length + signature + msg
def verify(self, message, signature):
self.client_public_key.verify(
signature,
message,
PSS(mgf=MGF1(hashes.SHA256()),
salt_length=PSS.MAX_LENGTH),
hashes.SHA256())
def test_sign(self, sign_key):
# create signature
message = b"Hello World"
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(message)
digest = digest.finalize()
signature, key_public_pem, cert_pem = self.fapi.sign(
path=sign_key, digest=digest
)
assert type(signature) == bytes
assert type(key_public_pem) == bytes
assert type(cert_pem) == bytes
# verify via fapi
self.fapi.verify_signature(sign_key, digest, signature)
# verify via openssl
public_key = serialization.load_pem_public_key(
key_public_pem, backend=default_backend()
)
public_key.verify(
signature,
message,
PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32),
hashes.SHA256(),
)
def asymmetric_sign(msg, sign_key):
"""Asymmetrically signs a message"""
signer = sign_key.signer(
PSS(mgf=MGF1(SHA256()), salt_length=PSS.MAX_LENGTH), SHA256())
if isinstance(msg, str):
msg = bytes(msg, encoding='utf-8')
elif isinstance(msg, bytearray):
msg = bytes(msg)
signer.update(msg)
return signer.finalize()
def test_sig(self):
k = RSA2048.generate()
buf = b'This is the message'
sig = k.sign(buf)
# The code doesn't have any verification, so verify this
# manually.
k.key.public_key().verify(signature=sig,
data=buf,
padding=PSS(mgf=MGF1(SHA256()),
salt_length=32),
algorithm=SHA256())
# Modify the message to make sure the signature fails.
self.assertRaises(InvalidSignature,
k.key.public_key().verify,
signature=sig,
data=b'This is thE message',
padding=PSS(mgf=MGF1(SHA256()), salt_length=32),
algorithm=SHA256())
def rsa_verify(self, msg, user_pub_key):
sig_length_bytes = msg[:4]
sig_length = int.from_bytes(sig_length_bytes, byteorder='big')
signature = msg[4:4 + sig_length]
s = msg[4 + sig_length:]
verifier = user_pub_key.verifier(
signature, PSS(mgf=MGF1(SHA512()), salt_length=PSS.MAX_LENGTH),
SHA512())
verifier.update(s)
verifier.verify()
return s
def sign(self, payload):
if sign_rsa_pss:
signature = self.key.sign(data=bytes(payload),
padding=PSS(mgf=MGF1(SHA256()),
salt_length=32),
algorithm=SHA256())
else:
signature = self.key.sign(data=bytes(payload),
padding=PKCS1v15(),
algorithm=SHA256())
assert len(signature) == self.sig_len()
return signature
def compune_commit(cec_1_0, cec_5_0, cec_10_0, n):
global my_info, keys
identitate = b"netflix.com"
identitate = add_bytes(identitate, 32)
date = str(datetime.datetime.now().date()).encode("utf-8")
lenght = str(n).encode("utf-8")
commit = my_info.get(
"certificat"
) + cec_1_0 + cec_5_0 + cec_10_0 + identitate + date + lenght
signature = keys["private_key"].sign(
commit, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH),
hashes.SHA256())
return signature + commit #256biti semnatura
def asymmetric_verify(signature, plaintext, public_key):
"""Verifies an asymmetrically signed message"""
try:
if isinstance(plaintext, str):
plaintext = bytes(plaintext, encoding='utf-8')
elif isinstance(plaintext, bytearray):
plaintext = bytes(plaintext)
public_key.verify(signature, plaintext,
PSS(mgf=MGF1(SHA256()), salt_length=PSS.MAX_LENGTH),
SHA256())
return True
except InvalidSignature:
return False
def verify_signature(
*,
public_key: Union[EllipticCurvePublicKey, RSAPublicKey, Ed25519PublicKey,
DSAPublicKey, Ed448PublicKey, X25519PublicKey,
X448PublicKey, ],
signature_alg: COSEAlgorithmIdentifier,
signature: bytes,
data: bytes,
) -> None:
"""Verify a signature was signed with the private key corresponding to the provided
public key.
Args:
`public_key`: A public key loaded via cryptography's `load_der_public_key`, `load_der_x509_certificate`, etc...
`signature_alg`: Algorithm ID used to sign the signature
`signature`: Signature to verify
`data`: Data signed by private key
Raises:
`webauth.helpers.exceptions.UnsupportedAlgorithm` when the algorithm is not a recognized COSE algorithm ID
`webauth.helpers.exceptions.UnsupportedPublicKey` when the public key is not a valid EC2, RSA, or OKP certificate
`cryptography.exceptions.InvalidSignature` when the signature cannot be verified
"""
if isinstance(public_key, EllipticCurvePublicKey):
public_key.verify(signature, data, get_ec2_sig_alg(signature_alg))
elif isinstance(public_key, RSAPublicKey):
if is_rsa_pkcs(signature_alg):
public_key.verify(signature, data, PKCS1v15(),
get_rsa_pkcs1_sig_alg(signature_alg))
elif is_rsa_pss(signature_alg):
rsa_alg = get_rsa_pss_sig_alg(signature_alg)
public_key.verify(
signature,
data,
PSS(mgf=MGF1(rsa_alg), salt_length=PSS.MAX_LENGTH),
rsa_alg,
)
else:
raise UnsupportedAlgorithm(
f"Unrecognized RSA signature alg {signature_alg}")
elif isinstance(public_key, Ed25519PublicKey):
public_key.verify(signature, data)
else:
raise UnsupportedPublicKey(
f"Unsupported public key for signature verification: {public_key}")
def engine_padding_pss(hsh: str, saltlen: int) -> PSS:
"""
Utility function for cryptography padding instance
:param hsh:
str the hash name
'sha1' 'sha256' etc
OpenSSL EVP_PKEY_CTX_set_rsa_padding()
:param saltlen:
int the PSS salt length
usually the hash length, e.g. 32 for sha256
cannot use OpenSSL special -1, -2 values here
OpenSSL EVP_PKEY_CTX_set_rsa_pss_saltlen()
:return:
PSS instance
"""
return PSS(MGF1(engine_hashes(hsh)), saltlen)
def DefaultSign(msg, rsaPrivKey):
return rsaPrivKey.sign(
msg, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH),
hashes.SHA256())
def pay_vendor():
global history
print(">> Pornim serverul TCP/IP")
connection, address = startTCP_serv(IPbanca, portBanca)
print(address)
criptotext = b""
while True:
data = connection.recv(1024)
criptotext += data
if not data: break
print(">> Am primit commitul si hasurile")
if not criptotext:
return False
commit = criptotext[:1572]
c1 = criptotext[1572:1604]
c5 = criptotext[1604:1636]
c10 = criptotext[1636:1668]
l1 = criptotext[1668:1671]
l1 = take_back_bytes(l1)
l5 = criptotext[1671:1674]
l5 = take_back_bytes(l5)
l10 = criptotext[1674:1677]
l10 = take_back_bytes(l10)
signature = commit[:256]
content = commit[256:-4]
IP = content[256:265]
public_key_B = content[265:716] #451 dimensiunea cheii publice serializate
#deserializez cheia lui B publica pt a verifica semnatura
public_key_B = serialization.load_pem_public_key(public_key_B,
backend=default_backend())
public_key_U = content[716:1167]
public_key_U = serialization.load_pem_public_key(public_key_U,
backend=default_backend())
cec_1_0 = commit[1428:1460]
cec_5_0 = commit[1460:1492]
cec_10_0 = commit[1492:1524]
indentitate = commit[1524:1556]
date = commit[1556:1566]
n = commit[1566:1568]
n = int(n.decode("utf-8"))
try: #verific certificatul folosind cheia publica a lui B
public_key_U.verify(
signature, content,
PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH),
hashes.SHA256())
except:
print(">> Semnatura si certificatul nu se potrivesc!!!")
return False
else: #daca nu apare nici o eroare certificatul e valid
print(">> Certificatul a fost autentificat si salvat.")
check1 = verifica_hash(c1, cec_1_0, l1)
check5 = verifica_hash(c5, cec_5_0, l5)
check10 = verifica_hash(c10, cec_10_0, l10)
if check1 != False and check5 != False and check10 != False:
print(">> Hasurile sunt bune.")
if check1 not in history and check5 not in history and check10 not in history:
history.append(check1)
history.append(check5)
history.append(check10)
print(">> Tanzactia a fost aprobata si salvata in istoric.")
suma = len(
history[0]) + 5 * len(history[1]) + 10 * len(history[2])
print(">> Vendorul primeste " + str(suma) + " lei.")
return True
else:
print(">> Tranzactia nu a fost aprobata.")
else:
print(">> Tranzactia nu a fost aprobata.")
def certificate_exchange():
global keys, user_info
print(">> Pornesc serverul TCP/IP")
#pornesc serverul TCP/IP
(connection, address) = startTCP_serv(IPbanca, portBanca)
print("Clinet:", IPclient[-1])
print(">> Se face schimbul DH")
#se face schimbul DH si salvez cheile DH si cea pt encriptia simetrica
DH, key = DHexchange(connection)
print(">> Generez cheia privata si publica")
#generez cheia privata si publica RSA
serv_private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
serv_public_key = serv_private_key.public_key()
#le salvez in dictionarul global keys
keys.update({
"serv_private_key": serv_private_key,
"serv_public_key": serv_public_key
})
#serializez cheia publica pentru a o putea trimite
serial_public_key = serv_public_key.public_bytes(
encoding=Encoding.PEM, format=PublicFormat.SubjectPublicKeyInfo)
#generez un IV pt encriptia simetrica
iv = generate_IV(DH, 16)
#primesc informatiile personale de la U
criptotext = bytes()
while True:
data = connection.recv(1024)
criptotext += data
break
#le decriptez si salvez
inf_personale = decriptare_simetrica_AES(criptotext, key, iv)
############ Am terminat cu canalul privat U-B ################
#desfac informatiile personale pt a compune certificatul
serial_public_key_client = inf_personale[:451]
cont_bancar = inf_personale[451:470]
nume = inf_personale[470:]
client_public_key = serialization.load_pem_public_key(
serial_public_key_client, backend=default_backend())
info = "nimic"
#salvez cheia publica a lui U
keys.update({"public_key_U": client_public_key})
print(">> Compun certificatul.")
#compun certificatul
certificat = make_certificate(IPclient[-1], serial_public_key,
serial_public_key_client, info)
#compun semnatura pe certificat
signature = serv_private_key.sign(
certificat, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH),
hashes.SHA256())
#adaug semnatura la certificat
certificat = signature + certificat
#salvez datele personale ale userului intr-un dictionar
user_info.update({
"nume": nume.decode("UTF-8"),
"cont_bancar": cont_bancar.decode("UTF-8"),
"certificat": certificat,
"numeral": 1000,
"info": info
})
print(">> Trimit certificatul.")
#trimit certificatul lui U
connection.send(certificat)
#certificatul a fost trimis inchid conexiunea
connection.close()
print(
">> Certificatul a fost trimis si salvat. \n>> Am inchis conexiunea cu clientul."
)
def verify(self, public_key, m, sig):
public_key.verify(
sig, m, PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH),
hashes.SHA256())
def certificate_exchange():
global s, keys, my_info
print(">> Ma conextex la banca.")
#ma conectez la serverul TCP/IP
startTCP_client(IPbanca, portBanca)
print(">> Fac schimbul HD.")
#fac schimbul DH si salvez cheia master DH si cheia pt encriptia simetrica
DH, key = DHexchange()
print(">> Generez cheia privata si publica.")
#generez cheia purivata si cheia publica RSA
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
public_key = private_key.public_key()
#le salvez in dictionarul global keys
keys.update({"private_key": private_key, "public_key": public_key})
#serializez cheia publica
serial_public_key = public_key.public_bytes(
encoding=Encoding.PEM, format=PublicFormat.SubjectPublicKeyInfo)
#generez IV-ul pt ecriptia simetrica
iv = generate_IV(DH, 16)
cont_bancar = b"167 123 123 123 123"
nume = b"Anon Anonimus"
inf_personale = serial_public_key + cont_bancar + nume
#criptez cheia publica si informatiile personale
criptotext = criptare_simetrica_AES(inf_personale, key, iv)
print(">> Trimit inf personale pe canalul privat.")
#trimit cheia si informatiile personale pt generarea certificatului
s.send(criptotext)
print(">> Primesc certificatul.")
#primesc certificatul semnat
criptotext = bytes()
while True:
data = s.recv(100)
criptotext += data
if not data: break
#desfac certificatul in semnatura, cheia lui B publica si restul informatiilor
signature = criptotext[:256]
IP = criptotext[256:265]
public_key_B = criptotext[265:
716] #451 dimensiunea cheii publice serializate
#deserializez cheia lui B publica pt a verifica semnatura
public_key_B = serialization.load_pem_public_key(public_key_B,
backend=default_backend())
public_key_U = criptotext[716:1167]
info = criptotext[1167:]
keys.update({"public_key_B": public_key_B})
my_info.update({"certificat": criptotext, "numeral": 1000})
#compun certificatul fara semnatura
certificat = criptotext[256:]
print(">> Verific semnatura certificatului.")
try: #verific certificatul folosind cheia publica a lui B
public_key_B.verify(
signature, certificat,
PSS(mgf=MGF1(hashes.SHA256()), salt_length=PSS.MAX_LENGTH),
hashes.SHA256())
except:
print(">> Semnatura si certificatul nu se potrivesc")
else: #daca nu apare nici o eroare certificatul e valid
print(">> Certificatul a fost autentificat si salvat.")
s.close()
