def _encode_sth_input(self, sth_response): if len(sth_response.sha256_root_hash) != 32: raise error.EncodingError("Wrong hash length: expected 32, got %d" % len(sth_response.sha256_root_hash)) return struct.pack(">BBQQ32s", ct_pb2.V1, ct_pb2.TREE_HEAD, sth_response.timestamp, sth_response.tree_size, sth_response.sha256_root_hash)
def verify(self, signature_input, signature): """Verifies the signature was created by the owner of the public key. Args: - signature_input: The data that was originally signed. - signature: An ECDSA SHA256 signature. Returns: - True if the signature verifies. Raises: - error.EncodingError: If the signature encoding is invalid. - error.SignatureError: If the signature fails verification. """ try: _ECDSASignature.decode(signature) return self.__key.verify(signature, signature_input, hashfunc=hashlib.sha256, sigdecode=ecdsa.util.sigdecode_der) except (ecdsa.der.UnexpectedDER, error.ASN1Error) as e: raise error.EncodingError("Invalid DER encoding for signature %s", signature.encode("hex"), e) except ecdsa.keys.BadSignatureError: raise error.SignatureError("Signature did not verify: %s", signature.encode("hex"))
def _verify(self, signature_input, signature): try: return self.__pubkey.verify(signature, signature_input, hashfunc=hashlib.sha256, sigdecode=ecdsa.util.sigdecode_der) except ecdsa.der.UnexpectedDER: raise error.EncodingError("Invalid DER encoding for signature %s", signature.encode("hex")) except ecdsa.keys.BadSignatureError: raise error.SignatureError("Signature did not verify: %s", signature.encode("hex"))
def __init__(self, key_info, merkle_verifier=merkle.MerkleVerifier()): """Initialize from KeyInfo protocol buffer and a MerkleVerifier.""" self.__merkle_verifier = merkle_verifier if key_info.type != client_pb2.KeyInfo.ECDSA: raise error.UnsupportedAlgorithmError("Key type %d not supported" % key_info.type) # Will raise a PemError on invalid encoding self.__der, _ = pem.from_pem(key_info.pem_key, LogVerifier.__ECDSA_READ_MARKERS) try: self.__pubkey = ecdsa.VerifyingKey.from_der(self.__der) except ecdsa.der.UnexpectedDER as e: raise error.EncodingError(e)
def decode_signature(signature): """Decode the TLS-encoded serialized signature. Args: signature: TLS-encoded signature. Returns: a tuple of (hash algorithm, signature algorithm, signature data) Raises: ct.crypto.error.EncodingError: invalid TLS encoding. """ sig_stream = io.BytesIO(signature) sig_prefix = sig_stream.read(2) if len(sig_prefix) != 2: raise error.EncodingError("Invalid algorithm prefix %s" % sig_prefix.encode("hex")) hash_algo, sig_algo = struct.unpack(">BB", sig_prefix) if (hash_algo != ct_pb2.DigitallySigned.SHA256 or sig_algo != ct_pb2.DigitallySigned.ECDSA): raise error.EncodingError("Invalid algorithm(s) %d, %d" % (hash_algo, sig_algo)) length_prefix = sig_stream.read(2) if len(length_prefix) != 2: raise error.EncodingError("Invalid signature length prefix %s" % length_prefix.encode("hex")) sig_length, = struct.unpack(">H", length_prefix) remaining = sig_stream.read() if len(remaining) != sig_length: raise error.EncodingError( "Invalid signature length %d for " "signature %s with length %d" % (sig_length, remaining.encode("hex"), len(remaining))) return (hash_algo, sig_algo, remaining)
def __init__(self, key_info): """Creates a verifier that uses a PEM-encoded ECDSA public key. Args: - key_info: KeyInfo protobuf message Raises: - PemError: If the key has an invalid encoding """ if (key_info.type != client_pb2.KeyInfo.ECDSA): raise error.UnsupportedAlgorithmError( "Expected ECDSA key, but got key type %d" % key_info.type) # Will raise a PemError on invalid encoding self.__der, _ = pem.from_pem(key_info.pem_key, self.__READ_MARKERS) try: self.__key = ecdsa.VerifyingKey.from_der(self.__der) except ecdsa.der.UnexpectedDER as e: raise error.EncodingError(e)
def __init__(self, key_info): """Creates a verifier that uses a PEM-encoded RSA public key. Args: - key_info: KeyInfo protobuf message Raises: - PemError: If the key has an invalid encoding """ if (key_info.type != client_pb2.KeyInfo.RSA): raise error.UnsupportedAlgorithmError( "Expected RSA key, but got key type %d" % key_info.type) # Will raise a PemError on invalid encoding self.__der, _ = pem.from_pem(key_info.pem_key, self.__READ_MARKERS) try: self.__key = Crypto.PublicKey.RSA.importKey(self.__der) except (ValueError, IndexError, TypeError) as e: raise error.EncodingError(e)