def _encode_sth_input(self, sth_response):
if len(sth_response.sha256_root_hash) != 32:
raise error.EncodingError("Wrong hash length: expected 32, got %d" %
len(sth_response.sha256_root_hash))
return struct.pack(">BBQQ32s", ct_pb2.V1, ct_pb2.TREE_HEAD,
sth_response.timestamp, sth_response.tree_size,
sth_response.sha256_root_hash)
def verify(self, signature_input, signature):
"""Verifies the signature was created by the owner of the public key.
Args:
- signature_input: The data that was originally signed.
- signature: An ECDSA SHA256 signature.
Returns:
- True if the signature verifies.
Raises:
- error.EncodingError: If the signature encoding is invalid.
- error.SignatureError: If the signature fails verification.
"""
try:
_ECDSASignature.decode(signature)
return self.__key.verify(signature,
signature_input,
hashfunc=hashlib.sha256,
sigdecode=ecdsa.util.sigdecode_der)
except (ecdsa.der.UnexpectedDER, error.ASN1Error) as e:
raise error.EncodingError("Invalid DER encoding for signature %s",
signature.encode("hex"), e)
except ecdsa.keys.BadSignatureError:
raise error.SignatureError("Signature did not verify: %s",
signature.encode("hex"))
def _verify(self, signature_input, signature):
try:
return self.__pubkey.verify(signature, signature_input,
hashfunc=hashlib.sha256,
sigdecode=ecdsa.util.sigdecode_der)
except ecdsa.der.UnexpectedDER:
raise error.EncodingError("Invalid DER encoding for signature %s",
signature.encode("hex"))
except ecdsa.keys.BadSignatureError:
raise error.SignatureError("Signature did not verify: %s",
signature.encode("hex"))
def __init__(self, key_info, merkle_verifier=merkle.MerkleVerifier()):
"""Initialize from KeyInfo protocol buffer and a MerkleVerifier."""
self.__merkle_verifier = merkle_verifier
if key_info.type != client_pb2.KeyInfo.ECDSA:
raise error.UnsupportedAlgorithmError("Key type %d not supported" %
key_info.type)
# Will raise a PemError on invalid encoding
self.__der, _ = pem.from_pem(key_info.pem_key,
LogVerifier.__ECDSA_READ_MARKERS)
try:
self.__pubkey = ecdsa.VerifyingKey.from_der(self.__der)
except ecdsa.der.UnexpectedDER as e:
raise error.EncodingError(e)
def decode_signature(signature):
"""Decode the TLS-encoded serialized signature.
Args:
signature: TLS-encoded signature.
Returns:
a tuple of (hash algorithm, signature algorithm, signature data)
Raises:
ct.crypto.error.EncodingError: invalid TLS encoding.
"""
sig_stream = io.BytesIO(signature)
sig_prefix = sig_stream.read(2)
if len(sig_prefix) != 2:
raise error.EncodingError("Invalid algorithm prefix %s" %
sig_prefix.encode("hex"))
hash_algo, sig_algo = struct.unpack(">BB", sig_prefix)
if (hash_algo != ct_pb2.DigitallySigned.SHA256
or sig_algo != ct_pb2.DigitallySigned.ECDSA):
raise error.EncodingError("Invalid algorithm(s) %d, %d" %
(hash_algo, sig_algo))
length_prefix = sig_stream.read(2)
if len(length_prefix) != 2:
raise error.EncodingError("Invalid signature length prefix %s" %
length_prefix.encode("hex"))
sig_length, = struct.unpack(">H", length_prefix)
remaining = sig_stream.read()
if len(remaining) != sig_length:
raise error.EncodingError(
"Invalid signature length %d for "
"signature %s with length %d" %
(sig_length, remaining.encode("hex"), len(remaining)))
return (hash_algo, sig_algo, remaining)
def __init__(self, key_info):
"""Creates a verifier that uses a PEM-encoded ECDSA public key.
Args:
- key_info: KeyInfo protobuf message
Raises:
- PemError: If the key has an invalid encoding
"""
if (key_info.type != client_pb2.KeyInfo.ECDSA):
raise error.UnsupportedAlgorithmError(
"Expected ECDSA key, but got key type %d" % key_info.type)
# Will raise a PemError on invalid encoding
self.__der, _ = pem.from_pem(key_info.pem_key, self.__READ_MARKERS)
try:
self.__key = ecdsa.VerifyingKey.from_der(self.__der)
except ecdsa.der.UnexpectedDER as e:
raise error.EncodingError(e)
def __init__(self, key_info):
"""Creates a verifier that uses a PEM-encoded RSA public key.
Args:
- key_info: KeyInfo protobuf message
Raises:
- PemError: If the key has an invalid encoding
"""
if (key_info.type != client_pb2.KeyInfo.RSA):
raise error.UnsupportedAlgorithmError(
"Expected RSA key, but got key type %d" % key_info.type)
# Will raise a PemError on invalid encoding
self.__der, _ = pem.from_pem(key_info.pem_key, self.__READ_MARKERS)
try:
self.__key = Crypto.PublicKey.RSA.importKey(self.__der)
except (ValueError, IndexError, TypeError) as e:
raise error.EncodingError(e)
