def verify(self, message, signature): # First convert (r||s) raw signature to ASN1 encoded signature. sig_bytes = _helpers.to_bytes(signature) if len(sig_bytes) != 64: return False r = utils.int_from_bytes(sig_bytes[:32], byteorder="big") s = utils.int_from_bytes(sig_bytes[32:], byteorder="big") asn1_sig = encode_dss_signature(r, s) message = _helpers.to_bytes(message) try: self._pubkey.verify(asn1_sig, message, ec.ECDSA(hashes.SHA256())) return True except (ValueError, cryptography.exceptions.InvalidSignature): return False
def from_string(cls, public_key): """Construct an Verifier instance from a public key or public certificate string. Args: public_key (Union[str, bytes]): The public key in PEM format or the x509 public key certificate. Returns: Verifier: The constructed verifier. Raises: ValueError: If the public_key can't be parsed. """ public_key = _helpers.to_bytes(public_key) is_x509_cert = _CERTIFICATE_MARKER in public_key # If this is a certificate, extract the public key info. if is_x509_cert: der = rsa.pem.load_pem(public_key, "CERTIFICATE") asn1_cert, remaining = decoder.decode(der, asn1Spec=Certificate()) if remaining != b"": raise ValueError("Unused bytes", remaining) cert_info = asn1_cert["tbsCertificate"]["subjectPublicKeyInfo"] key_bytes = _bit_list_to_bytes(cert_info["subjectPublicKey"]) pubkey = rsa.PublicKey.load_pkcs1(key_bytes, "DER") else: pubkey = rsa.PublicKey.load_pkcs1(public_key, "PEM") return cls(pubkey)
def from_string(cls, public_key): """Construct an Verifier instance from a public key or public certificate string. Args: public_key (Union[str, bytes]): The public key in PEM format or the x509 public key certificate. Returns: Verifier: The constructed verifier. Raises: ValueError: If the public key can't be parsed. """ public_key_data = _helpers.to_bytes(public_key) if _CERTIFICATE_MARKER in public_key_data: cert = cryptography.x509.load_pem_x509_certificate( public_key_data, _BACKEND ) pubkey = cert.public_key() else: pubkey = serialization.load_pem_public_key(public_key_data, _BACKEND) return cls(pubkey)
def sign(self, message): message = _helpers.to_bytes(message) asn1_signature = self._key.sign(message, ec.ECDSA(hashes.SHA256())) # Convert ASN1 encoded signature to (r||s) raw signature. (r, s) = decode_dss_signature(asn1_signature) return utils.int_to_bytes(r, 32) + utils.int_to_bytes(s, 32)
def _unverified_decode(token): """Decodes a token and does no verification. Args: token (Union[str, bytes]): The encoded JWT. Returns: Tuple[str, str, str, str]: header, payload, signed_section, and signature. Raises: ValueError: if there are an incorrect amount of segments in the token. """ token = _helpers.to_bytes(token) if token.count(b".") != 2: raise ValueError( "Wrong number of segments in token: {0}".format(token)) encoded_header, encoded_payload, signature = token.split(b".") signed_section = encoded_header + b"." + encoded_payload signature = _helpers.padded_urlsafe_b64decode(signature) # Parse segments header = _decode_jwt_segment(encoded_header) payload = _decode_jwt_segment(encoded_payload) return header, payload, signed_section, signature
def verify(self, message, signature): message = _helpers.to_bytes(message) try: self._pubkey.verify(signature, message, _PADDING, _SHA256) return True except (ValueError, cryptography.exceptions.InvalidSignature): return False
def from_string(cls, key, key_id=None): """Construct a RSASigner from a private key in PEM format. Args: key (Union[bytes, str]): Private key in PEM format. key_id (str): An optional key id used to identify the private key. Returns: google.auth.crypt._cryptography_rsa.RSASigner: The constructed signer. Raises: ValueError: If ``key`` is not ``bytes`` or ``str`` (unicode). UnicodeDecodeError: If ``key`` is ``bytes`` but cannot be decoded into a UTF-8 ``str``. ValueError: If ``cryptography`` "Could not deserialize key data." """ key = _helpers.to_bytes(key) private_key = serialization.load_pem_private_key( key, password=None, backend=_BACKEND ) return cls(private_key, key_id=key_id)
def verify(self, message, signature): message = _helpers.to_bytes(message) try: return rsa.pkcs1.verify(message, signature, self._pubkey) except (ValueError, rsa.pkcs1.VerificationError): return False
def sign(self, message): message = _helpers.to_bytes(message) return rsa.pkcs1.sign(message, self._key, "SHA-256")
def test_to_bytes_with_nonstring_type(): with pytest.raises(ValueError): _helpers.to_bytes(object())
def test_to_bytes_with_unicode(): value = u"string-val" encoded_value = b"string-val" assert _helpers.to_bytes(value) == encoded_value
def test_to_bytes_with_bytes(): value = b"bytes-val" assert _helpers.to_bytes(value) == value
def sign(self, message): message = _helpers.to_bytes(message) return self._key.sign(message, _PADDING, _SHA256)