def verifyCert(cert, signCert):
"""
Verifies that a certificate has been signed with another. Note that this
function only verifies the cryptographic signature and is probably wrong and
dangerous. Do not use it to verify certificates. This function only supports
ECDSA and RSA+PKCS1 signatures, all other signature types will fail.
:param cert: The certificate whose signature we want to verify as a
cryptography certificate object.
:param signCert: The certificate that was used to sign the first certificate
as a cryptography certificate object.
:return: True if the signature is a valid ECDSA signature, False otherwise.
"""
# FIXME: This is very likely wrong and we should find a better way to verify certs.
halg = cert.signature_hash_algorithm
sig = cert.signature
data = cert.tbs_certificate_bytes
pubKey = signCert.public_key()
alg = None
# We only support ECDSA and RSA+PKCS1
if isinstance(pubKey, ec.EllipticCurvePublicKey):
alg = ec.ECDSA(halg)
ver = pubKey.verifier(sig, alg)
elif isinstance(pubKey, rsa.RSAPublicKey):
pad = padding.PKCS1v15()
ver = pubKey.verifier(sig, pad, halg)
else:
return False
ver.update(data)
try:
ver.verify()
return True
except InvalidSignature as e:
return False
python类InvalidSignature()的实例源码
def _verify_single(self, token, verifying_key):
"""
Verify a compact-formatted JWT signed by a single key
Return True if authentic
Return False if not
"""
# grab the token parts
header, payload, raw_signature, signing_input = _unpack_token_compact(token)
# load the verifying key
verifying_key = load_verifying_key(verifying_key, self.crypto_backend)
# convert the raw_signature to DER format
der_signature = raw_to_der_signature(
raw_signature, verifying_key.curve)
# initialize the verifier
verifier = self._get_verifier(verifying_key, der_signature)
verifier.update(signing_input)
# check to see whether the signature is valid
try:
verifier.verify()
except InvalidSignature:
# raise DecodeError('Signature verification failed')
return False
return True
def verify(self, signature, msg):
"""
Verify whether a given signature is correct for a message.
:param signature: the given signature
:param msg: the given message
"""
length = len(signature) / 2
r = signature[:length]
# remove all "\x00" prefixes
while r and r[0] == "\x00":
r = r[1:]
# prepend "\x00" when the most significant bit is set
if ord(r[0]) & 128:
r = "\x00" + r
s = signature[length:]
# remove all "\x00" prefixes
while s and s[0] == "\x00":
s = s[1:]
# prepend "\x00" when the most significant bit is set
if ord(s[0]) & 128:
s = "\x00" + s
# turn back into int
r = int(hexlify(r), 16)
s = int(hexlify(s), 16)
# verify
try:
self.ec.verifier(encode_dss_signature(r, s), ec.ECDSA(hashes.SHA1()))
return True
except InvalidSignature:
return False
def __verify_signature(self, signature, signer_pk, content):
""" Verify RSASSA-PSS signature
@developer: vsmysle
:param signature: signature bytes to verify
:param signer_pk: instance of cryptography.hazmat.primitives.
rsa.RSAPublicKey that is a public key of a signer
:param content: content to verify a signature of
:return: bool verification result
"""
self.logger.debug("starting signature verification routine")
try:
signer_pk.verify(
signature,
content,
asym_padding.PSS(
mgf=asym_padding.MGF1(SHA1()),
salt_length=asym_padding.PSS.MAX_LENGTH
),
SHA1()
)
except InvalidSignature:
self.logger.warn("signature verification failed")
return False
self.logger.info("signature OK")
return True
def verify(self, msg, key, sig):
try:
key.verify(sig, msg, padding.PKCS1v15(), self.hash_alg())
return True
except InvalidSignature:
return False
def verify(self, msg, key, sig):
try:
der_sig = raw_to_der_signature(sig, key.curve)
except ValueError:
return False
try:
key.verify(der_sig, msg, ec.ECDSA(self.hash_alg()))
return True
except InvalidSignature:
return False
def verify(self, msg, key, sig):
try:
key.verify(
sig,
msg,
padding.PSS(
mgf=padding.MGF1(self.hash_alg()),
salt_length=self.hash_alg.digest_size
),
self.hash_alg()
)
return True
except InvalidSignature:
return False
def verify_ssh_sig(self, data, msg):
if len(msg.asbytes()) == 40:
# spies.com bug: signature has no header
sig = msg.asbytes()
else:
kind = msg.get_text()
if kind != 'ssh-dss':
return 0
sig = msg.get_binary()
# pull out (r, s) which are NOT encoded as mpints
sigR = util.inflate_long(sig[:20], 1)
sigS = util.inflate_long(sig[20:], 1)
signature = encode_dss_signature(sigR, sigS)
key = dsa.DSAPublicNumbers(
y=self.y,
parameter_numbers=dsa.DSAParameterNumbers(
p=self.p,
q=self.q,
g=self.g
)
).public_key(backend=default_backend())
verifier = key.verifier(signature, hashes.SHA1())
verifier.update(data)
try:
verifier.verify()
except InvalidSignature:
return False
else:
return True
def event_rsa(event_json):
"""Verifies the RSA signature of the provided event json.
Args:
event_json (dict): Event to validate.
"""
try:
rsa(util.expand_rsa_public_key(event_json['fleet_key']), event_json['signature'], util.concat_event(event_json))
except InvalidSignature:
raise Exception('Invalid RSA signature')
def verify(self, msg, sig, key=None):
if key is None:
key = self.key
try:
if isinstance(key, rsa.RSAPrivateKey):
key = key.public_key()
key.verify(sig, msg, PKCS1v15(), self.digest)
return True
except InvalidSignature:
return False
def validate(self, message):
"""Verify the signature of self RSA fulfillment.
The signature of self RSA fulfillment is verified against the
provided message and the condition's public modulus.
Args:
message (bytes): Message to verify.
Returns:
bool: Whether self fulfillment is valid.
"""
if not isinstance(message, bytes):
raise Exception(
'Message must be provided as bytes, was: ' + message)
public_numbers = RSAPublicNumbers(
PUBLIC_EXPONENT,
int.from_bytes(self.modulus, byteorder='big'),
)
public_key = public_numbers.public_key(default_backend())
verifier = public_key.verifier(
self.signature,
padding.PSS(
mgf=padding.MGF1(hashes.SHA256()),
salt_length=SALT_LENGTH,
),
hashes.SHA256()
)
verifier.update(message)
try:
verifier.verify()
except InvalidSignature as exc:
raise ValidationError('Invalid RSA signature') from exc
return True
def verify_ssh_sig(self, data, msg):
if len(msg.asbytes()) == 40:
# spies.com bug: signature has no header
sig = msg.asbytes()
else:
kind = msg.get_text()
if kind != 'ssh-dss':
return 0
sig = msg.get_binary()
# pull out (r, s) which are NOT encoded as mpints
sigR = paramiko.util.inflate_long(sig[:20], 1)
sigS = paramiko.util.inflate_long(sig[20:], 1)
signature = encode_dss_signature(sigR, sigS)
key = dsa.DSAPublicNumbers(
y=self.y,
parameter_numbers=dsa.DSAParameterNumbers(
p=self.p,
q=self.q,
g=self.g
)
).public_key(backend=default_backend())
verifier = key.verifier(signature, hashes.SHA1())
verifier.update(data)
try:
verifier.verify()
except InvalidSignature:
return False
else:
return True
def verify(self, message, signature, hash_algorithm=None):
if hash_algorithm is None:
hash_algorithm = hashes.SHA256()
padding_algorithm = padding.PKCS1v15()
try:
verifyer = self._value.verifier(signature, padding_algorithm,
hash_algorithm)
verifyer.update(message)
verifyer.verify()
return True
except exceptions.InvalidSignature as e:
pass
raise VerificationError(e)
def verify(self, msg, key, sig):
verifier = key.verifier(
sig,
padding.PKCS1v15(),
self.hash_alg()
)
verifier.update(msg)
try:
verifier.verify()
return True
except InvalidSignature:
return False
def verify(self, msg, key, sig):
try:
der_sig = raw_to_der_signature(sig, key.curve)
except ValueError:
return False
verifier = key.verifier(der_sig, ec.ECDSA(self.hash_alg()))
verifier.update(msg)
try:
verifier.verify()
return True
except InvalidSignature:
return False
def verify_ssh_sig(self, data, msg):
if len(msg.asbytes()) == 40:
# spies.com bug: signature has no header
sig = msg.asbytes()
else:
kind = msg.get_text()
if kind != 'ssh-dss':
return 0
sig = msg.get_binary()
# pull out (r, s) which are NOT encoded as mpints
sigR = util.inflate_long(sig[:20], 1)
sigS = util.inflate_long(sig[20:], 1)
signature = encode_dss_signature(sigR, sigS)
key = dsa.DSAPublicNumbers(
y=self.y,
parameter_numbers=dsa.DSAParameterNumbers(
p=self.p,
q=self.q,
g=self.g
)
).public_key(backend=default_backend())
verifier = key.verifier(signature, hashes.SHA1())
verifier.update(data)
try:
verifier.verify()
except InvalidSignature:
return False
else:
return True
def verify(self, caller: NodeId, signature: str, message: bytes, sender_id: NodeId) -> bool:
public_key = self._private_keys[sender_id].public_key()
try:
public_key.verify(
base64.b64decode(signature),
message,
padding.PSS(
mgf=padding.MGF1(hashes.SHA256()),
salt_length=padding.PSS.MAX_LENGTH
),
hashes.SHA256()
)
return True
except InvalidSignature:
return False
def verifyMac(self, data, checkMac):
try:
self.verifier(
checkMac,
data,
# PSS(
# mgf=MGF1(hashes.SHA256()),
# salt_length=PSS.MAX_LENGTH
# ),
PKCS1v15(),
hashes.SHA256()
)
return True
except InvalidSignature:
return False
test_signature_utils.py 文件源码
项目:Trusted-Platform-Module-nova
作者: BU-NU-CLOUD-SP16
项目源码
文件源码
阅读 27
收藏 0
点赞 0
评论 0
def test_verify_signature_bad_signature(self, mock_get_pub_key):
data = b'224626ae19824466f2a7f39ab7b80f7f'
mock_get_pub_key.return_value = TEST_RSA_PRIVATE_KEY.public_key()
img_sig_cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
verifier = signature_utils.get_verifier(None, img_sig_cert_uuid,
'SHA-256', 'BLAH',
signature_utils.RSA_PSS)
verifier.update(data)
self.assertRaises(crypto_exceptions.InvalidSignature,
verifier.verify)
def verify_ssh_sig(self, data, msg):
if len(msg.asbytes()) == 40:
# spies.com bug: signature has no header
sig = msg.asbytes()
else:
kind = msg.get_text()
if kind != 'ssh-dss':
return 0
sig = msg.get_binary()
# pull out (r, s) which are NOT encoded as mpints
sigR = util.inflate_long(sig[:20], 1)
sigS = util.inflate_long(sig[20:], 1)
signature = encode_dss_signature(sigR, sigS)
key = dsa.DSAPublicNumbers(
y=self.y,
parameter_numbers=dsa.DSAParameterNumbers(
p=self.p,
q=self.q,
g=self.g
)
).public_key(backend=default_backend())
verifier = key.verifier(signature, hashes.SHA1())
verifier.update(data)
try:
verifier.verify()
except InvalidSignature:
return False
else:
return True
