Merge pull request #636 from reaperhulk/rsa-signature-loader
Expand PKCS1 loader to load PKCS1 v1.5 and PSS signature examples
diff --git a/cryptography/hazmat/backends/interfaces.py b/cryptography/hazmat/backends/interfaces.py
index b867f26..a543ba1 100644
--- a/cryptography/hazmat/backends/interfaces.py
+++ b/cryptography/hazmat/backends/interfaces.py
@@ -90,3 +90,18 @@
Generate an RSAPrivateKey instance with public_exponent and a modulus
of key_size bits.
"""
+
+ @abc.abstractmethod
+ def create_rsa_signature_ctx(self, private_key, padding, algorithm):
+ """
+ Returns an object conforming to the AsymmetricSignatureContext
+ interface.
+ """
+
+ @abc.abstractmethod
+ def create_rsa_verification_ctx(self, public_key, signature, padding,
+ algorithm):
+ """
+ Returns an object conforming to the AsymmetricVerificationContext
+ interface.
+ """
diff --git a/cryptography/hazmat/bindings/openssl/rsa.py b/cryptography/hazmat/bindings/openssl/rsa.py
index b6f7d04..359305c 100644
--- a/cryptography/hazmat/bindings/openssl/rsa.py
+++ b/cryptography/hazmat/bindings/openssl/rsa.py
@@ -33,7 +33,10 @@
static const int RSA_NO_PADDING;
static const int RSA_PKCS1_OAEP_PADDING;
static const int RSA_X931_PADDING;
+static const int RSA_PKCS1_PSS_PADDING;
static const int RSA_F4;
+
+static const int Cryptography_HAS_PSS_PADDING;
"""
FUNCTIONS = """
@@ -70,10 +73,14 @@
"""
CUSTOMIZATIONS = """
-#if OPENSSL_VERSION_NUMBER < 0x10000000
+#if OPENSSL_VERSION_NUMBER >= 0x10000000
+static const long Cryptography_HAS_PSS_PADDING = 1;
+#else
// see evp.py for the definition of Cryptography_HAS_PKEY_CTX
+static const long Cryptography_HAS_PSS_PADDING = 0;
int (*EVP_PKEY_CTX_set_rsa_padding)(EVP_PKEY_CTX *, int) = NULL;
int (*EVP_PKEY_CTX_set_rsa_pss_saltlen)(EVP_PKEY_CTX *, int) = NULL;
+static const long RSA_PKCS1_PSS_PADDING = 0;
#endif
"""
@@ -81,5 +88,8 @@
"Cryptography_HAS_PKEY_CTX": [
"EVP_PKEY_CTX_set_rsa_padding",
"EVP_PKEY_CTX_set_rsa_pss_saltlen",
- ]
+ ],
+ "Cryptography_HAS_PSS_PADDING": [
+ "RSA_PKCS1_PSS_PADDING",
+ ],
}
diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py
index 5ef469d..1169616 100644
--- a/cryptography/hazmat/primitives/interfaces.py
+++ b/cryptography/hazmat/primitives/interfaces.py
@@ -287,6 +287,43 @@
"""
+class AsymmetricSignatureContext(six.with_metaclass(abc.ABCMeta)):
+ @abc.abstractmethod
+ def update(self, data):
+ """
+ Processes the provided bytes and returns nothing.
+ """
+
+ @abc.abstractmethod
+ def finalize(self):
+ """
+ Returns the signature as bytes.
+ """
+
+
+class AsymmetricVerificationContext(six.with_metaclass(abc.ABCMeta)):
+ @abc.abstractmethod
+ def update(self, data):
+ """
+ Processes the provided bytes and returns nothing.
+ """
+
+ @abc.abstractmethod
+ def verify(self):
+ """
+ Raises an exception if the bytes provided to update do not match the
+ signature or the signature does not match the public key.
+ """
+
+
+class AsymmetricPadding(six.with_metaclass(abc.ABCMeta)):
+ @abc.abstractproperty
+ def name(self):
+ """
+ A string naming this padding (e.g. "PSS", "PKCS1").
+ """
+
+
class KeyDerivationFunction(six.with_metaclass(abc.ABCMeta)):
@abc.abstractmethod
def derive(self, key_material):
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 97b5c34..f47f08d 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -58,6 +58,12 @@
* CAST5 (CBC, CFB, OFB) generated by this project.
See: :doc:`/development/custom-vectors/cast5`
+Two Factor Authentication
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* HOTP from :rfc:`4226`
+* TOTP from :rfc:`6238` (Note that an `errata`_ for the test vectors in RFC 6238 exists)
+
Creating Test Vectors
---------------------
@@ -93,3 +99,4 @@
.. _`RIPEMD website`: http://homes.esat.kuleuven.be/~bosselae/ripemd160.html
.. _`Whirlpool website`: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
.. _`Specification repository`: https://github.com/fernet/spec
+.. _`errata`: http://www.rfc-editor.org/errata_search.php?rfc=6238
diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index e6bf8f6..bd38ed5 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -212,3 +212,39 @@
provider.
:raises ValueError: If the public_exponent is not valid.
+
+ .. method:: create_rsa_signature_ctx(private_key, padding, algorithm)
+
+ :param private_key: An instance of an
+ :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey`
+ provider.
+
+ :param padding: An instance of an
+ :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
+ provider.
+
+ :param algorithm: An instance of a
+ :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
+ provider.
+
+ :returns:
+ :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricSignatureContext`
+
+ .. method:: create_rsa_verification_ctx(public_key, signature, padding, algorithm)
+
+ :param public_key: An instance of a
+ :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey`
+ provider.
+
+ :param bytes signature: The signature to verify.
+
+ :param padding: An instance of an
+ :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
+ provider.
+
+ :param algorithm: An instance of a
+ :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
+ provider.
+
+ :returns:
+ :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricVerificationContext`
diff --git a/docs/hazmat/primitives/interfaces.rst b/docs/hazmat/primitives/interfaces.rst
index df17e59..5be3dd9 100644
--- a/docs/hazmat/primitives/interfaces.rst
+++ b/docs/hazmat/primitives/interfaces.rst
@@ -231,6 +231,39 @@
The public exponent. Alias for :attr:`public_exponent`.
+.. class:: AsymmetricSignatureContext
+
+ .. versionadded:: 0.2
+
+ .. method:: update(data)
+
+ :param bytes data: The data you want to sign.
+
+ .. method:: finalize()
+
+ :return bytes signature: The signature.
+
+
+.. class:: AsymmetricVerificationContext
+
+ .. versionadded:: 0.2
+
+ .. method:: update(data)
+
+ :param bytes data: The data you wish to verify using the signature.
+
+ .. method:: verify()
+
+ :raises cryptography.exceptions.InvalidSignature: If signature does not
+ validate.
+
+
+.. class:: AsymmetricPadding
+
+ .. versionadded:: 0.2
+
+ .. attribute:: name
+
Hash Algorithms
~~~~~~~~~~~~~~~
diff --git a/tests/hazmat/primitives/vectors/oath/rfc-4226.txt b/tests/hazmat/primitives/vectors/twofactor/rfc-4226.txt
similarity index 100%
rename from tests/hazmat/primitives/vectors/oath/rfc-4226.txt
rename to tests/hazmat/primitives/vectors/twofactor/rfc-4226.txt
diff --git a/tests/hazmat/primitives/vectors/oath/rfc-6238.txt b/tests/hazmat/primitives/vectors/twofactor/rfc-6238.txt
similarity index 64%
rename from tests/hazmat/primitives/vectors/oath/rfc-6238.txt
rename to tests/hazmat/primitives/vectors/twofactor/rfc-6238.txt
index cc20995..5a47326 100644
--- a/tests/hazmat/primitives/vectors/oath/rfc-6238.txt
+++ b/tests/hazmat/primitives/vectors/twofactor/rfc-6238.txt
@@ -11,13 +11,13 @@
TIME = 59
TOTP = 46119246
MODE = SHA256
-SECRET = 12345678901234567890
+SECRET = 12345678901234567890123456789012
COUNT = 2
TIME = 59
TOTP = 90693936
MODE = SHA512
-SECRET = 12345678901234567890
+SECRET = 1234567890123456789012345678901234567890123456789012345678901234
COUNT = 3
TIME = 1111111109
@@ -29,13 +29,13 @@
TIME = 1111111109
TOTP = 68084774
MODE = SHA256
-SECRET = 12345678901234567890
+SECRET = 12345678901234567890123456789012
COUNT = 5
TIME = 1111111109
TOTP = 25091201
MODE = SHA512
-SECRET = 12345678901234567890
+SECRET = 1234567890123456789012345678901234567890123456789012345678901234
COUNT = 6
TIME = 1111111111
@@ -47,13 +47,13 @@
TIME = 1111111111
TOTP = 67062674
MODE = SHA256
-SECRET = 12345678901234567890
+SECRET = 12345678901234567890123456789012
COUNT = 8
TIME = 1111111111
TOTP = 99943326
MODE = SHA512
-SECRET = 12345678901234567890
+SECRET = 1234567890123456789012345678901234567890123456789012345678901234
COUNT = 9
TIME = 1234567890
@@ -65,13 +65,13 @@
TIME = 1234567890
TOTP = 91819424
MODE = SHA256
-SECRET = 12345678901234567890
+SECRET = 12345678901234567890123456789012
COUNT = 11
TIME = 1234567890
TOTP = 93441116
MODE = SHA512
-SECRET = 12345678901234567890
+SECRET = 1234567890123456789012345678901234567890123456789012345678901234
COUNT = 12
TIME = 2000000000
@@ -83,13 +83,13 @@
TIME = 2000000000
TOTP = 90698825
MODE = SHA256
-SECRET = 12345678901234567890
+SECRET = 12345678901234567890123456789012
COUNT = 14
TIME = 2000000000
TOTP = 38618901
MODE = SHA512
-SECRET = 12345678901234567890
+SECRET = 1234567890123456789012345678901234567890123456789012345678901234
COUNT = 15
TIME = 20000000000
@@ -101,10 +101,10 @@
TIME = 20000000000
TOTP = 77737706
MODE = SHA256
-SECRET = 12345678901234567890
+SECRET = 12345678901234567890123456789012
COUNT = 17
TIME = 20000000000
TOTP = 47863826
MODE = SHA512
-SECRET = 12345678901234567890
+SECRET = 1234567890123456789012345678901234567890123456789012345678901234