PSS RSA verification

0

hi all can you provide a source code to verify a RSA-PSS signature using the skdms

Comments

1 comment
  • Hi Roee,
    Here is the sample code to generate the RSA-SSS mode signature & verification using SDKMS.

    #!/usr/bin/python


    import argparse
    import base64
    import os
    import sys
    import sdkms
    import json
    import hashlib

    import sdkms.v1


    from sdkms.v1.models.object_type import ObjectType
    from sdkms.v1.models.digest_algorithm import DigestAlgorithm
    from sdkms.v1.models.signature_mode import SignatureMode
    from sdkms.v1.models.mgf import Mgf
    from sdkms.v1.models.mgf_mgf1 import MgfMgf1
    from sdkms.v1.models.rsa_signature_padding_pss import RsaSignaturePaddingPSS

    DEFAULT_API_ENDPOINT = "https://apps.smartkey.io"

    ca_certificate = None

    # Global API instance dict.
    api_instances = {}

    # Unique ID to append to key names to make sure they're unique.
    my_unique_id = base64.b64encode(bytearray(os.urandom(16))).decode('ascii')

    # Global set of keys created by the test, will be cleaned up automatically.
    keys = []

    iv = bytearray(os.urandom(16))
    plain = bytearray("Fortanix".encode('utf-8'))

    def print_debug(*args, **kwargs):
    if cl_args.debug:
    print(*args, **kwargs)

    def get_api_instance(name):
    return api_instances[name]

    def parse_arguments():
    parser = argparse.ArgumentParser(description='SDKMS API perf/stress test')

    # This construction allows us to use the API endpoint if it's specified
    # on the command-line, then use the environment variable if it's set,
    # then use the program-default endpoint if neither is set.
    parser.add_argument('--api-endpoint',
    default=os.getenv('FORTANIX_API_ENDPOINT',
    DEFAULT_API_ENDPOINT))

    parser.add_argument('--api-key',
    default=os.getenv('FORTANIX_API_KEY', None))
    parser.add_argument('--debug', default=False, action='store_true',
    help='enable debug logging')
    parser.add_argument('--no-verify-ssl', default=True, action='store_false',
    dest='verify_ssl',
    help='Disables SSL verification. Useful for '
    'locally running SDKMS')
    parser.add_argument('--ca-certificate', help='Set the CA certificate to be'
    'used for the TLS root of trust')

    global cl_args
    cl_args = parser.parse_args()

    if cl_args.api_key is None:
    print('No API key specified.')
    print('Please specify an API key via the --api-key option or '
    'FORTANIX_API_KEY')
    print('environment variable')
    exit(1)

    global ca_certificate
    if cl_args.ca_certificate:
    ca_certificate = cl_args.ca_certificate

    def initialize_api_clients():
    # TODO: We should have a separate auth endpoint for API keys, so we
    # don't need to do this parsing in the client code.
    api_key = base64.b64decode(cl_args.api_key).decode('ascii')
    print_debug('Using API key {}'.format(api_key))
    parts = api_key.split(':')
    if len(parts) != 2:
    print('Invalid API key provided')
    exit(1)

    config = sdkms.v1.configuration.Configuration()
    config.username = parts[0]
    config.password = parts[1]
    config.debug = cl_args.debug
    if ca_certificate:
    config.ssl_ca_cert = ca_certificate

    print_debug('API key components: {} {}'.format(config.username,
    config.password))

    config.verify_ssl = cl_args.verify_ssl

    print_debug('Using API endpoint {}'.format(cl_args.api_endpoint))
    config.host = cl_args.api_endpoint

    client = sdkms.v1.ApiClient(configuration=config)

    client.configuration.debug = True

    auth_instance = sdkms.v1.AuthenticationApi(api_client=client)
    auth = auth_instance.authorize()
    print_debug(auth)

    # The swagger interface calls this type of authorization an 'apiKey'.
    # This is not related to the SDKMS notion of an API key. The swagger
    # apiKey is our auth token.
    config.api_key['Authorization'] = auth.access_token
    config.api_key_prefix['Authorization'] = 'Bearer'

    api_instances['auth'] = auth_instance
    api_instances['sobjects'] = sdkms.v1.SecurityObjectsApi(
    api_client=client)
    api_instances['crypto'] = sdkms.v1.EncryptionAndDecryptionApi(
    api_client=client)
    api_instances['signverify'] = sdkms.v1.SignAndVerifyApi(
    api_client=client)
    api_instances['digest'] = sdkms.v1.DigestApi(api_client=client)
    api_instances['sobjects'] = sdkms.v1.SecurityObjectsApi(
    api_client=client)

    def create_key(key_type, size, elliptic_curve=None):
    keynum = len(keys)
    request = sdkms.v1.SobjectRequest(
    name='basic-test-key-{}-{}-{}-{}'.format(my_unique_id, key_type.value, size, keynum),
    description='Generated by automatic test instance {}-{}'.format(
    my_unique_id, keynum),
    key_size=size, obj_type=key_type, elliptic_curve=elliptic_curve)
    kid = get_api_instance('sobjects').generate_security_object(request).kid
    # In addition to returning the kid, we put the key on the list of test
    # keys, so we can clean up the keys later.
    keys.append(kid)
    return kid

    def delete_key(kid):
    get_api_instance('sobjects').delete_security_object(kid)

    def get_key_id():
    api_key=get_api_instance('sobjects').get_security_objects(name='aeskey')[0].kid
    print(api_key)

    def delete_test_keys():
    # Deletes the keys that were generated during this test.
    for kid in keys:
    delete_key(kid)

    def support_crypto(object_type):
    if object_type in [ObjectType.RSA, ObjectType.AES, ObjectType.DES3, ObjectType.DES]:
    return True
    return False

    def support_sign_verify(object_type):
    if object_type in [ObjectType.RSA, ObjectType.EC]:
    return True
    return False

    def run_tests():
    #using existing key
    my_kid='87c2c3a4-5c68-46fb-8300-b4b641e96b79'
    #to create ne key
    #my_kid=create_key(ObjectType.RSA, 2048)
    mgf1 = MgfMgf1(hash=DigestAlgorithm("SHA1"))
    hashlibdigest=hashlib.sha256(plain)
    mgf = Mgf(mgf1=mgf1)
    pss = RsaSignaturePaddingPSS(mgf=mgf)
    mode = SignatureMode(pss=pss)
    print(".......Hashlib Digest Generated {}".format(bytearray(hashlibdigest.digest())))
    print(".......Hashlib Digest Generated {}".format(hashlibdigest.digest().hex()))
    print(".......Hashlib Digest Generated {}".format(base64.b64encode(hashlibdigest.digest())))
    sign_request = sdkms.v1.SignRequest(hash_alg=DigestAlgorithm.SHA256, hash=bytearray(hashlibdigest.digest()),mode=mode)
    sign_result = get_api_instance('signverify').sign(my_kid, sign_request)
    print(".......Signature {}".format(sign_result.signature.hex()))


    #verification
    hashlibdigest = hashlib.sha256(plain)
    #print(".......Hashlib Digest Generated {}".format(bytearray(hashlibdigest.digest())))
    verify_request = sdkms.v1.VerifyRequest(hash_alg=DigestAlgorithm.SHA256, hash=bytearray(hashlibdigest.digest()),
    signature=sign_result.signature,mode=mode)
    verify_result = get_api_instance('signverify').verify(my_kid, verify_request)

    if verify_result.result:
    print("DSM verified signature successfully")
    else:
    print("Signature verification failed from DSM")


    if __name__ == '__main__':
    parse_arguments()
    initialize_api_clients()

    try:
    run_tests()

    finally:
    delete_test_keys()
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post