PSS RSA verification

• 

  Dipak Nile

  August 16, 2022 08:17

  Hi Roee,
  Here is the sample code to generate the RSA-SSS mode signature & verification using SDKMS.
  
  #!/usr/bin/python
  
  
  import argparse
  import base64
  import os
  import sys
  import sdkms
  import json
  import hashlib
  
  import sdkms.v1
  
  
  from sdkms.v1.models.object_type import ObjectType
  from sdkms.v1.models.digest_algorithm import DigestAlgorithm
  from sdkms.v1.models.signature_mode import SignatureMode
  from sdkms.v1.models.mgf import Mgf
  from sdkms.v1.models.mgf_mgf1 import MgfMgf1
  from sdkms.v1.models.rsa_signature_padding_pss import RsaSignaturePaddingPSS
  
  DEFAULT_API_ENDPOINT = "https://apps.smartkey.io"
  
  ca_certificate = None
  
  # Global API instance dict.
  api_instances = {}
  
  # Unique ID to append to key names to make sure they're unique.
  my_unique_id = base64.b64encode(bytearray(os.urandom(16))).decode('ascii')
  
  # Global set of keys created by the test, will be cleaned up automatically.
  keys = []
  
  iv = bytearray(os.urandom(16))
  plain = bytearray("Fortanix".encode('utf-8'))
  
  def print_debug(*args, **kwargs):
      if cl_args.debug:
          print(*args, **kwargs)
  
  def get_api_instance(name):
      return api_instances[name]
  
  def parse_arguments():
      parser = argparse.ArgumentParser(description='SDKMS API perf/stress test')
  
      # This construction allows us to use the API endpoint if it's specified
      # on the command-line, then use the environment variable if it's set,
      # then use the program-default endpoint if neither is set.
      parser.add_argument('--api-endpoint',
                          default=os.getenv('FORTANIX_API_ENDPOINT',
                                            DEFAULT_API_ENDPOINT))
  
      parser.add_argument('--api-key',
                          default=os.getenv('FORTANIX_API_KEY', None))
      parser.add_argument('--debug', default=False, action='store_true',
                          help='enable debug logging')
      parser.add_argument('--no-verify-ssl', default=True, action='store_false',
                          dest='verify_ssl',
                          help='Disables SSL verification. Useful for '
                          'locally running SDKMS')
      parser.add_argument('--ca-certificate', help='Set the CA certificate to be'
                          'used for the TLS root of trust')
  
      global cl_args
      cl_args = parser.parse_args()
  
      if cl_args.api_key is None:
          print('No API key specified.')
          print('Please specify an API key via the --api-key option or '
                'FORTANIX_API_KEY')
          print('environment variable')
          exit(1)
  
      global ca_certificate
      if cl_args.ca_certificate:
          ca_certificate = cl_args.ca_certificate
  
  def initialize_api_clients():
      # TODO: We should have a separate auth endpoint for API keys, so we
      # don't need to do this parsing in the client code.
      api_key = base64.b64decode(cl_args.api_key).decode('ascii')
      print_debug('Using API key {}'.format(api_key))
      parts = api_key.split(':')
      if len(parts) != 2:
          print('Invalid API key provided')
          exit(1)
  
      config = sdkms.v1.configuration.Configuration()
      config.username = parts[0]
      config.password = parts[1]
      config.debug = cl_args.debug
      if ca_certificate:
          config.ssl_ca_cert = ca_certificate
  
      print_debug('API key components: {} {}'.format(config.username,
                                                     config.password))
  
      config.verify_ssl = cl_args.verify_ssl
  
      print_debug('Using API endpoint {}'.format(cl_args.api_endpoint))
      config.host = cl_args.api_endpoint
  
      client = sdkms.v1.ApiClient(configuration=config)
  
      client.configuration.debug = True
  
      auth_instance = sdkms.v1.AuthenticationApi(api_client=client)
      auth = auth_instance.authorize()
      print_debug(auth)
  
      # The swagger interface calls this type of authorization an 'apiKey'.
      # This is not related to the SDKMS notion of an API key. The swagger
      # apiKey is our auth token.
      config.api_key['Authorization'] = auth.access_token
      config.api_key_prefix['Authorization'] = 'Bearer'
  
      api_instances['auth'] = auth_instance
      api_instances['sobjects'] = sdkms.v1.SecurityObjectsApi(
          api_client=client)
      api_instances['crypto'] = sdkms.v1.EncryptionAndDecryptionApi(
          api_client=client)
      api_instances['signverify'] = sdkms.v1.SignAndVerifyApi(
          api_client=client)
      api_instances['digest'] = sdkms.v1.DigestApi(api_client=client)
      api_instances['sobjects'] = sdkms.v1.SecurityObjectsApi(
          api_client=client)
  
  def create_key(key_type, size, elliptic_curve=None):
      keynum = len(keys)
      request = sdkms.v1.SobjectRequest(
          name='basic-test-key-{}-{}-{}-{}'.format(my_unique_id, key_type.value, size, keynum),
          description='Generated by automatic test instance {}-{}'.format(
              my_unique_id, keynum),
          key_size=size, obj_type=key_type, elliptic_curve=elliptic_curve)
      kid = get_api_instance('sobjects').generate_security_object(request).kid
      # In addition to returning the kid, we put the key on the list of test
      # keys, so we can clean up the keys later.
      keys.append(kid)
      return kid
  
  def delete_key(kid):
      get_api_instance('sobjects').delete_security_object(kid)
  
  def get_key_id():
      api_key=get_api_instance('sobjects').get_security_objects(name='aeskey')[0].kid
      print(api_key)
  
  def delete_test_keys():
      # Deletes the keys that were generated during this test.
      for kid in keys:
          delete_key(kid)
  
  def support_crypto(object_type):
      if object_type in [ObjectType.RSA, ObjectType.AES, ObjectType.DES3, ObjectType.DES]:
          return True
      return False
  
  def support_sign_verify(object_type):
      if object_type in [ObjectType.RSA, ObjectType.EC]:
          return True
      return False
  
  def run_tests():
          #using existing key
          my_kid='87c2c3a4-5c68-46fb-8300-b4b641e96b79'
          #to create ne key
          #my_kid=create_key(ObjectType.RSA, 2048)
          mgf1 = MgfMgf1(hash=DigestAlgorithm("SHA1"))
          hashlibdigest=hashlib.sha256(plain)
          mgf = Mgf(mgf1=mgf1)
          pss = RsaSignaturePaddingPSS(mgf=mgf)
          mode = SignatureMode(pss=pss)
          print(".......Hashlib Digest Generated {}".format(bytearray(hashlibdigest.digest())))
          print(".......Hashlib Digest Generated {}".format(hashlibdigest.digest().hex()))
          print(".......Hashlib Digest Generated {}".format(base64.b64encode(hashlibdigest.digest())))
          sign_request = sdkms.v1.SignRequest(hash_alg=DigestAlgorithm.SHA256, hash=bytearray(hashlibdigest.digest()),mode=mode)
          sign_result = get_api_instance('signverify').sign(my_kid, sign_request)
          print(".......Signature {}".format(sign_result.signature.hex()))
  
  
          #verification
          hashlibdigest = hashlib.sha256(plain)
          #print(".......Hashlib Digest Generated {}".format(bytearray(hashlibdigest.digest())))
          verify_request = sdkms.v1.VerifyRequest(hash_alg=DigestAlgorithm.SHA256, hash=bytearray(hashlibdigest.digest()),
                                                  signature=sign_result.signature,mode=mode)
          verify_result = get_api_instance('signverify').verify(my_kid, verify_request)
  
          if verify_result.result:
              print("DSM verified signature successfully")
          else:
              print("Signature verification failed from DSM")
  
  
  if __name__ == '__main__':
      parse_arguments()
      initialize_api_clients()
  
      try:
          run_tests()
  
      finally:
          delete_test_keys()

  0

Please sign in to leave a comment.