ó õùPc@sÞdZddlmZdZddgZddlTejddkreejd d kreddlTndd l Z dd l m Z m Z m Z dd lmZddd „ƒYZd„Zd„Zd„Zd d d„Zd S(s‘RSA digital signature protocol with appendix according to PKCS#1 PSS. See RFC3447__ or the `original RSA Labs specification`__. This scheme is more properly called ``RSASSA-PSS``. For example, a sender may authenticate a message using SHA-1 and PSS like this: >>> from Crypto.Signature import PKCS1_PSS >>> from Crypto.Hash import SHA >>> from Crypto.PublicKey import RSA >>> from Crypto import Random >>> >>> message = 'To be signed' >>> key = RSA.importKey(open('privkey.der').read()) >>> h = SHA.new() >>> h.update(message) >>> signer = PKCS1_PSS.new(key) >>> signature = PKCS1_PSS.sign(key) At the receiver side, verification can be done like using the public part of the RSA key: >>> key = RSA.importKey(open('pubkey.der').read()) >>> h = SHA.new() >>> h.update(message) >>> verifier = PKCS1_PSS.new(key) >>> if verifier.verify(h, signature): >>> print "The signature is authentic." >>> else: >>> print "The signature is not authentic." :undocumented: __revision__, __package__ .. __: http://www.ietf.org/rfc/rfc3447.txt .. __: http://www.rsa.com/rsalabs/node.asp?id=2125 iÿÿÿÿ(t nested_scopess$Id$tnewt PSS_SigScheme(t*iiiN(t ceil_shifttceil_divt long_to_bytes(tstrxorcBs2eZdZd„Zd„Zd„Zd„ZRS(sKThis signature scheme can perform PKCS#1 PSS RSA signature or verification.cCs||_||_||_dS(s!Initialize this PKCS#1 PSS signature scheme object. :Parameters: key : an RSA key object If a private half is given, both signature and verification are possible. If a public half is given, only verification is possible. mgfunc : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. saltLen : int Length of the salt, in bytes. N(t_keyt_saltLent_mgfunc(tselftkeytmgfunctsaltLen((s5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pyt__init__Os  cCs |jjƒS(sCReturn True if this cipher object can be used for signing messages.(Rt has_private(R ((s5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pytcan_sign`sc sÎ|jj}|jdkr'ˆj}n |j}|jrE|j}n‡fd†}tjjj |jj ƒ}t |dƒ}t ˆ|d|||ƒ}|jj |ƒ}tdƒ|t|ƒ|} | S(sBProduce the PKCS#1 PSS signature of a message. This function is named ``RSASSA-PSS-SIGN``, and is specified in section 8.1.1 of RFC3447. :Parameters: mhash : hash object The hash that was carried out over the message. This is an object belonging to the `Crypto.Hash` module. :Return: The PSS signature encoded as a string. :Raise ValueError: If the RSA key length is not sufficiently long to deal with the given hash algorithm. :Raise TypeError: If the RSA key has no private half. :attention: Modify the salt length and the mask generation function only if you know what you are doing. The receiver must use the same parameters too. cst||ˆƒS(N(tMGF1(txty(tmhash(s5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pyt†siiiN(Rt _randfuncR tNonet digest_sizeR tCryptotUtiltnumbertsizetnRtEMSA_PSS_ENCODEtdecrypttbchrtlen( R RtrandfunctsLentmgftmodBitstktemtmtS((Rs5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pytsignds     c s |jdkrˆj}n |j}|jr9|j}n‡fd†}tjjj|jj ƒ}t |dƒ}t |ƒ|krˆt S|jj |dƒd}t |ddƒ}tdƒ|t |ƒ|}y tˆ||d||ƒ} Wntk rt SX| S(sVerify that a certain PKCS#1 PSS signature is authentic. This function checks if the party holding the private half of the given RSA key has really signed the message. This function is called ``RSASSA-PSS-VERIFY``, and is specified in section 8.1.2 of RFC3447. :Parameters: mhash : hash object The hash that was carried out over the message. This is an object belonging to the `Crypto.Hash` module. S : string The signature that needs to be validated. :Return: True if verification is correct. False otherwise. cst||ˆƒS(N(R(RR(R(s5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pyR°siiiN(R RRR RRRRRRRR"tFalsetencryptR!tEMSA_PSS_VERIFYt ValueError( R RR*R$R%R&R'R(temLentresult((Rs5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pytverify”s$      (t__name__t __module__t__doc__RRR+R2(((s5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pyRLs    0cCs{tdƒ}xLtt||jƒƒD]2}t|dƒ}||j||ƒjƒ}q%Wt|ƒ|ksst‚|| S(s,Mask Generation Function, described in B.2.1ti( tbtxrangeRRRRtdigestR"tAssertionError(tmgfSeedtmaskLenthashtTtcountertc((s5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pyRÉs  !cCsYt|dƒ}d}x*td||ƒD]}|d?dB}q*W||j|dkrhtdƒ‚ntdƒ}|r•|dkr•||ƒ}n|jtdƒd|jƒ|ƒ} tdƒ|||jdtdƒ|} || jƒ||jdƒ} t| | ƒ} tt | dƒ|@ƒ| d} | | jƒtdƒ} | S( s% Implement the ``EMSA-PSS-ENCODE`` function, as defined in PKCS#1 v2.1 (RFC3447, 9.1.1). The original ``EMSA-PSS-ENCODE`` actually accepts the message ``M`` as input, and hash it internally. Here, we expect that the message has already been hashed instead. :Parameters: mhash : hash object The hash object that holds the digest of the message being signed. emBits : int Maximum length of the final encoding, in bits. randFunc : callable An RNG function that accepts as only parameter an int, and returns a string of random bytes, to be used as salt. mgf : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. sLen : int Length of the salt, in bytes. :Return: An ``emLen`` byte long string that encodes the hash (with ``emLen = \ceil(emBits/8)``). :Raise ValueError: When digest or salt length are too big. iiii€is6Digest or salt length are too long for given key size.R6i¼( RR8RR/R7RR!R9Rtbord(RtemBitstrandFuncR%R$R0tlmasktitsaltthtdbtdbMasktmaskedDBR(((s5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pyRÒs  '- #cCsŸt|dƒ}d}x*td||ƒD]}|d?dB}q*W||j|dkr]tSt|dƒdkrwtS|||jd }|||jdd!} |t|dƒ@r¼tS|| ||jdƒ} t|| ƒ} tt| dƒ|@ƒ| d} | jtdƒ||j|dtdƒƒs>tSt dƒ} |r^| | } n|j tdƒd|j ƒ| ƒj ƒ} | | kr›tSt S( sÜ Implement the ``EMSA-PSS-VERIFY`` function, as defined in PKCS#1 v2.1 (RFC3447, 9.1.2). ``EMSA-PSS-VERIFY`` actually accepts the message ``M`` as input, and hash it internally. Here, we expect that the message has already been hashed instead. :Parameters: mhash : hash object The hash object that holds the digest of the message to be verified. em : string The signature to verify, therefore proving that the sender really signed the message that was received. emBits : int Length of the final encoding (em), in bits. mgf : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. sLen : int Length of the salt, in bytes. :Return: 0 if the encoding is consistent, 1 if it is inconsistent. :Raise ValueError: When digest or salt length are too big. iiii€iiÿÿÿÿi¼R6( RR8RR,tordRARR!t startswithR7RR9tTrue(RR(RBR%R$R0RDRERJRGRIRHRFthp((s5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pyR. s0#2 - cCst|||ƒS(sªReturn a signature scheme object `PSS_SigScheme` that can be used to perform PKCS#1 PSS signature or verification. :Parameters: key : RSA key object The key to use to sign or verify the message. This is a `Crypto.PublicKey.RSA` object. Signing is only possible if *key* is a private RSA key. mgfunc : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. If not specified, the standard MGF1 is used. saltLen : int Length of the salt, in bytes. If not specified, it matches the output size of the hash function. (R(R R R((s5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pyRQs((R5t __future__Rt __revision__t__all__tCrypto.Util.py3compattsyst version_infotCrypto.Util.py21compattCrypto.Util.numberRRRRtCrypto.Util.strxorRRRRR.RR(((s5..\python\site-packages\Crypto\Signature\PKCS1_PSS.pyt<s  &  } ; D