From 82b698a7823d5293a457b52a7d4774e6e513e70a Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sat, 29 Oct 2016 19:29:31 -0400 Subject: Mixed mode needs to support PKCS #1.5 DigestInfo for RSA. --- libhal.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libhal.py b/libhal.py index e02f1fa..41fb799 100644 --- a/libhal.py +++ b/libhal.py @@ -327,6 +327,14 @@ class LocalDigest(object): def finalize(self, length = None): return self._context.digest() + def finalize_padded(self, pkey): + if pkey.key_type not in (HAL_KEY_TYPE_RSA_PRIVATE, HAL_KEY_TYPE_RSA_PUBLIC): + return self.finalize() + # PKCS #1.5 requires the digest to be wrapped up in an ASN.1 DigestInfo object. + from Crypto.Util.asn1 import DerSequence, DerNull, DerOctetString + return DerSequence([DerSequence([self._context.oid, DerNull().encode()]).encode(), + DerOctetString(self.finalize()).encode()]).encode() + class PKey(Handle): @@ -557,7 +565,7 @@ class HSM(object): with self.rpc(RPC_FUNC_PKEY_FIND, session, uuid, flags, client = client) as r: return PKey(self, r.unpack_uint(), uuid) - def pkey_generate_rsa(self, keylen, exponent, flags = 0, client = 0, session = 0): + def pkey_generate_rsa(self, keylen, exponent = "\x01\x00\x01", flags = 0, client = 0, session = 0): with self.rpc(RPC_FUNC_PKEY_GENERATE_RSA, session, keylen, exponent, flags, client = client) as r: return PKey(self, r.unpack_uint(), UUID(bytes = r.unpack_bytes())) @@ -594,14 +602,14 @@ class HSM(object): def pkey_sign(self, pkey, hash = 0, data = "", length = 1024): assert not hash or not data if isinstance(hash, LocalDigest): - hash, data = 0, hash.finalize() + hash, data = 0, hash.finalize_padded(pkey) with self.rpc(RPC_FUNC_PKEY_SIGN, pkey, hash, data, length) as r: return r.unpack_bytes() def pkey_verify(self, pkey, hash = 0, data = "", signature = None): assert not hash or not data if isinstance(hash, LocalDigest): - hash, data = 0, hash.finalize() + hash, data = 0, hash.finalize_padded(pkey) with self.rpc(RPC_FUNC_PKEY_VERIFY, pkey, hash, data, signature): return -- cgit v1.2.3