author | Hristo Venev <hristo@venev.name> | 2022-05-16 21:40:16 +0300 |
committer | Hristo Venev <hristo@venev.name> | 2022-05-16 21:40:16 +0300 |
commit | 66b975426601138cef52fc511d5a5e49e9fd70e0 (patch) | |
tree | 7fcbb1c90dbc198682f9b1a2cee94df3440824a6 | |
parent | 861044a44a5d01b30c9ff34e21bb47324e484bb6 (diff) |
Fix signing
When a hash is included in `--mechanism`, we shouldn't hash the
document. Otherwise, with `--mechanism RSA-PKCS`, we need to prepend the
identifier of the hash function we used.
-rw-r--r-- | rebiss.py | 29 |
1 files changed, 22 insertions, 7 deletions
@@ -16,17 +16,22 @@ import OpenSSL.crypto as cr class HashAlg: - __slots__ = ('len', 'hashlib_name', 'mech') + __slots__ = ('len', 'hashlib_name', 'mech', 'ident') - def __init__(self, len, hashlib_name, mech): + def __init__(self, len, hashlib_name, mech, ident): self.len = len self.hashlib_name = hashlib_name self.mech = mech + self.ident = ident + +# TODO: autodetect? +USE_RSA_PKCS = True HASH_ALG = { - 'SHA256': HashAlg(32, 'sha256', 'SHA256-RSA-PKCS'), - 'SHA384': HashAlg(48, 'sha384', 'SHA384-RSA-PKCS'), - 'SHA512': HashAlg(64, 'sha512', 'SHA512-RSA-PKCS'), + 'SHA1': HashAlg(20, 'sha1', 'SHA1-RSA-PKCS', b'\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14'), + 'SHA256': HashAlg(32, 'sha256', 'SHA256-RSA-PKCS', b'\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20'), + 'SHA384': HashAlg(48, 'sha384', 'SHA384-RSA-PKCS', b'\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30'), + 'SHA512': HashAlg(64, 'sha512', 'SHA512-RSA-PKCS', b'\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40'), } @@ -54,12 +59,22 @@ def pkcs11_list(): return certs def pkcs11_sign(key, msg, hash_alg, pin): - hash_val = hashlib.new(hash_alg.hashlib_name, msg).digest() + if USE_RSA_PKCS: + mech = 'RSA-PKCS' + msg = hash_alg.ident + hashlib.new(hash_alg.hashlib_name, msg).digest() + else: + mech = hash_alg.mech reader,kid = key env = os.environ.copy() env['PIN'] = pin - proc = subprocess.run(['pkcs11-tool', '--slot', reader, '--id', kid, '-m', hash_alg.mech, '--pin', 'env:PIN', '--sign'], input=hash_val, stdout=subprocess.PIPE, env=env, check=True) + proc = subprocess.run( + cmd = ['pkcs11-tool', '--slot', reader, '--id', kid, '-m', mech, '--pin', 'env:PIN', '--sign'], + input = msg, + stdout = subprocess.PIPE, + env = env, + check = True, + ) return proc.stdout |
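Review bot: The new `ident` field on HashAlg and the four byte strings in HASH_ALG are undocumented and opaque to a reader; they are the DER-encoded DigestInfo prefixes that RFC 8017 §9.2 places in front of the hash for PKCS#1 v1.5 signing, so the slot deserves a comment such as `# DER DigestInfo prefix (RFC 8017 §9.2), prepended to the digest when signing with the raw RSA-PKCS mechanism`. The added 'SHA1' entry makes a hash that is no longer acceptable for producing new signatures selectable alongside the SHA-2 family; if it exists only for legacy material, say so in a comment next to the entry and consider refusing or warning when it is chosen for signing. USE_RSA_PKCS is a hard-coded module constant with a TODO, so the mechanism choice is invisible to the user; a short comment explaining when each branch is needed (token lacks the hashed mechanisms vs. supports them) would make the TODO actionable.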
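Review bot: `subprocess.run` has no `cmd` keyword — the rewritten call in pkcs11_sign passes the command list as `cmd = [...]`, which run() forwards to Popen and Popen rejects with a TypeError, so every signing attempt fails; pass the list positionally, `proc = subprocess.run(['pkcs11-tool', '--slot', reader, '--id', kid, '-m', mech, '--pin', 'env:PIN', '--sign'],` or name it `args=`. While there, drop the spaces around `=` in the keyword arguments (`input=msg, stdout=subprocess.PIPE, env=env, check=True`) to match PEP 8. The function also rebinds `msg` from the raw document to the DigestInfo-prefixed digest mid-body, which a docstring should state: pkcs11_sign takes the unhashed document and, when USE_RSA_PKCS is set, hashes it locally and hands the PKCS#1 v1.5 DigestInfo to the token under the raw RSA-PKCS mechanism, otherwise hands the document to the token's hashing mechanism; that the token applies the PKCS#1 v1.5 padding itself under RSA-PKCS is assumed here and should be confirmed against pkcs11-tool's documentation.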