summaryrefslogtreecommitdiff
path: root/rebiss.py
diff options
context:
space:
mode:
authorHristo Venev <hristo@venev.name>2022-05-16 21:40:16 +0300
committerHristo Venev <hristo@venev.name>2022-05-16 21:40:16 +0300
commit66b975426601138cef52fc511d5a5e49e9fd70e0 (patch)
tree7fcbb1c90dbc198682f9b1a2cee94df3440824a6 /rebiss.py
parent861044a44a5d01b30c9ff34e21bb47324e484bb6 (diff)
Fix signing
When a hash is included in `--mechanism`, we shouldn't hash the document. Otherwise, with `--mechanism RSA-PKCS`, we need to prepend the identifier of the hash function we used.
Diffstat (limited to 'rebiss.py')
-rw-r--r--rebiss.py29
1 files changed, 22 insertions, 7 deletions
diff --git a/rebiss.py b/rebiss.py
index 28a3e44..4541574 100644
--- a/rebiss.py
+++ b/rebiss.py
@@ -16,17 +16,22 @@ import OpenSSL.crypto as cr
class HashAlg:
- __slots__ = ('len', 'hashlib_name', 'mech')
+ __slots__ = ('len', 'hashlib_name', 'mech', 'ident')
- def __init__(self, len, hashlib_name, mech):
+ def __init__(self, len, hashlib_name, mech, ident):
self.len = len
self.hashlib_name = hashlib_name
self.mech = mech
+ self.ident = ident
+
+# TODO: autodetect?
+USE_RSA_PKCS = True
HASH_ALG = {
- 'SHA256': HashAlg(32, 'sha256', 'SHA256-RSA-PKCS'),
- 'SHA384': HashAlg(48, 'sha384', 'SHA384-RSA-PKCS'),
- 'SHA512': HashAlg(64, 'sha512', 'SHA512-RSA-PKCS'),
+ 'SHA1': HashAlg(20, 'sha1', 'SHA1-RSA-PKCS', b'\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14'),
+ 'SHA256': HashAlg(32, 'sha256', 'SHA256-RSA-PKCS', b'\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20'),
+ 'SHA384': HashAlg(48, 'sha384', 'SHA384-RSA-PKCS', b'\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30'),
+ 'SHA512': HashAlg(64, 'sha512', 'SHA512-RSA-PKCS', b'\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40'),
}
@@ -54,12 +59,22 @@ def pkcs11_list():
return certs
def pkcs11_sign(key, msg, hash_alg, pin):
- hash_val = hashlib.new(hash_alg.hashlib_name, msg).digest()
+ if USE_RSA_PKCS:
+ mech = 'RSA-PKCS'
+ msg = hash_alg.ident + hashlib.new(hash_alg.hashlib_name, msg).digest()
+ else:
+ mech = hash_alg.mech
reader,kid = key
env = os.environ.copy()
env['PIN'] = pin
- proc = subprocess.run(['pkcs11-tool', '--slot', reader, '--id', kid, '-m', hash_alg.mech, '--pin', 'env:PIN', '--sign'], input=hash_val, stdout=subprocess.PIPE, env=env, check=True)
+ proc = subprocess.run(
+ cmd = ['pkcs11-tool', '--slot', reader, '--id', kid, '-m', mech, '--pin', 'env:PIN', '--sign'],
+ input = msg,
+ stdout = subprocess.PIPE,
+ env = env,
+ check = True,
+ )
return proc.stdout