From 66b975426601138cef52fc511d5a5e49e9fd70e0 Mon Sep 17 00:00:00 2001 From: Hristo Venev Date: Mon, 16 May 2022 21:40:16 +0300 Subject: Fix signing When a hash is included in `--mechanism`, we shouldn't hash the document. Otherwise, with `--mechanism RSA-PKCS`, we need to prepend the identifier of the hash function we used. --- rebiss.py | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/rebiss.py b/rebiss.py index 28a3e44..4541574 100644 --- a/rebiss.py +++ b/rebiss.py @@ -16,17 +16,22 @@ import OpenSSL.crypto as cr class HashAlg: - __slots__ = ('len', 'hashlib_name', 'mech') + __slots__ = ('len', 'hashlib_name', 'mech', 'ident') - def __init__(self, len, hashlib_name, mech): + def __init__(self, len, hashlib_name, mech, ident): self.len = len self.hashlib_name = hashlib_name self.mech = mech + self.ident = ident + +# TODO: autodetect? +USE_RSA_PKCS = True HASH_ALG = { - 'SHA256': HashAlg(32, 'sha256', 'SHA256-RSA-PKCS'), - 'SHA384': HashAlg(48, 'sha384', 'SHA384-RSA-PKCS'), - 'SHA512': HashAlg(64, 'sha512', 'SHA512-RSA-PKCS'), + 'SHA1': HashAlg(20, 'sha1', 'SHA1-RSA-PKCS', b'\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14'), + 'SHA256': HashAlg(32, 'sha256', 'SHA256-RSA-PKCS', b'\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20'), + 'SHA384': HashAlg(48, 'sha384', 'SHA384-RSA-PKCS', b'\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30'), + 'SHA512': HashAlg(64, 'sha512', 'SHA512-RSA-PKCS', b'\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40'), } @@ -54,12 +59,22 @@ def pkcs11_list(): return certs def pkcs11_sign(key, msg, hash_alg, pin): - hash_val = hashlib.new(hash_alg.hashlib_name, msg).digest() + if USE_RSA_PKCS: + mech = 'RSA-PKCS' + msg = hash_alg.ident + hashlib.new(hash_alg.hashlib_name, msg).digest() + else: + mech = hash_alg.mech reader,kid = key env = os.environ.copy() env['PIN'] = pin - proc = subprocess.run(['pkcs11-tool', '--slot', reader, '--id', kid, '-m', hash_alg.mech, '--pin', 'env:PIN', '--sign'], input=hash_val, stdout=subprocess.PIPE, env=env, check=True) + proc = subprocess.run( + cmd = ['pkcs11-tool', '--slot', reader, '--id', kid, '-m', mech, '--pin', 'env:PIN', '--sign'], + input = msg, + stdout = subprocess.PIPE, + env = env, + check = True, + ) return proc.stdout -- cgit