Comments (5)
If your device supported it you could load a key from the session and use the device's mechanisms, but generally speaking don't do this. Devices are traditionally very slow at crypto, much slower than your CPU and many devices don't support the public side of the cryptography (e.g. verify/encrypt).
Your code looks correct to me. You've got two specific problems with handling data in cryptography. One is the mechanisms, the other is the data format expected by the other party. Libraries can be incredibly vague on the format. I believe oscrypto uses the same format we do. Here's an example of external verification in ECDSA:
```python
from pkcs11 import Attribute, KeyType, Mechanism, ObjectClass
from pkcs11.util.ec import (encode_named_curve_parameters,
                            encode_ecdsa_signature, encode_ec_public_key)
from oscrypto.asymmetric import load_public_key, ecdsa_verify

# self.session is an open pkcs11 Session (the snippet comes from a test case)
self.session.create_domain_parameters(KeyType.EC, {
    Attribute.EC_PARAMS: encode_named_curve_parameters('secp256r1'),
}, local=True)\
    .generate_keypair()
priv = self.session.get_key(key_type=KeyType.EC,
                            object_class=ObjectClass.PRIVATE_KEY)
# The token returns the raw r||s pair for ECDSA
signature = priv.sign(b'Data to sign', mechanism=Mechanism.ECDSA_SHA1)
# Encode as ASN.1 (DER SEQUENCE of r and s), which is what oscrypto expects
signature = encode_ecdsa_signature(signature)
pub = self.session.get_key(key_type=KeyType.EC,
                           object_class=ObjectClass.PUBLIC_KEY)
# Export the public key as DER so an external library can load it
pub = load_public_key(encode_ec_public_key(pub))
ecdsa_verify(pub, signature, b'Data to sign', 'sha1')
```
from python-pkcs11.
Hi @danni, I ran this code for testing and when I print ecdsa_verify it returns None. I tried changing the content of the data to be signed to make it different from the data to verify, and the result was
oscrypto.errors.SignatureError: Signature is invalid
So, as I could understand, None is verification successful and the exception is verification failed, is that correct? Is the None result really the expected output on success?
@danni, one more question. I am writing a client-server project, in which the client has the USB token attached. Before it can perform operations on the server, it sends a POST request with its serial number, the public key and, as the signed data, the serial number, so the server can trust the further requests from this client.
But the problem is the format of this public key. When it goes over the POST request, it's URL-encoded or something like a string, I'm not sure. When it reaches the server, I can't do the verify part.
I tried some ways to decode/encode but this mix of the libraries makes me very confused.
So, how can I encode this pub key to PEM format to send from client to server, and how can I decode it to the proper format to load_public_key and run ecdsa_verify?
This reference code is for ECDSA, you'll need to adapt it for RSA. As to what their API returns, that's covered in their API docs :)
If you're transmitting over HTTP POST, your problem is likely the transmission of raw binary over a text protocol. I see a lot of `encode` and `decode` in your code. The purpose of these functions is to change binary data into text (e.g. in UTF-8). It is not to prepare binary data for transport, and encoding can result in a string that decodes legitimately differently when the same character occupies two code points. When transmitting binary data over text, use base64 or similar. In HTTP POST, you can also send MIME multipart (which is really just base64 encoding, but with more metadata).
As for your project, BE VERY CAREFUL AT INCORRECTLY REIMPLEMENTING CRYPTOGRAPHIC PROTOCOLS. Like the cryptographic primitives, incorrect implementation of cryptographic protocols can lead to less or worse security. If you want to identify a client to a server, that functionality already exists within TLS, see Client Authenticated Handshake.
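The two points above (wrap DER in PEM for the client-to-server message, and move binary over the text protocol with base64 rather than `encode`/`decode`) as an added stand-alone example; this is not code from python-pkcs11 or from either commenter. It assumes the client already has the DER bytes that `encode_ec_public_key` and `encode_ecdsa_signature` produce; the byte strings below are constructed stand-ins, not real key material.

```python
import base64
import json
import textwrap

# Constructed sample bytes standing in for a DER SubjectPublicKeyInfo and a
# DER-encoded ECDSA signature. NOT real key material; in a real client they
# come from encode_ec_public_key(pub) and encode_ecdsa_signature(sig).
SAMPLE_PUBKEY_DER = bytes([0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
                           0x48, 0xce, 0x3d, 0x02, 0x01]) + bytes(range(0x80, 0xd0))
SAMPLE_SIG_DER = (bytes([0x30, 0x44, 0x02, 0x20]) + bytes(range(0xff, 0xdf, -1))
                  + bytes([0x02, 0x20]) + bytes(range(0xa0, 0xc0)))


def der_to_pem(der: bytes, label: str = "PUBLIC KEY") -> str:
    """PEM is just base64 of the DER, in 64-character lines, between BEGIN/END lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pem_to_der(pem: str, label: str = "PUBLIC KEY") -> bytes:
    """Strip the armour and whitespace, then base64-decode strictly."""
    begin, end = "-----BEGIN %s-----" % label, "-----END %s-----" % label
    start = pem.index(begin) + len(begin)
    stop = pem.index(end)
    return base64.b64decode("".join(pem[start:stop].split()), validate=True)


def pack_request(serial: str, pubkey_der: bytes, signature_der: bytes) -> str:
    """Client side: JSON body for the POST. Every binary field travels as base64 text."""
    return json.dumps({
        "serial": serial,
        "public_key_pem": der_to_pem(pubkey_der),
        "signature_b64": base64.b64encode(signature_der).decode("ascii"),
    })


def unpack_request(body: str):
    """Server side: recover the exact DER bytes to hand to load_public_key / ecdsa_verify."""
    msg = json.loads(body)
    return (msg["serial"], pem_to_der(msg["public_key_pem"]),
            base64.b64decode(msg["signature_b64"], validate=True))


def lossy_text_roundtrip(data: bytes) -> bytes:
    """What .decode()/.encode() does to binary: bytes >= 0x80 are not valid UTF-8 on
    their own, so the decoder raises or substitutes U+FFFD and the bytes are lost."""
    return data.decode("utf-8", errors="replace").encode("utf-8")
```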
Hi, basically you need to sign something and check inside the server that your signature is correct, so you need to extract the certificate that represents your signature, so on the server side you can check that the certificate is valid in your trusted CA and then you can verify the signature.
How to extract your certificate from the device and convert it to PEM format:
master...luisza:extract_certificates
You can send the signature in base64 and the PEM certificate, then use the certificate to verify on the server side. For example, you have a document sha256 hashsum that you need signed, so you send it to your client, he signs the hashsum and sends you the certificate and the signed message; you get that and check whether the certificate is ok, then try to verify the signed sha256 hashsum using the stored plain hashsum and the certificate.
The server side could be something like this:
```python
from base64 import b64decode
from Crypto.Hash import SHA512
from Crypto.Signature import PKCS1_v1_5
from Crypto.PublicKey import RSA


def validate_sign(public_certificate, key, cipher_text):
    # check the certificate with your trusted CA
    # (check_certificate is the poster's own helper, not defined here)
    if not check_certificate(public_certificate):
        raise Exception("Invalid certificate")
    # the signature arrives as base64 text over the wire
    cipher_text = b64decode(cipher_text)
    # `key` is the signed data (the stored hashsum); hash it as str or bytes
    if hasattr(key, 'encode'):
        key = key.encode()
    digest = SHA512.new()
    digest.update(key)
    pub_key = RSA.importKey(public_certificate)
    verifier = PKCS1_v1_5.new(pub_key)
    result = verifier.verify(digest, cipher_text)
    return result
```