B c/@sdZdZddgZddlTejddkr>> from Crypto.Signature import PKCS1_PSS >>> from Crypto.Hash import SHA >>> from Crypto.PublicKey import RSA >>> from Crypto import Random >>> >>> message = 'To be signed' >>> key = RSA.importKey(open('privkey.der').read()) >>> h = SHA.new() >>> h.update(message) >>> signer = PKCS1_PSS.new(key) >>> signature = PKCS1_PSS.sign(key) At the receiver side, verification can be done like using the public part of the RSA key: >>> key = RSA.importKey(open('pubkey.der').read()) >>> h = SHA.new() >>> h.update(message) >>> verifier = PKCS1_PSS.new(key) >>> if verifier.verify(h, signature): >>> print "The signature is authentic." >>> else: >>> print "The signature is not authentic." :undocumented: __revision__, __package__ .. __: http://www.ietf.org/rfc/rfc3447.txt .. __: http://www.rsa.com/rsalabs/node.asp?id=2125 z$Id$new PSS_SigScheme)*N) ceil_shiftceil_div long_to_bytes)strxorc@s0eZdZdZddZddZddZdd Zd S) rzKThis signature scheme can perform PKCS#1 PSS RSA signature or verification.cCs||_||_||_dS)a!Initialize this PKCS#1 PSS signature scheme object. :Parameters: key : an RSA key object If a private half is given, both signature and verification are possible. If a public half is given, only verification is possible. mgfunc : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. saltLen : int Length of the salt, in bytes. N)_key_saltLen_mgfunc)selfkeymgfuncsaltLenrM/opt/alt/python37/lib64/python3.7/site-packages/Crypto/Signature/PKCS1_PSS.py__init__Os zPSS_SigScheme.__init__cCs |jS)zCReturn True if this cipher object can be used for signing messages.)r Z has_private)rrrrcan_sign`szPSS_SigScheme.can_signc s|jj}|jdkrj}n|j}|jr.|j}n fdd}tjj|jj }t |d}t |d|||}|j |}t d|t||} | S)aBProduce the PKCS#1 PSS signature of a message. This function is named ``RSASSA-PSS-SIGN``, and is specified in section 8.1.1 of RFC3447. :Parameters: mhash : hash object The hash that was carried out over the message. This is an object belonging to the `Crypto.Hash` module. :Return: The PSS signature encoded as a string. :Raise ValueError: If the RSA key length is not sufficiently long to deal with the given hash algorithm. :Raise TypeError: If the RSA key has no private half. :attention: Modify the salt length and the mask generation function only if you know what you are doing. The receiver must use the same parameters too. Ncs t||S)N)MGF1)xy)mhashrrz$PSS_SigScheme.sign..rr)r Z _randfuncr digest_sizer CryptoUtilnumbersizenrEMSA_PSS_ENCODEZdecryptbchrlen) rrZrandfuncsLenmgfmodBitskemmSr)rrsignds    zPSS_SigScheme.signc s|jdkrj}n|j}|jr&|j}n fdd}tjj|jj}t |d}t ||kr^dS|j |dd}t |dd}t d|t ||}yt ||d||} Wntk rdSX| S)aVerify that a certain PKCS#1 PSS signature is authentic. This function checks if the party holding the private half of the given RSA key has really signed the message. This function is called ``RSASSA-PSS-VERIFY``, and is specified in section 8.1.2 of RFC3447. :Parameters: mhash : hash object The hash that was carried out over the message. This is an object belonging to the `Crypto.Hash` module. S : string The signature that needs to be validated. :Return: True if verification is correct. False otherwise. Ncs t||S)N)r)rr)rrrrrz&PSS_SigScheme.verify..rFrr)r rr rrr r!r r"rr%Zencryptr$EMSA_PSS_VERIFY ValueError) rrr,r&r'r(r)r*emLenresultr)rrverifys$    zPSS_SigScheme.verifyN)__name__ __module__ __qualname____doc__rrr-r2rrrrrLs 0cCsNtd}x8tt||jD]$}t|d}||||}qW|d|S)z,Mask Generation Function, described in B.2.1N)brangerrr rdigest)ZmgfSeedZmaskLenhashTZcountercrrrrs  rcCs t|d}d}x$td||D]}|d?dB}q W||j|dkrNtdtd}|rj|dkrj||}|tdd||} td|||jdtd|} || ||jd} t| | } tt | d|@| dd} | | td } | S) a% Implement the ``EMSA-PSS-ENCODE`` function, as defined in PKCS#1 v2.1 (RFC3447, 9.1.1). The original ``EMSA-PSS-ENCODE`` actually accepts the message ``M`` as input, and hash it internally. Here, we expect that the message has already been hashed instead. :Parameters: mhash : hash object The hash object that holds the digest of the message being signed. emBits : int Maximum length of the final encoding, in bits. randFunc : callable An RNG function that accepts as only parameter an int, and returns a string of random bytes, to be used as salt. mgf : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. sLen : int Length of the salt, in bytes. :Return: An ``emLen`` byte long string that encodes the hash (with ``emLen = \ceil(emBits/8)``). :Raise ValueError: When digest or salt length are too big. rrrrz6Digest or salt length are too long for given key size.r7N) rr:rr/r9rr$r;r bord)remBitsZrandFuncr'r&r0lmaskisalthdbdbMaskmaskedDBr*rrrr#s   & "r#cCs`t|d}d}x$td||D]}|d?dB}q W||j|dkrJdSt|ddd krbdS|d||jd}|||jdd} |t|d@rdS|| ||jd} t|| } tt| d|@| dd} | td||j|dtdsdStd } |r,| | d} | tdd| |  } | | kr\dSd S) a Implement the ``EMSA-PSS-VERIFY`` function, as defined in PKCS#1 v2.1 (RFC3447, 9.1.2). ``EMSA-PSS-VERIFY`` actually accepts the message ``M`` as input, and hash it internally. Here, we expect that the message has already been hashed instead. :Parameters: mhash : hash object The hash object that holds the digest of the message to be verified. em : string The signature to verify, therefore proving that the sender really signed the message that was received. emBits : int Length of the final encoding (em), in bits. mgf : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. sLen : int Length of the salt, in bytes. :Return: 0 if the encoding is consistent, 1 if it is inconsistent. :Raise ValueError: When digest or salt length are too big. rrrr?rFNr@r7T) rr:rordrAr r$ startswithr9rr;)rr*rBr'r&r0rCrDrIrFrHrGrEZhprrrr. s0  "*" r.cCs t|||S)aReturn a signature scheme object `PSS_SigScheme` that can be used to perform PKCS#1 PSS signature or verification. :Parameters: key : RSA key object The key to use to sign or verify the message. This is a `Crypto.PublicKey.RSA` object. Signing is only possible if *key* is a private RSA key. mgfunc : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. If not specified, the standard MGF1 is used. saltLen : int Length of the salt, in bytes. If not specified, it matches the output size of the hash function. )r)rrrrrrrQs)NN)r6Z __revision____all__ZCrypto.Util.py3compatsys version_infoZCrypto.Util.py21compatZCrypto.Util.numberrrrr ZCrypto.Util.strxorr rrr#r.rrrrr<s } ;D