o n~b4@szddlmZmZmZddlZddlmZmZmZddl m Z ddlm Z GdddZ dd Z d d Zd d ZddZdS))bchrbord iter_rangeN)ceil_div long_to_bytes bytes_to_long)strxor)Randomc@s0eZdZdZddZddZddZdd Zd S) PSS_SigSchemezzA signature object for ``RSASSA-PSS``. Do not instantiate directly. Use :func:`Cryptodome.Signature.pss.new`. cCs||_||_||_||_dS)atInitialize this PKCS#1 PSS signature scheme object. :Parameters: key : an RSA key object If a private half is given, both signature and verification are possible. If a public half is given, only verification is possible. mgfunc : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. saltLen : integer Length of the salt, in bytes. randfunc : callable A function that returns random bytes. N)_key_saltLen_mgfunc _randfunc)selfkeyZmgfuncZsaltLenZrandfuncrC/usr/local/lib/python3.10/dist-packages/Cryptodome/Signature/pss.py__init__/s zPSS_SigScheme.__init__cCs |jS)z`_. :parameter msg_hash: This is an object from the :mod:`Cryptodome.Hash` package. It has been used to digest the message to sign. :type msg_hash: hash object :return: the signature encoded as a *byte string*. :raise ValueError: if the RSA key is not long enough for the given hash algorithm. :raise TypeError: if the RSA key has no private half. Nc t||SNMGF1xymsg_hashrrb z$PSS_SigScheme.sign..)r digest_sizer CryptodomeUtilnumbersizer nr_EMSA_PSS_ENCODErrZ_decryptr) rrsLenmgfmodBitskemem_intZm_int signaturerrrsignJs     zPSS_SigScheme.signc s|jdur j}n|j}|jr|j}nfdd}tjj|jj}t |d}t ||kr1t dt |}|j |}t |dd} t|| } t| |d||dS)atCheck if the PKCS#1 PSS signature over a message is valid. This function is also called ``RSASSA-PSS-VERIFY`` and it is specified in `section 8.1.2 of RFC8037 `_. :parameter msg_hash: The hash that was carried out over the message. This is an object belonging to the :mod:`Cryptodome.Hash` module. :type parameter: hash object :parameter signature: The signature that needs to be validated. :type signature: bytes :raise ValueError: if the signature is not valid. Ncrrrrrrrrrz&PSS_SigScheme.verify..r Incorrect signaturer!)r r"r r#r$r%r&r r'rlen ValueErrorrZ_encryptr_EMSA_PSS_VERIFY) rrr/r)r*r+r,Z signature_intr.emLenr-rrrverifyts      zPSS_SigScheme.verifyN)__name__ __module__ __qualname____doc__rrr0r6rrrrr )s  *r cCsbd}tt||jD]}t|d}|}|||||}q t||ks+J|d|S)aMask Generation Function, described in `B.2.1 of RFC8017 `_. :param mfgSeed: seed from which the mask is generated :type mfgSeed: byte string :param maskLen: intended length in bytes of the mask :type maskLen: integer :param hash_gen: A module or a hash object from :mod:`Cryptodome.Hash` :type hash_object: :return: the mask, as a *byte string* N)rrr"rnewupdatedigestr2)ZmgfSeedZmaskLenZhash_genTcounterchobjrrrrs  rcCst|d}d}td||D]}|d?dB}q||j|dkr%td||}tdd||} |} | | td|||jd} | td|} || ||jd} t| | }tt |d|@|dd}|| td}|S) a Implement the ``EMSA-PSS-ENCODE`` function, as defined in PKCS#1 v2.1 (RFC3447, 9.1.1). The original ``EMSA-PSS-ENCODE`` actually accepts the message ``M`` as input, and hash it internally. Here, we expect that the message has already been hashed instead. :Parameters: mhash : hash object The hash object that holds the digest of the message being signed. emBits : int Maximum length of the final encoding, in bits. randFunc : callable An RNG function that accepts as only parameter an int, and returns a string of random bytes, to be used as salt. mgf : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. sLen : int Length of the salt, in bytes. :Return: An ``emLen`` byte long string that encodes the hash (with ``emLen = \ceil(emBits/8)``). :Raise ValueError: When digest or salt length are too big. r rr!z6Digest or salt length are too long for given key size.N) rrr"r3rr?r=r>rr)mhashemBitsZrandFuncr*r)r5lmaskisaltm_primehZpsdbdbMaskmaskedDBr-rrrr(s"   "r(cCs|t|d}d}td||D]}|d?dB}q||j|dkr%tdt|ddd kr3td|d||jd}|||jdd} |t|d@rUtd|| ||jd} t|| } tt| d|@| dd} | td||j|dtdstd|dkr| | d} nd } tdd| | } | }| | | }| |krtddS) a Implement the ``EMSA-PSS-VERIFY`` function, as defined in PKCS#1 v2.1 (RFC3447, 9.1.2). ``EMSA-PSS-VERIFY`` actually accepts the message ``M`` as input, and hash it internally. Here, we expect that the message has already been hashed instead. :Parameters: mhash : hash object The hash object that holds the digest of the message to be verified. em : string The signature to verify, therefore proving that the sender really signed the message that was received. emBits : int Length of the final encoding (em), in bits. mgf : callable A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. sLen : int Length of the salt, in bytes. :Raise ValueError: When the encoding is inconsistent, or the digest or salt lengths are too big. r rr!rDrEr1NrFr;) rrr"r3ordrrr startswithr?r=r>)rGr-rHr*r)r5rIrJrPrMrOrNrKrLrChprrrr4s6  "( r4cKsX|dd}|dd}|dd}|durtj}|r%tdt|t||||S)aCreate an object for making or verifying PKCS#1 PSS signatures. :parameter rsa_key: The RSA key to use for signing or verifying the message. This is a :class:`Cryptodome.PublicKey.RSA` object. Signing is only possible when ``rsa_key`` is a **private** RSA key. :type rsa_key: RSA object :Keyword Arguments: * *mask_func* (``callable``) -- A function that returns the mask (as `bytes`). It must accept two parameters: a seed (as `bytes`) and the length of the data to return. If not specified, it will be the function :func:`MGF1` defined in `RFC8017 `_ and combined with the same hash algorithm applied to the message to sign or verify. If you want to use a different function, for instance still :func:`MGF1` but together with another hash, you can do:: from Cryptodome.Hash import SHA256 from Cryptodome.Signature.pss import MGF1 mgf = lambda x, y: MGF1(x, y, SHA256) * *salt_bytes* (``integer``) -- Length of the salt, in bytes. It is a value between 0 and ``emLen - hLen - 2``, where ``emLen`` is the size of the RSA modulus and ``hLen`` is the size of the digest applied to the message to sign or verify. The salt is generated internally, you don't need to provide it. If not specified, the salt length will be ``hLen``. If it is zero, the signature scheme becomes deterministic. Note that in some implementations such as OpenSSL the default salt length is ``emLen - hLen - 2`` (even though it is not more secure than ``hLen``). * *rand_func* (``callable``) -- A function that returns random ``bytes``, of the desired length. The default is :func:`Cryptodome.Random.get_random_bytes`. :return: a :class:`PSS_SigScheme` signature object mask_funcNZ salt_bytes rand_funczUnknown keywords: )popr Zget_random_bytesr3strkeysr )Zrsa_keykwargsrUZsalt_lenrVrrrr=Is 2  r=)ZCryptodome.Util.py3compatrrrZCryptodome.Util.numberr#rrrZCryptodome.Util.strxorrr r rr(r4r=rrrrs  z@ I