commit f8f434d5cc65460de98c41672476c4b2b6707bc0 Author: Damian Johnson atagar@torproject.org Date: Mon Jun 19 13:12:20 2017 -0700
Generate signature with PKCS1 padding
Blindly followed the cryptography module's example to start with but turns out it does PKCS1 padding for us. This gets us further with validation but still not working just yet. Oh, and also lets us drop our manual PKCS1 padding.
---
stem/descriptor/server_descriptor.py | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/stem/descriptor/server_descriptor.py b/stem/descriptor/server_descriptor.py
index 30599a8..a0759b1 100644
--- a/stem/descriptor/server_descriptor.py
+++ b/stem/descriptor/server_descriptor.py
@@ -52,9 +52,6 @@ from stem.util import str_type
from stem.descriptor import (
CRYPTO_BLOB,
PGP_BLOCK_END,
- DIGEST_TYPE_INFO,
- DIGEST_PADDING,
- DIGEST_SEPARATOR,
Descriptor,
_descriptor_content,
_descriptor_components,
@@ -234,7 +231,7 @@ def _generate_signing_key():
public_key = private_key.public_key()
- pem = '\n' + public_key.public_bytes(
+ pem = public_key.public_bytes(
encoding = serialization.Encoding.PEM,
format = serialization.PublicFormat.PKCS1,
).strip()
@@ -252,13 +249,8 @@ def _generate_signature(content, signing_key):
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
- # generate the digest with required PKCS1 padding so it's 128 bytes
- digest = hashlib.sha1(content).hexdigest().decode('hex_codec')
- digest = DIGEST_TYPE_INFO + (DIGEST_PADDING * (125 - len(digest))) + DIGEST_SEPARATOR + digest
-
- padding = padding.PSS(mgf = padding.MGF1(hashes.SHA256()), salt_length = padding.PSS.MAX_LENGTH)
- signature = base64.b64encode(signing_key.private.sign(digest, padding, hashes.SHA256()))
+ signature = base64.b64encode(signing_key.private.sign(digest, padding.PKCS1v15(), hashes.SHA1()))
return '-----BEGIN SIGNATURE-----\n' + '\n'.join(stem.util.str_tools._split_by_length(signature, 64)) + '\n-----END SIGNATURE-----\n'
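Review bot: The new `sign()` call still passes `digest`, but both assignments to `digest` are deleted in this hunk, so unless the name is bound above the visible context the function raises NameError. cryptography's `sign()` hashes the data it is given, so the argument should presumably be the message itself: `signing_key.private.sign(content, padding.PKCS1v15(), hashes.SHA1())`. Note too that `PKCS1v15()` with a hash algorithm signs an ASN.1 DigestInfo around the digest, while the removed manual padding put the bare digest straight after `DIGEST_SEPARATOR`; that difference may be why validation still fails, as the commit message reports. A short comment that SHA-1 and PKCS#1 v1.5 are dictated by the descriptor format would stop the choice being copied into new code. The start of `_generate_signature` lies above the hunk.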
@@ -884,7 +876,7 @@ class RelayDescriptor(ServerDescriptor):
# appending the content signature
signing_key = _generate_signing_key()
- attr['signing-key'] = signing_key.descriptor_signing_key
+ attr['signing-key'] = '\n' + signing_key.descriptor_signing_key
content = _descriptor_content(attr, exclude, sign, RELAY_SERVER_HEADER) + '\nrouter-signature\n'
return content + _generate_signature(content, signing_key)
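Review bot: The `'\n' +` prefix on `attr['signing-key']` has no explanation now that it has moved out of `_generate_signing_key()`, and it looks like a stray character that a later cleanup could drop. Presumably it exists so the PEM block begins on the line after the keyword; a comment such as `# PEM block must start on the line following the 'signing-key' keyword` would record that. If `descriptor_signing_key` carries the value returned by `public_bytes()` (the assignment is not visible here), it is bytes on Python 3 and concatenating it with a str literal raises TypeError; the same question applies to `+ '\nrouter-signature\n'`, depending on what `_descriptor_content` returns. The enclosing method starts and ends outside the hunk.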