Example #1
1
//VerifySignature verifies the signature of a message
func (rsaKey *RsaKey) VerifySignature(message string, signature string) (err error) {
	hashAlgorithm := crypto.SHA256
	if rsaKey.privateKey == nil {
		err = errors.New("privateKey is nil")
		return
	}
	messageBytes := bytes.NewBufferString(message)

	//hash
	pssh := hashAlgorithm.New()
	pssh.Write(messageBytes.Bytes())
	messageHash := pssh.Sum(nil)

	var signatureBytes []byte
	signatureBytes, err = base64.StdEncoding.DecodeString(signature)
	if err != nil {
		return
	}

	//Verify signature
	var opts rsa.PSSOptions
	opts.SaltLength = rsa.PSSSaltLengthAuto
	err = rsa.VerifyPSS(&rsaKey.privateKey.PublicKey, hashAlgorithm, messageHash, signatureBytes, &opts)

	return
}
Example #2
1
// Verify the given payload
func (ctx rsaEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
	var hash crypto.Hash

	switch alg {
	case RS256, PS256:
		hash = crypto.SHA256
	case RS384, PS384:
		hash = crypto.SHA384
	case RS512, PS512:
		hash = crypto.SHA512
	default:
		return ErrUnsupportedAlgorithm
	}

	hasher := hash.New()

	// According to documentation, Write() on hash never fails
	_, _ = hasher.Write(payload)
	hashed := hasher.Sum(nil)

	switch alg {
	case RS256, RS384, RS512:
		return rsa.VerifyPKCS1v15(ctx.publicKey, hash, hashed, signature)
	case PS256, PS384, PS512:
		return rsa.VerifyPSS(ctx.publicKey, hash, hashed, signature, nil)
	}

	return ErrUnsupportedAlgorithm
}
Example #3
0
// Implements the Verify method from SigningMethod
// For this verify method, key must be an rsa.PublicKey struct
func (m *SigningMethodRSAPSS) Verify(signingString, signature string, key interface{}) error {
	var err error

	// Decode the signature
	var sig []byte
	if sig, err = DecodeSegment(signature); err != nil {
		return err
	}

	var rsaKey *rsa.PublicKey
	switch k := key.(type) {
	case *rsa.PublicKey:
		rsaKey = k
	default:
		return ErrInvalidKey
	}

	// Create hasher
	if !m.Hash.Available() {
		return ErrHashUnavailable
	}
	hasher := m.Hash.New()
	hasher.Write([]byte(signingString))

	return rsa.VerifyPSS(rsaKey, m.Hash, hasher.Sum(nil), sig, m.Options)
}
Example #4
0
func (alg *RsaPssUsingSha) Verify(securedInput, signature []byte, key interface{}) error {
	if pubKey, ok := key.(*rsa.PublicKey); ok {
		return rsa.VerifyPSS(pubKey, hashFunc(alg.keySizeBits), sha(alg.keySizeBits, securedInput), signature, &rsa.PSSOptions{SaltLength: alg.saltSizeBytes})
	}

	return errors.New("RsaPssUsingSha.Verify(): expects key to be '*rsa.PublicKey'")
}
Example #5
0
func verify(pub *rsa.PublicKey, msg string, signature string) (err error) {
	sig, _ := decodeBase64(signature)
	h := sha256.New()
	h.Write([]byte(msg))
	d := h.Sum(nil)
	return rsa.VerifyPSS(pub, crypto.SHA256, d, sig, nil)
}
Example #6
0
// Verify implements the Verify method from SigningMethod.
// For this verify method, key must be an *rsa.PublicKey.
func (m *SigningMethodRSAPSS) Verify(raw []byte, signature Signature, key interface{}) error {
	rsaKey, ok := key.(*rsa.PublicKey)
	if !ok {
		return ErrInvalidKey
	}
	return rsa.VerifyPSS(rsaKey, m.Hash, m.sum(raw), signature, m.Options)
}
Example #7
0
func ValidateSignatureForMessage(msg string, sig []byte, pub *rsa.PublicKey) (err error) {
	hashFunction := sha256.New()
	io.WriteString(hashFunction, msg)
	hashSum := hashFunction.Sum(nil)

	err = rsa.VerifyPSS(pub, crypto.SHA256, hashSum, sig, nil)
	return
}
Example #8
0
func BenchmarkRsaVerify(b *testing.B) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	val := sha256.Sum256(make([]byte, 32, 32))
	sig, _ := rsa.SignPSS(rand.Reader, key, crypto.SHA256, val[:], nil)

	b.ResetTimer()
	for i := 0; i < b.N; i++ {
		rsa.VerifyPSS(&key.PublicKey, crypto.SHA256, val[:], sig, nil)
	}
}
Example #9
0
func (r *rsaPSSSigner) verifyMessage(key crypto.PublicKey, msg, sig []byte) error {
	rsaKey, ok := key.(*rsa.PublicKey)
	if !ok {
		return errors.New("invalid key type for RSA-PSS")
	}

	h := r.hash.New()
	h.Write(msg)
	return rsa.VerifyPSS(rsaKey, r.hash, h.Sum(nil), sig, &pssOptions)
}
Example #10
0
func VerifyMessage(pmsg PeerMessage) error {
	if pmsg.Body.Action != "NewPeer" {
		newhash := crypto.SHA1
		peer_pbkey := myPeerKeys.m[pmsg.Addr]
		err := rsa.VerifyPSS(&peer_pbkey, newhash, pmsg.Hashed, pmsg.Sig, nil)
		return err
	} else {
		return nil
	}
}
func VerifySenderMessage(senderPublicKey *rsa.PublicKey, plainText, signature []byte) error {
	pssh := newhash.New()
	_, err := pssh.Write(plainText)
	if err != nil {
		return err
	}

	hashed := pssh.Sum(nil)

	return rsa.VerifyPSS(senderPublicKey, newhash, hashed, signature, opts)
}
Example #12
0
func verifyPSS(key interface{}, digest, sig []byte) error {
	rsaPub, ok := key.(*rsa.PublicKey)
	if !ok {
		logrus.Infof("value was not an RSA public key")
		return ErrInvalid
	}

	opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256}
	if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil {
		logrus.Infof("failed RSAPSS verification: %s", err)
		return ErrInvalid
	}
	return nil
}
Example #13
0
func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	checkFatal(err)

	message := []byte("Binding contractual agreement...")

	h := sha256.New()
	h.Write(message)
	digest := h.Sum(nil)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest, nil)
	checkFatal(err)

	fmt.Printf("Signature: %x\n", sig)
	err = rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, digest, sig, nil)
	fmt.Printf("Signature OK: %v\n", err == nil)
}
Example #14
0
// VerifySignature validates the signature string
func VerifySignature(key *rsa.PublicKey, signed []byte, signature string) error {
	dec, err := base64.URLEncoding.DecodeString(signature)
	if err != nil {
		return errors.New("Could not decode signature string")
	}

	h := sha256.New()
	h.Write(signed)
	d := h.Sum(nil)

	err = rsa.VerifyPSS(key, crypto.SHA256, d, dec, nil)

	if err != nil {
		return err
	}

	return nil
}
Example #15
0
func (v RsaVerify) PayloadVerify(payload, signature []byte) error {
	pubkey := v.pubkey
	hfunc := v.hash
	h := hfunc.New()
	h.Write(payload)

	var err error
	switch v.alg {
	case jwa.RS256, jwa.RS384, jwa.RS512:
		err = rsa.VerifyPKCS1v15(pubkey, hfunc, h.Sum(nil), signature)
	case jwa.PS256, jwa.PS384, jwa.PS512:
		err = rsa.VerifyPSS(pubkey, hfunc, h.Sum(nil), signature, nil)
	}

	if err != nil {
		return err
	}
	return nil
}
Example #16
0
// Decrypt decrypts the message using the private key and verifies that
// the signature was made by the certificate.
func Decrypt(priv *rsa.PrivateKey, cert *x509.Certificate, enc []byte) ([]byte, bool) {
	var pub *rsa.PublicKey
	switch certPub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		pub = certPub
	default:
		return nil, false
	}

	var message message
	_, err := asn1.Unmarshal(enc, &message)
	if err != nil {
		return nil, false
	}

	h := sha256.New()
	key, err := rsa.DecryptOAEP(h, rand.Reader, priv, message.Key, nil)
	if err != nil {
		return nil, false
	}

	dec, ok := aesgcm.Decrypt(key, message.Signed)
	if !ok {
		return nil, false
	}

	var signed signature
	_, err = asn1.Unmarshal(dec, &signed)
	if err != nil {
		return nil, false
	}

	h.Reset()
	h.Write(signed.Message)
	err = rsa.VerifyPSS(pub, crypto.SHA256, h.Sum(nil), signed.Signature, nil)
	if err != nil {
		return nil, false
	}

	return signed.Message, true
}
Example #17
0
func (m *Msg) Message(fromkey *rsa.PublicKey, dstkey *rsa.PrivateKey) (data []byte, err error) {
	hash := crypto.SHA256
	data = make([]byte, 0)
	for i, d := range m.Data {
		plainText, err := rsa.DecryptOAEP(hash.New(), rand.Reader, dstkey, d, []byte(""))
		if err != nil {
			return nil, e.Push(err, "can't decrypt the message")
		}
		pssh := hash.New()
		pssh.Write(plainText)
		hashed := pssh.Sum(nil)
		var opts rsa.PSSOptions
		opts.SaltLength = rsa.PSSSaltLengthAuto
		err = rsa.VerifyPSS(fromkey, hash, hashed, m.Signature[i], &opts)
		if err != nil {
			return nil, e.Push(err, "can't verify the signature")
		}
		data = append(data, plainText...)
	}
	return data, nil
}
Example #18
0
// Verify does the actual check.
// N.B. We have not been able to make this work in a way that is compatible
// with PyCrypto.
func (v RSAPSSVerifier) Verify(key data.Key, sig []byte, msg []byte) error {
	digest := sha256.Sum256(msg)

	k, _ := pem.Decode([]byte(key.Public()))
	pub, err := x509.ParsePKIXPublicKey(k.Bytes)
	if err != nil {
		logrus.Infof("Failed to parse public key: %s\n", err)
		return ErrInvalid
	}

	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		logrus.Infof("Value returned from ParsePKIXPublicKey was not an RSA public key")
		return ErrInvalid
	}

	opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256}
	if err = rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil {
		logrus.Infof("Failed verification: %s", err)
		return ErrInvalid
	}
	return nil
}
Example #19
0
func (job *ProofVerifyJob) CheckSignature(cert *x509.Certificate) error {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		// cert.CheckSignature() uses PKCS1v15, not PSS. So we cannot use that on RSA
		h := sha256.New()
		h.Write(ProofSignatureLabel)
		h.Write(job.serverConfig)

		if err := rsa.VerifyPSS(pub, crypto.SHA256, h.Sum(nil), job.signature, nil); err != nil {
			return err
		}

	case *ecdsa.PublicKey:
		// TODO(hodduc): TEST needed
		if err := cert.CheckSignature(x509.ECDSAWithSHA256, job.serverConfig, job.signature); err != nil {
			return err
		}

	default:
		return errors.New("Unsupported Public key type")
	}

	return nil
}
Example #20
0
func verifyPSS(key interface{}, digest, sig []byte) error {
	rsaPub, ok := key.(*rsa.PublicKey)
	if !ok {
		logrus.Debugf("value was not an RSA public key")
		return ErrInvalid
	}

	if rsaPub.N.BitLen() < minRSAKeySizeBit {
		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
		return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
	}

	if len(sig) < minRSAKeySizeByte {
		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
		return ErrInvalid
	}

	opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256}
	if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil {
		logrus.Debugf("failed RSAPSS verification: %s", err)
		return ErrInvalid
	}
	return nil
}
Example #21
0
File: rsa.go Project: knq/jwt
var rsaMethodPKCS1v15 = rsaMethod{
	signFunc:   rsa.SignPKCS1v15,
	verifyFunc: rsa.VerifyPKCS1v15,
}

// rsaMethodPSS provides a RSA method that signs and verifies with PSS.
var rsaMethodPSS = rsaMethod{
	signFunc: func(rand io.Reader, priv *rsa.PrivateKey, hash crypto.Hash, hashed []byte) ([]byte, error) {
		return rsa.SignPSS(rand, priv, hash, hashed, &rsa.PSSOptions{
			SaltLength: rsa.PSSSaltLengthAuto,
			Hash:       hash,
		})
	},
	verifyFunc: func(pub *rsa.PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error {
		return rsa.VerifyPSS(pub, hash, hashed, sig, &rsa.PSSOptions{
			SaltLength: rsa.PSSSaltLengthAuto,
			Hash:       hash,
		})
	},
}

// rsaSigner provides a RSA Signer.
type rsaSigner struct {
	alg    Algorithm
	method RSASignerVerifier
	hash   crypto.Hash
	priv   *rsa.PrivateKey
	pub    *rsa.PublicKey
}

// NewRSASigner creates an RSA Signer for the specified Algorithm and provided
// low level RSA implementation.
Example #22
0
// Verify verifies an RSA digital signature for the given public key.
func Verify(pub *rsa.PublicKey, m, sig []byte) (err error) {
	h := sha256.New()
	h.Write(m)
	d := h.Sum(nil)
	return rsa.VerifyPSS(pub, crypto.SHA256, d, sig, nil)
}
func main() {

	// Generate RSA Keys
	miryanPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)

	if err != nil {
		fmt.Println(err.Error)
		os.Exit(1)
	}

	miryanPublicKey := &miryanPrivateKey.PublicKey

	raulPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)

	if err != nil {
		fmt.Println(err.Error)
		os.Exit(1)
	}

	raulPublicKey := &raulPrivateKey.PublicKey

	fmt.Println("Private Key : ", miryanPrivateKey)
	fmt.Println("Public key ", miryanPublicKey)
	fmt.Println("Private Key : ", raulPrivateKey)
	fmt.Println("Public key ", raulPublicKey)

	//Encrypt Miryan Message
	message := []byte("the code must be like a piece of music")
	label := []byte("")
	hash := sha256.New()

	ciphertext, err := rsa.EncryptOAEP(hash, rand.Reader, raulPublicKey, message, label)

	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	fmt.Printf("OAEP encrypted [%s] to \n[%x]\n", string(message), ciphertext)
	fmt.Println()

	// Message - Signature
	var opts rsa.PSSOptions
	opts.SaltLength = rsa.PSSSaltLengthAuto // for simple example
	PSSmessage := message
	newhash := crypto.SHA256
	pssh := newhash.New()
	pssh.Write(PSSmessage)
	hashed := pssh.Sum(nil)

	signature, err := rsa.SignPSS(rand.Reader, miryanPrivateKey, newhash, hashed, &opts)

	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	fmt.Printf("PSS Signature : %x\n", signature)

	// Decrypt Message
	plainText, err := rsa.DecryptOAEP(hash, rand.Reader, raulPrivateKey, ciphertext, label)

	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	fmt.Printf("OAEP decrypted [%x] to \n[%s]\n", ciphertext, plainText)

	//Verify Signature
	err = rsa.VerifyPSS(miryanPublicKey, newhash, hashed, signature, &opts)

	if err != nil {
		fmt.Println("Who are U? Verify Signature failed")
		os.Exit(1)
	} else {
		fmt.Println("Verify Signature successful")
	}

}
Example #24
0
// Verify verifies signature against key k and digest
func (csp *impl) Verify(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (valid bool, err error) {
	// Validate arguments
	if k == nil {
		return false, errors.New("Invalid Key. It must not be nil.")
	}
	if len(signature) == 0 {
		return false, errors.New("Invalid signature. Cannot be empty.")
	}
	if len(digest) == 0 {
		return false, errors.New("Invalid digest. Cannot be empty.")
	}

	// Check key type
	switch k.(type) {
	case *ecdsaPrivateKey:
		ecdsaSignature := new(ecdsaSignature)
		_, err := asn1.Unmarshal(signature, ecdsaSignature)
		if err != nil {
			return false, fmt.Errorf("Failed unmashalling signature [%s]", err)
		}

		return ecdsa.Verify(&(k.(*ecdsaPrivateKey).privKey.PublicKey), digest, ecdsaSignature.R, ecdsaSignature.S), nil
	case *ecdsaPublicKey:
		ecdsaSignature := new(ecdsaSignature)
		_, err := asn1.Unmarshal(signature, ecdsaSignature)
		if err != nil {
			return false, fmt.Errorf("Failed unmashalling signature [%s]", err)
		}

		return ecdsa.Verify(k.(*ecdsaPublicKey).pubKey, digest, ecdsaSignature.R, ecdsaSignature.S), nil
	case *rsaPrivateKey:
		if opts == nil {
			return false, errors.New("Invalid options. It must not be nil.")
		}
		switch opts.(type) {
		case *rsa.PSSOptions:
			err := rsa.VerifyPSS(&(k.(*rsaPrivateKey).privKey.PublicKey),
				(opts.(*rsa.PSSOptions)).Hash,
				digest, signature, opts.(*rsa.PSSOptions))

			return err == nil, err
		default:
			return false, fmt.Errorf("Opts type not recognized [%s]", opts)
		}
	case *rsaPublicKey:
		if opts == nil {
			return false, errors.New("Invalid options. It must not be nil.")
		}
		switch opts.(type) {
		case *rsa.PSSOptions:
			err := rsa.VerifyPSS(k.(*rsaPublicKey).pubKey,
				(opts.(*rsa.PSSOptions)).Hash,
				digest, signature, opts.(*rsa.PSSOptions))

			return err == nil, err
		default:
			return false, fmt.Errorf("Opts type not recognized [%s]", opts)
		}
	default:
		return false, fmt.Errorf("Key type not recognized [%s]", k)
	}
}