| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 |
- # Copyright 2017 Google Inc.
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
- """ECDSA (ES256) verifier and signer that use the ``cryptography`` library.
- """
- from cryptography import utils # type: ignore
- import cryptography.exceptions
- from cryptography.hazmat import backends
- from cryptography.hazmat.primitives import hashes
- from cryptography.hazmat.primitives import serialization
- from cryptography.hazmat.primitives.asymmetric import ec
- from cryptography.hazmat.primitives.asymmetric import padding
- from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
- from cryptography.hazmat.primitives.asymmetric.utils import encode_dss_signature
- import cryptography.x509
- from google.auth import _helpers
- from google.auth.crypt import base
- _CERTIFICATE_MARKER = b"-----BEGIN CERTIFICATE-----"
- _BACKEND = backends.default_backend()
- _PADDING = padding.PKCS1v15()
- class ES256Verifier(base.Verifier):
- """Verifies ECDSA cryptographic signatures using public keys.
- Args:
- public_key (
- cryptography.hazmat.primitives.asymmetric.ec.ECDSAPublicKey):
- The public key used to verify signatures.
- """
- def __init__(self, public_key):
- self._pubkey = public_key
- @_helpers.copy_docstring(base.Verifier)
- def verify(self, message, signature):
- # First convert (r||s) raw signature to ASN1 encoded signature.
- sig_bytes = _helpers.to_bytes(signature)
- if len(sig_bytes) != 64:
- return False
- r = (
- int.from_bytes(sig_bytes[:32], byteorder="big")
- if _helpers.is_python_3()
- else utils.int_from_bytes(sig_bytes[:32], byteorder="big")
- )
- s = (
- int.from_bytes(sig_bytes[32:], byteorder="big")
- if _helpers.is_python_3()
- else utils.int_from_bytes(sig_bytes[32:], byteorder="big")
- )
- asn1_sig = encode_dss_signature(r, s)
- message = _helpers.to_bytes(message)
- try:
- self._pubkey.verify(asn1_sig, message, ec.ECDSA(hashes.SHA256()))
- return True
- except (ValueError, cryptography.exceptions.InvalidSignature):
- return False
- @classmethod
- def from_string(cls, public_key):
- """Construct an Verifier instance from a public key or public
- certificate string.
- Args:
- public_key (Union[str, bytes]): The public key in PEM format or the
- x509 public key certificate.
- Returns:
- Verifier: The constructed verifier.
- Raises:
- ValueError: If the public key can't be parsed.
- """
- public_key_data = _helpers.to_bytes(public_key)
- if _CERTIFICATE_MARKER in public_key_data:
- cert = cryptography.x509.load_pem_x509_certificate(
- public_key_data, _BACKEND
- )
- pubkey = cert.public_key()
- else:
- pubkey = serialization.load_pem_public_key(public_key_data, _BACKEND)
- return cls(pubkey)
- class ES256Signer(base.Signer, base.FromServiceAccountMixin):
- """Signs messages with an ECDSA private key.
- Args:
- private_key (
- cryptography.hazmat.primitives.asymmetric.ec.ECDSAPrivateKey):
- The private key to sign with.
- key_id (str): Optional key ID used to identify this private key. This
- can be useful to associate the private key with its associated
- public key or certificate.
- """
- def __init__(self, private_key, key_id=None):
- self._key = private_key
- self._key_id = key_id
- @property # type: ignore
- @_helpers.copy_docstring(base.Signer)
- def key_id(self):
- return self._key_id
- @_helpers.copy_docstring(base.Signer)
- def sign(self, message):
- message = _helpers.to_bytes(message)
- asn1_signature = self._key.sign(message, ec.ECDSA(hashes.SHA256()))
- # Convert ASN1 encoded signature to (r||s) raw signature.
- (r, s) = decode_dss_signature(asn1_signature)
- return (
- (r.to_bytes(32, byteorder="big") + s.to_bytes(32, byteorder="big"))
- if _helpers.is_python_3()
- else (utils.int_to_bytes(r, 32) + utils.int_to_bytes(s, 32))
- )
- @classmethod
- def from_string(cls, key, key_id=None):
- """Construct a RSASigner from a private key in PEM format.
- Args:
- key (Union[bytes, str]): Private key in PEM format.
- key_id (str): An optional key id used to identify the private key.
- Returns:
- google.auth.crypt._cryptography_rsa.RSASigner: The
- constructed signer.
- Raises:
- ValueError: If ``key`` is not ``bytes`` or ``str`` (unicode).
- UnicodeDecodeError: If ``key`` is ``bytes`` but cannot be decoded
- into a UTF-8 ``str``.
- ValueError: If ``cryptography`` "Could not deserialize key data."
- """
- key = _helpers.to_bytes(key)
- private_key = serialization.load_pem_private_key(
- key, password=None, backend=_BACKEND
- )
- return cls(private_key, key_id=key_id)
- def __getstate__(self):
- """Pickle helper that serializes the _key attribute."""
- state = self.__dict__.copy()
- state["_key"] = self._key.private_bytes(
- encoding=serialization.Encoding.PEM,
- format=serialization.PrivateFormat.PKCS8,
- encryption_algorithm=serialization.NoEncryption(),
- )
- return state
- def __setstate__(self, state):
- """Pickle helper that deserializes the _key attribute."""
- state["_key"] = serialization.load_pem_private_key(state["_key"], None)
- self.__dict__.update(state)
|
