hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 02:13:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
c20ee76826e10318f8f39c6fae901b743c2e8254
codeql/python/ql/test/library-tests/frameworks/cryptodome/test_ec.py
Rasmus Wriedt Larsen f8254381f3 Python: Add MISSING: CryptographicOperationAlgorithm annotations 
For RSA it's unclear what the algorithm name should even be. Signatures based on
RSA private keys with PSS scheme is ok, but with pkcs#1 v1.5 they are
weak/vulnerable. So clearly just putting RSA as the algorithm name is not enough
information...

and that problem is also why I wanted to do this commit separetely (to call
extra atten to this).
2021-04-22 14:51:18 +02:00

39 lines
1.6 KiB
Python
Raw Blame History

from Cryptodome.PublicKey import ECC
from Cryptodome.Signature import DSS
from Cryptodome.Hash import SHA256
private_key = ECC.generate(curve="P-256") # $ PublicKeyGeneration keySize=256
public_key = private_key.public_key()
# ------------------------------------------------------------------------------
# sign/verify
# ------------------------------------------------------------------------------
print("sign/verify")
message = b"message"
signer = DSS.new(private_key, mode='fips-186-3')
hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher # MISSING: CryptographicOperationAlgorithm=ECDSA
print("signature={}".format(signature))
print()
verifier = DSS.new(public_key, mode='fips-186-3')
hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
print("Signature verified (as expected)")
try:
hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=ECDSA
raise Exception("Signature verified (unexpected)")
except ValueError:
print("Signature mismatch (as expected)")
Reference in New Issue View Git Blame Copy Permalink