Yasuke/moto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

KMS: Add RSASSA_PKCS1_V1_5_SHA_256, 384, 512 signing algorithms (#6729)

Browse Source
This commit is contained in:
Akira Noda 2023-08-26 16:18:00 +09:00 committed by GitHub
parent fedca69991
commit 866c28a309
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 33 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
moto/kms/utils.py
View File

@ -11,6 +11,7 @@ from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes
from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding
from cryptography.hazmat.primitives.asymmetric import rsa, padding from cryptography.hazmat.primitives.asymmetric import rsa, padding
@ -181,52 +182,50 @@ class RSAPrivateKey(AbstractPrivateKey):
public_exponent=65537, key_size=self.key_size public_exponent=65537, key_size=self.key_size
) )
def sign(self, message: bytes, signing_algorithm: str) -> bytes: def __padding_and_hash_algorithm(
validate_signing_algorithm( self, signing_algorithm: str
signing_algorithm, SigningAlgorithm.rsa_signing_algorithms() ) -> Tuple[AsymmetricPadding, hashes.HashAlgorithm]:
)
if signing_algorithm == SigningAlgorithm.RSASSA_PSS_SHA_256: if signing_algorithm == SigningAlgorithm.RSASSA_PSS_SHA_256:
pad = padding.PSS( pad = padding.PSS(
mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH
) ) # type: AsymmetricPadding
algorithm = hashes.SHA256() # type: Any algorithm = hashes.SHA256() # type: Any
elif signing_algorithm == SigningAlgorithm.RSASSA_PSS_SHA_384: elif signing_algorithm == SigningAlgorithm.RSASSA_PSS_SHA_384:
pad = padding.PSS( pad = padding.PSS(
mgf=padding.MGF1(hashes.SHA384()), salt_length=padding.PSS.MAX_LENGTH mgf=padding.MGF1(hashes.SHA384()), salt_length=padding.PSS.MAX_LENGTH
) )
algorithm = hashes.SHA384() algorithm = hashes.SHA384()
else: elif signing_algorithm == SigningAlgorithm.RSASSA_PSS_SHA_512:
pad = padding.PSS( pad = padding.PSS(
mgf=padding.MGF1(hashes.SHA512()), salt_length=padding.PSS.MAX_LENGTH mgf=padding.MGF1(hashes.SHA512()), salt_length=padding.PSS.MAX_LENGTH
) )
algorithm = hashes.SHA512() algorithm = hashes.SHA512()
return self.private_key.sign(message, pad, algorithm) elif signing_algorithm == SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256:
pad = padding.PKCS1v15()
algorithm = hashes.SHA256()
elif signing_algorithm == SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_384:
pad = padding.PKCS1v15()
algorithm = hashes.SHA384()
else:
pad = padding.PKCS1v15()
algorithm = hashes.SHA512()
return pad, algorithm
def sign(self, message: bytes, signing_algorithm: str) -> bytes:
validate_signing_algorithm(
signing_algorithm, SigningAlgorithm.rsa_signing_algorithms()
)
pad, hash_algorithm = self.__padding_and_hash_algorithm(signing_algorithm)
return self.private_key.sign(message, pad, hash_algorithm)
def verify(self, message: bytes, signature: bytes, signing_algorithm: str) -> bool: def verify(self, message: bytes, signature: bytes, signing_algorithm: str) -> bool:
validate_signing_algorithm( validate_signing_algorithm(
signing_algorithm, SigningAlgorithm.rsa_signing_algorithms() signing_algorithm, SigningAlgorithm.rsa_signing_algorithms()
) )
pad, hash_algorithm = self.__padding_and_hash_algorithm(signing_algorithm)
if signing_algorithm == SigningAlgorithm.RSASSA_PSS_SHA_256:
pad = padding.PSS(
mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH
)
algorithm = hashes.SHA256() # type: Any
elif signing_algorithm == SigningAlgorithm.RSASSA_PSS_SHA_384:
pad = padding.PSS(
mgf=padding.MGF1(hashes.SHA384()), salt_length=padding.PSS.MAX_LENGTH
)
algorithm = hashes.SHA384()
else:
pad = padding.PSS(
mgf=padding.MGF1(hashes.SHA512()), salt_length=padding.PSS.MAX_LENGTH
)
algorithm = hashes.SHA512()
public_key = self.private_key.public_key() public_key = self.private_key.public_key()
try: try:
public_key.verify(signature, message, pad, algorithm) public_key.verify(signature, message, pad, hash_algorithm)
return True return True
except InvalidSignature: except InvalidSignature:
return False return False

9
tests/test_kms/test_kms_boto3.py
View File

@ -1170,7 +1170,14 @@ def test_sign_and_verify_ignoring_grant_tokens():
list( list(
itertools.product( itertools.product(
["RSA_2048", "RSA_3072", "RSA_4096"], ["RSA_2048", "RSA_3072", "RSA_4096"],
["RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512"], [
"RSASSA_PSS_SHA_256",
"RSASSA_PSS_SHA_384",
"RSASSA_PSS_SHA_512",
"RSASSA_PKCS1_V1_5_SHA_256",
"RSASSA_PKCS1_V1_5_SHA_384",
"RSASSA_PKCS1_V1_5_SHA_512",
],
) )
), ),
) )