authorLegrandin <gooksankoo@hoiptorrow.mailexpire.com>2011-10-02 22:30:07 +0200
committerLegrandin <gooksankoo@hoiptorrow.mailexpire.com>2011-10-02 22:37:36 +0200
commit9cb1a2d35d916180dee8351fe6f2ddf4f6dba72d (patch)
treebb891e868546746a8a756ba8052bb70e79100a16 /lib/Crypto/Signature
parent02103e2a5aca97b299b63723fb6752c2cbc00b23 (diff)
To simplify, no RNG needs to be provided with PKCS1 encryption: the one belonging to each RSA key is reused.
Error detection is internally implemented in a simpler (and safer) way for PKCS1 OAEP decryption. General fixes to documentation for PKCS1.
Diffstat (limited to 'lib/Crypto/Signature')
-rw-r--r--lib/Crypto/Signature/PKCS1_PSS.py29
-rw-r--r--lib/Crypto/Signature/PKCS1_v1_5.py29
-rw-r--r--lib/Crypto/Signature/__init__.py4
3 files changed, 34 insertions, 28 deletions
diff --git a/lib/Crypto/Signature/PKCS1_PSS.py b/lib/Crypto/Signature/PKCS1_PSS.py
index 9dbeff3..4b43655 100644
--- a/lib/Crypto/Signature/PKCS1_PSS.py
+++ b/lib/Crypto/Signature/PKCS1_PSS.py
@@ -22,8 +22,7 @@
"""RSA digital signature protocol with appendix according to PKCS#1 PSS.
-See RFC3447 or the original RSA Labs specification at
-http://www.rsa.com/rsalabs/node.asp?id=2125.
+See RFC3447__ or the `original RSA Labs specification`__.
This scheme is more properly called ``RSASSA-PSS``.
@@ -36,16 +35,15 @@ this:
>>> from Crypto import Random
>>>
>>> message = 'To be signed'
- >>> rng = Random.new().read
- >>> key = RSA.importKey('privkey.der')
+ >>> key = RSA.importKey(open('privkey.der').read())
>>> h = SHA.new()
>>> h.update(message)
- >>> signature = PKCS1_PSS.sign(h, key, rng)
+ >>> signature = PKCS1_PSS.sign(h, key)
At the receiver side, verification can be done like using the public part of
the RSA key:
- >>> key = RSA.importKey('pubkey.der')
+ >>> key = RSA.importKey(open('pubkey.der').read())
>>> h = SHA.new()
>>> h.update(message)
>>> if PKCS1_PSS.verify(h, key, signature):
@@ -53,6 +51,10 @@ the RSA key:
>>> else:
>>> print "The signature is not authentic."
+:undocumented: __revision__, __package__
+
+.. __: http://www.ietf.org/rfc/rfc3447.txt
+.. __: http://www.rsa.com/rsalabs/node.asp?id=2125
"""
# Allow nested scopes in Python 2.1
@@ -66,7 +68,7 @@ import Crypto.Util.number
from Crypto.Util.number import ceil_shift, ceil_div, long_to_bytes
from Crypto.Util.strxor import strxor
-def sign(mhash, key, randfunc, mgfunc=None, saltLen=None):
+def sign(mhash, key, mgfunc=None, saltLen=None):
"""Produce the PKCS#1 PSS signature of a message.
This function is named ``RSASSA-PSS-SIGN``, and is specified in
@@ -79,10 +81,6 @@ def sign(mhash, key, randfunc, mgfunc=None, saltLen=None):
key : RSA key object
The key to use to sign the message. This is a `Crypto.PublicKey.RSA`
object and must have its private half.
- randfunc : callable
- An RNG function that accepts as only parameter an int, and returns
- a string of random bytes, to be used as salt.
- This parameter is ignored if salt length is zero.
mgfunc : callable
A mask generation function that accepts two parameters: a string to
use as seed, and the lenth of the mask to generate, in bytes.
@@ -104,6 +102,8 @@ def sign(mhash, key, randfunc, mgfunc=None, saltLen=None):
"""
# TODO: Verify the key is RSA
+ randfunc = key._randfunc
+
# Set defaults for salt length and mask generation function
if saltLen == None:
sLen = mhash.digest_size
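Review bot: `randfunc = key._randfunc` reads a private attribute of the key without checking that it exists, so a key object that lacks it (the `# TODO: Verify the key is RSA` just above is still open) fails with an AttributeError from inside sign() instead of a clear message; a guard such as `if not hasattr(key, '_randfunc'): raise TypeError("key must be an RSA key object with an RNG")` (constructed wording) would make the precondition explicit. The removed parameter paragraph was also the only place that said the RNG is not consulted when the salt length is zero; that fact is worth keeping in the docstring, e.g. as a line under `saltLen` reading `If zero, no random bytes are drawn from the key's RNG.` sign() starts and ends outside this hunk.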
@@ -216,7 +216,7 @@ def EMSA_PSS_ENCODE(mhash, emBits, randFunc, mgf, sLen):
randFunc : callable
An RNG function that accepts as only parameter an int, and returns
a string of random bytes, to be used as salt.
- mfg : callable
+ mgf : callable
A mask generation function that accepts two parameters: a string to
use as seed, and the lenth of the mask to generate, in bytes.
sLen : int
@@ -275,10 +275,7 @@ def EMSA_PSS_VERIFY(mhash, em, emBits, mgf, sLen):
the message that was received.
emBits : int
Length of the final encoding (em), in bits.
- randfunc : callable
- An RNG function that accepts as only parameter an int, and returns
- a string of random bytes, to be used as salt.
- mfg : callable
+ mgf : callable
A mask generation function that accepts two parameters: a string to
use as seed, and the lenth of the mask to generate, in bytes.
sLen : int
diff --git a/lib/Crypto/Signature/PKCS1_v1_5.py b/lib/Crypto/Signature/PKCS1_v1_5.py
index 3c8e8e3..6e0817d 100644
--- a/lib/Crypto/Signature/PKCS1_v1_5.py
+++ b/lib/Crypto/Signature/PKCS1_v1_5.py
@@ -20,10 +20,10 @@
# SOFTWARE.
# ===================================================================
-"""RSA digital signature protocol according to PKCS#1 v1.5
+"""
+RSA digital signature protocol according to PKCS#1 v1.5
-See RFC3447 or the original RSA Labs specification at
-http://www.rsa.com/rsalabs/node.asp?id=2125.
+See RFC3447__ or the `original RSA Labs specification`__.
This scheme is more properly called ``RSASSA-PKCS1-v1_5``.
@@ -35,21 +35,24 @@ this:
>>> from Crypto.PublicKey import RSA
>>>
>>> message = 'To be signed'
- >>> key = RSA.importKey('key.der')
- >>> h = SHA.new()
- >>> h.update(message)
- >>>> signature = PKCS1_v1_5.sign(h, key)
+ >>> key = RSA.importKey(open('privkey.der').read())
+ >>> h = SHA.new(message)
+ >>> signature = PKCS1_v1_5.sign(h, key)
At the receiver side, verification can be done using the public part of
the RSA key:
- >>> key = RSA.importKey('pubkey.der')
- >>> h = SHA.new()
- >>> h.update(message)
+ >>> key = RSA.importKey(open('pubkey.der').read())
+ >>> h = SHA.new(message)
>>> if PKCS.verify(h, key, signature):
>>> print "The signature is authentic."
>>> else:
>>> print "The signature is not authentic."
+
+:undocumented: __revision__, __package__
+
+.. __: http://www.ietf.org/rfc/rfc3447.txt
+.. __: http://www.rsa.com/rsalabs/node.asp?id=2125
"""
__revision__ = "$Id$"
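Review bot: The verification example still calls `PKCS.verify(h, key, signature)` while the signing line a few lines above now uses `PKCS1_v1_5.sign(h, key)`; `PKCS` is never imported in the snippet, so the example cannot be run as written. The line should read `>>> if PKCS1_v1_5.verify(h, key, signature):`. That line is context in this hunk and the commit does not touch it, so the fix would be a follow-up to this docstring.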
@@ -113,7 +116,7 @@ def verify(mhash, key, S):
S : string
The signature that needs to be validated.
- :Return: True if verification is correct. False otherwise.
+ :Return: True (1) if verification is correct. False (0) otherwise.
"""
# TODO: Verify the key is RSA
@@ -137,6 +140,10 @@ def verify(mhash, key, S):
except ValueError:
return 0
# Step 4
+ # By comparing the full encodings (as opposed to checking each
+ # of its components one at a time) we avoid attacks to the padding
+ # scheme like Bleichenbacher's (see http://www.mail-archive.com/cryptography@metzdowd.com/msg06537).
+ #
return em1==em2
def EMSA_PKCS1_V1_5_ENCODE(hash, emLen):
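Review bot: The new Step 4 comment ends with an empty `#` line that carries no text and should be dropped, and it names the attack without saying what property of the code defeats it. What appears to matter here, judging from the surrounding lines, is that em2 is rebuilt by the verifier from the message hash at the expected length and compared whole, so a decoded signature whose padding or DigestInfo deviates anywhere produces a mismatch rather than being partially accepted by a lenient parser; a comment along the lines of `# Step 4: compare the complete encodings rather than parsing the padding and DigestInfo of em1 field by field; lenient parsing is what Bleichenbacher's forgery exploits (see <link already in the comment>)` would state the reasoning for the next reader. Since verify() takes only the message hash and the signature, both encodings derive from data available to any holder of the public key, so the short-circuiting `==` is acceptable in this function. verify() starts outside this hunk.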
diff --git a/lib/Crypto/Signature/__init__.py b/lib/Crypto/Signature/__init__.py
index 3104220..ed523b4 100644
--- a/lib/Crypto/Signature/__init__.py
+++ b/lib/Crypto/Signature/__init__.py
@@ -20,7 +20,9 @@
"""Digital signature protocols
-A collection of standardized protocols to carry out digital signature.
+A collection of standardized protocols to carry out digital signatures.
+
+:undocumented: __revision__, __package__
"""
__all__ = [ 'PKCS1_v1_5', 'PKCS1_PSS' ]