python-pkcs11
python-pkcs11 copied to clipboard
Published
20 hours ago •
pyauth
pyauth
BUG: sign DATA over 512 bytes doesn't work
I have the following python script:
#! /usr/bin/env python3
import os
import pkcs11
from Crypto.Hash import SHA256
from Crypto.PublicKey import ECC
from Crypto.Signature import DSS
from pkcs11 import KeyType, ObjectClass, Mechanism
from pkcs11.util.ec import encode_ec_public_key
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
token = lib.get_token(token_label='SmartCard-HSM (UserPIN)')
with token.open(rw=True, user_pin='123456') as session:
priv = session.get_key(label='testkeyEC666', key_type=KeyType.EC, object_class=ObjectClass.PRIVATE_KEY)
pubkey = session.get_key(label='testkeyEC666', key_type=KeyType.EC, object_class=ObjectClass.PUBLIC_KEY)
with open('somefile.bin', 'rb') as f:
data = bytearray(f.read())
signature = priv.sign(bytes(data), mechanism=Mechanism.ECDSA_SHA256)
h = SHA256.new(data)
verifier = DSS.new(ECC.import_key(encode_ec_public_key(pubkey)), 'fips-186-3')
try:
verifier.verify(h, signature)
print("signature ok.")
except ValueError:
print("signature not ok!")
It throws me the following error:
Traceback (most recent call last):
File "/home/Projects/Playground/python-pkcs11/./pkcs11-sign.py", line 30, in <module>
signature = priv.sign(bytes(data), mechanism=Mechanism.ECDSA_SHA256)
File "/usr/local/lib/python3.10/dist-packages/pkcs11/types.py", line 939, in sign
return self._sign(data, **kwargs)
File "pkcs11/_pkcs11.pyx", line 1072, in pkcs11._pkcs11.SignMixin._sign
File "pkcs11/_pkcs11.pyx", line 1083, in pkcs11._pkcs11.SignMixin._sign
File "pkcs11/_errors.pyx", line 88, in pkcs11._pkcs11.assertRV
pkcs11.exceptions.DataLenRange
after some testing it looks like there is a threshold at 512 bytes:
$ dd if=/dev/urandom of=somefile.bin bs=1 count=512
512+0 records in
512+0 records out
512 bytes copied, 0,00262404 s, 195 kB/s
$ ./pkcs11-sign.py
signature ok.
$ dd if=/dev/urandom of=somefile.bin bs=1 count=513
513+0 records in
513+0 records out
513 bytes copied, 0,00251812 s, 204 kB/s
$ ./pkcs11-sign.py
Traceback (most recent call last):
File "/home/Projects/Playground/python-pkcs11/./pkcs11-sign.py", line 30, in <module>
signature = priv.sign(bytes(data), mechanism=Mechanism.ECDSA_SHA256)
File "/usr/local/lib/python3.10/dist-packages/pkcs11/types.py", line 939, in sign
return self._sign(data, **kwargs)
File "pkcs11/_pkcs11.pyx", line 1072, in pkcs11._pkcs11.SignMixin._sign
File "pkcs11/_pkcs11.pyx", line 1083, in pkcs11._pkcs11.SignMixin._sign
File "pkcs11/_errors.pyx", line 88, in pkcs11._pkcs11.assertRV
pkcs11.exceptions.DataLenRange
For the sake of comparison I checked sign/verification using Pycryptodome using plain keys:
#! /usr/bin/env python3
from Crypto.Hash import SHA256
from Crypto.PublicKey import ECC
from Crypto.Signature import DSS
with open('somefile.bin', 'rb') as f:
data = bytearray(f.read())
privkey = ECC.import_key(open('key.pem').read())
pubkey = ECC.import_key(open('cert.pem').read())
h = SHA256.new(bytes(data))
signer = DSS.new(privkey, 'fips-186-3')
signature = signer.sign(h)
verifier = DSS.new(pubkey, 'fips-186-3')
try:
verifier.verify(h, signature)
print("signature ok.")
except ValueError:
print("signature not ok!")
there is no limit on the input file size (1MB here):
$ dd if=/dev/urandom of=somefile.bin bs=1k count=1024
1024+0 records in
1024+0 records out
1048576 bytes (1,0 MB, 1,0 MiB) copied, 0,0126692 s, 82,8 MB/s
$ ./ecdsa.py
signature ok.