author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2016-11-21 00:20:52 +0800 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2016-11-20 11:20:52 -0500 |
commit | 80ec631601a79fef5bd137a895cd70162ff6b4ca (patch) | |
tree | 3068e39bd74bc215bb59bb3bade0d334ffca3267 /src | |
parent | 6012ccff0d709a80259f93a406eca5d133b40108 (diff) | |
add support for prehashing in ECDSA sign/verify (#3267)
* add support for prehashing in ECDSA sign/verify
* move signature_algorithm check to its own function
Diffstat (limited to 'src')
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/ec.py | 57 |
1 files changed, 34 insertions, 23 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index 0c8716f5..5969f2a3 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -8,7 +8,9 @@ from cryptography import utils
 from cryptography.exceptions import (
     InvalidSignature, UnsupportedAlgorithm, _Reasons
 )
-from cryptography.hazmat.backends.openssl.utils import _truncate_digest
+from cryptography.hazmat.backends.openssl.utils import (
+    _calculate_digest_and_algorithm, _truncate_digest
+)
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import (
     AsymmetricSignatureContext, AsymmetricVerificationContext, ec
@@ -40,6 +42,13 @@ def _truncate_digest_for_ecdsa(ec_key_cdata, digest, backend):
     return _truncate_digest(digest, order_bits)
 
 
+def _check_signature_algorithm(signature_algorithm):
+    if not isinstance(signature_algorithm, ec.ECDSA):
+        raise UnsupportedAlgorithm(
+            "Unsupported elliptic curve signature algorithm.",
+            _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
+
+
 def _ec_key_curve_sn(backend, ec_key):
     group = backend._lib.EC_KEY_get0_group(ec_key)
     backend.openssl_assert(group != backend._ffi.NULL)
@@ -159,14 +168,10 @@ class _EllipticCurvePrivateKey(object):
     curve = utils.read_only_property("_curve")
 
     def signer(self, signature_algorithm):
-        if isinstance(signature_algorithm, ec.ECDSA):
-            return _ECDSASignatureContext(
-                self._backend, self, signature_algorithm.algorithm
-            )
-        else:
-            raise UnsupportedAlgorithm(
-                "Unsupported elliptic curve signature algorithm.",
-                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
+        _check_signature_algorithm(signature_algorithm)
+        return _ECDSASignatureContext(
+            self._backend, self, signature_algorithm.algorithm
+        )
 
     def exchange(self, algorithm, peer_public_key):
         if not (
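Review bot: The new `_check_signature_algorithm` helper in the second hunk has no docstring, and because it is now the single gate that `signer`, `verifier`, `sign` and `verify` all rely on, its contract should be stated where it is defined; I would add `"""Raise UnsupportedAlgorithm unless *signature_algorithm* is an ec.ECDSA instance."""` as its first line. Documenting that it raises rather than returns also makes clear to the next reader why the refactored `signer` in the third hunk can call it and fall straight through to constructing the context.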
@@ -238,9 +243,14 @@ class _EllipticCurvePrivateKey(object):
         )
 
     def sign(self, data, signature_algorithm):
-        signer = self.signer(signature_algorithm)
-        signer.update(data)
-        return signer.finalize()
+        _check_signature_algorithm(signature_algorithm)
+        data, algorithm = _calculate_digest_and_algorithm(
+            self._backend, data, signature_algorithm._algorithm
+        )
+        data = _truncate_digest_for_ecdsa(
+            self._ec_key, data, self._backend
+        )
+        return _ecdsa_sig_sign(self._backend, self, data)
 
 
 @utils.register_interface(ec.EllipticCurvePublicKeyWithSerialization)
@@ -260,14 +270,10 @@ class _EllipticCurvePublicKey(object):
         if not isinstance(signature, bytes):
             raise TypeError("signature must be bytes.")
 
-        if isinstance(signature_algorithm, ec.ECDSA):
-            return _ECDSAVerificationContext(
-                self._backend, self, signature, signature_algorithm.algorithm
-            )
-        else:
-            raise UnsupportedAlgorithm(
-                "Unsupported elliptic curve signature algorithm.",
-                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
+        _check_signature_algorithm(signature_algorithm)
+        return _ECDSAVerificationContext(
+            self._backend, self, signature, signature_algorithm.algorithm
+        )
 
     def public_numbers(self):
         set_func, get_func, group = (
@@ -307,6 +313,11 @@ class _EllipticCurvePublicKey(object):
         )
 
     def verify(self, signature, data, signature_algorithm):
-        verifier = self.verifier(signature, signature_algorithm)
-        verifier.update(data)
-        verifier.verify()
+        _check_signature_algorithm(signature_algorithm)
+        data, algorithm = _calculate_digest_and_algorithm(
+            self._backend, data, signature_algorithm._algorithm
+        )
+        data = _truncate_digest_for_ecdsa(
+            self._ec_key, data, self._backend
+        )
+        return _ecdsa_sig_verify(self._backend, self, signature, data)
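Review bot: In the new `sign` body the `algorithm` value unpacked from `_calculate_digest_and_algorithm` is never used and the caller-supplied `data` is rebound first to the digest and then to the truncated digest, which makes it easy to misread which bytes actually reach `_ecdsa_sig_sign`; the same applies to `verify` in the last hunk. I would write `digest, _ = _calculate_digest_and_algorithm(self._backend, data, signature_algorithm.algorithm)` and `digest = _truncate_digest_for_ecdsa(self._ec_key, digest, self._backend)`, using the public `.algorithm` accessor as `signer` and `verifier` in this same commit do rather than the private `_algorithm`. Since this is the path that now accepts a pre-computed digest, the only thing standing between a wrong-length caller-supplied "digest" and the truncation step is whatever length validation `_calculate_digest_and_algorithm` performs against the declared hash, which is outside this diff and worth confirming. The old `verify` returned `None` on success, while the new one returns whatever `_ecdsa_sig_verify` yields (not visible here); keeping `verify` as a raise-on-failure procedure with no return value avoids callers treating a truthy result as proof of validity.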