Package Crypto :: Package Signature :: Module PKCS1_PSS

Module PKCS1_PSS

RSA digital signature protocol with appendix according to PKCS#1 PSS.

See RFC3447 or the original RSA Labs specification.

This scheme is more properly called RSASSA-PSS.

For example, a sender may authenticate a message using SHA-1 and PSS like this:

>>> from Crypto.Signature import PKCS1_PSS
>>> from Crypto.Hash import SHA
>>> from Crypto.PublicKey import RSA
>>> from Crypto import Random
>>>
>>> message = 'To be signed'
>>> key = RSA.importKey(open('privkey.der').read())
>>> h = SHA.new()
>>> h.update(message)
>>> signer = PKCS1_PSS.new(key)
>>> signature = PKCS1_PSS.sign(key)

At the receiver side, verification can be done like using the public part of the RSA key:

>>> key = RSA.importKey(open('pubkey.der').read())
>>> h = SHA.new()
>>> h.update(message)
>>> verifier = PKCS1_PSS.new(key)
>>> if verifier.verify(h, signature):
>>>     print "The signature is authentic."
>>> else:
>>>     print "The signature is not authentic."

Classes

[hide private]

PSS_SigScheme
This signature scheme can perform PKCS#1 PSS RSA signature or verification.

Functions

[hide private]

MGF1(mgfSeed, maskLen, hash)
Mask Generation Function, described in B.2.1

EMSA_PSS_ENCODE(mhash, emBits, randFunc, mgf, sLen)
Implement the EMSA-PSS-ENCODE function, as defined in PKCS#1 v2.1 (RFC3447, 9.1.1).

EMSA_PSS_VERIFY(mhash, em, emBits, mgf, sLen)
Implement the EMSA-PSS-VERIFY function, as defined in PKCS#1 v2.1 (RFC3447, 9.1.2).

new(key, mgfunc=None, saltLen=None)
Return a signature scheme object PSS_SigScheme that can be used to perform PKCS#1 PSS signature or verification.

Function Details

[hide private]

EMSA_PSS_ENCODE(mhash, emBits, randFunc, mgf, sLen)

Implement the EMSA-PSS-ENCODE function, as defined in PKCS#1 v2.1 (RFC3447, 9.1.1).

The original EMSA-PSS-ENCODE actually accepts the message M as input, and hash it internally. Here, we expect that the message has already been hashed instead.

Parameters:

mhash (hash object) - The hash object that holds the digest of the message being signed.
emBits (int) - Maximum length of the final encoding, in bits.
randFunc (callable) - An RNG function that accepts as only parameter an int, and returns a string of random bytes, to be used as salt.
mgf (callable) - A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes.
sLen (int) - Length of the salt, in bytes.

Returns:

An emLen byte long string that encodes the hash (with emLen = \ceil(emBits/8)).

Raises:

ValueError - When digest or salt length are too big.

EMSA_PSS_VERIFY(mhash, em, emBits, mgf, sLen)

Implement the EMSA-PSS-VERIFY function, as defined in PKCS#1 v2.1 (RFC3447, 9.1.2).

EMSA-PSS-VERIFY actually accepts the message M as input, and hash it internally. Here, we expect that the message has already been hashed instead.

Parameters:

mhash (hash object) - The hash object that holds the digest of the message to be verified.
em (string) - The signature to verify, therefore proving that the sender really signed the message that was received.
emBits (int) - Length of the final encoding (em), in bits.
mgf (callable) - A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes.
sLen (int) - Length of the salt, in bytes.

Returns:

0 if the encoding is consistent, 1 if it is inconsistent.

Raises:

ValueError - When digest or salt length are too big.

new(key, mgfunc=None, saltLen=None)

Return a signature scheme object PSS_SigScheme that can be used to perform PKCS#1 PSS signature or verification.

Parameters:

key (RSA key object) - The key to use to sign or verify the message. This is a Crypto.PublicKey.RSA object. Signing is only possible if key is a private RSA key.
mgfunc (callable) - A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. If not specified, the standard MGF1 is used.
saltLen (int) - Length of the salt, in bytes. If not specified, it matches the output size of the hash function.