From b2d078eec6758c3794ffc41db46e15e2ac7f6da1 Mon Sep 17 00:00:00 2001 From: Roman Zeyde Date: Mon, 18 Apr 2016 21:55:23 +0300 Subject: [PATCH] simplify signer usage and make less INFO loggin --- gpg/check.py | 1 + gpg/decode.py | 4 ++-- gpg/demo.sh | 4 ++-- gpg/signer.py | 31 +++++++++++++++---------------- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/gpg/check.py b/gpg/check.py index db4e0e1..ab2937d 100755 --- a/gpg/check.py +++ b/gpg/check.py @@ -40,6 +40,7 @@ def main(): args = p.parse_args() check(pubkey=decode.load_public_key(open(args.pubkey, 'rb')), sig_file=args.signature) + log.info('OK') if __name__ == '__main__': main() diff --git a/gpg/decode.py b/gpg/decode.py index c936c03..494af6c 100644 --- a/gpg/decode.py +++ b/gpg/decode.py @@ -227,7 +227,7 @@ class Parser(object): def load_public_key(stream): parser = Parser(Reader(stream)) pubkey, userid, signature = list(parser) - log.info('loaded %s public key', userid['value']) + log.debug('loaded public key "%s"', userid['value']) verify_digest(pubkey=pubkey, digest=signature['digest'], signature=signature['sig'], label='GPG public key') return pubkey @@ -244,7 +244,7 @@ def verify_digest(pubkey, digest, signature, label): v.verify_digest(signature=signature, digest=digest, sigdecode=lambda rs, order: rs) - log.info('%s is OK', label) + log.debug('%s is OK', label) except ecdsa.keys.BadSignatureError: log.error('Bad %s!', label) raise diff --git a/gpg/demo.sh b/gpg/demo.sh index a012157..655a547 100755 --- a/gpg/demo.sh +++ b/gpg/demo.sh 
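Review bot: In gpg/check.py `main()`, the added `log.info('OK')` reports success on any normal return from `check()`, so it is only accurate if `check()` raises on every verification failure; `check()` is outside this hunk, so that should be confirmed. A short comment would make the contract explicit, e.g. `# check() raises on a bad signature, so reaching this line means it verified`. If `check()` can instead return a falsy result, test that result before logging and exit non-zero on failure.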
@@ -5,14 +5,14 @@ NAME="trezor_key" # will be used as GPG user id and public key name echo "Hello GPG World!" > EXAMPLE # Create, sign and export the public key -./signer.py $NAME --time $CREATED --public-key --verbose +./signer.py $NAME --time $CREATED # Install GPG v2.1 (modern) and import the public key gpg2 --import $NAME.pub gpg2 --list-keys $NAME # Perform actual GPG signature using TREZOR -./signer.py $NAME --file EXAMPLE --verbose +./signer.py $NAME EXAMPLE ./check.py $NAME.pub EXAMPLE.sig # pure Python verification # gpg2 --edit-key trezor_key trust # optional: mark it as trusted diff --git a/gpg/signer.py b/gpg/signer.py index 16bf610..bbeaa7f 100755 --- a/gpg/signer.py +++ b/gpg/signer.py @@ -104,10 +104,10 @@ class Signer(object): # https://tools.ietf.org/html/rfc6637#section-11 (NIST P-256 OID) oid = prefix_len('>B', b'\x2A\x86\x48\xCE\x3D\x03\x01\x07') - point = verifying_key.pubkey.point + self._point = verifying_key.pubkey.point self.pubkey_data = header + oid + mpi((4 << 512) | - (point.x() << 256) | - (point.y())) + (self._point.x() << 256) | + (self._point.y())) self.data_to_hash = b'\x99' + prefix_len('>H', self.pubkey_data) fingerprint = hashlib.sha1(self.data_to_hash).digest() 
@@ -125,15 +125,15 @@ class Signer(object): user_id_to_hash = user_id_packet[:1] + prefix_len('>L', self.user_id) data_to_sign = self.data_to_hash + user_id_to_hash - log.info('signing user_id: %r', self.user_id.decode('ascii')) + key_id = hexlify(self.key_id[-4:]) + log.info('signing public key "%s": %s', self.user_id, key_id) hashed_subpackets = [ subpacket_time(self.created), # signature creaion time subpacket_byte(0x1B, 1 | 2), # key flags (certify & sign) subpacket_byte(0x15, 8), # preferred hash (SHA256) subpacket_byte(0x16, 0), # preferred compression (none) subpacket_byte(0x17, 0x80)] # key server prefs (no-modify) - visual = hexlify(self.key_id[-4:]) - signature = self._make_signature(visual=visual, + signature = self._make_signature(visual=key_id, data_to_sign=data_to_sign, sig_type=0x13, # user id & public key hashed_subpackets=hashed_subpackets) @@ -148,9 +148,9 @@ class Signer(object): log.info('signing message %r at %s', msg, time_format(sign_time)) hashed_subpackets = [subpacket_time(sign_time)] - visual = hexlify(self.key_id[-4:]) + key_id = hexlify(self.key_id[-4:]) blob = self._make_signature( - visual=visual, + visual=key_id, data_to_sign=msg, hashed_subpackets=hashed_subpackets) return packet(tag=2, blob=blob) @@ -173,13 +173,16 @@ class Signer(object): result = self.client_wrapper.connection.sign_identity( identity=self.identity, - challenge_hidden=hashlib.sha256(data_to_hash).digest(), + challenge_hidden=digest, challenge_visual=visual, ecdsa_curve_name=self.ecdsa_curve_name) assert result.signature[:1] == b'\x00' sig = result.signature[1:] sig = [trezor_agent.util.bytes2num(sig[:32]), trezor_agent.util.bytes2num(sig[32:])] + decode.verify_digest(pubkey={'point': (self._point.x(), self._point.y())}, + digest=digest, + signature=sig, label='GPG signature') hash_prefix = digest[:2] # used for decoder's sanity check signature = mpi(sig[0]) + mpi(sig[1]) # actual ECDSA signature 
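Review bot: In the `@@ -125,15` hunk of gpg/signer.py, the new `log.info('signing public key "%s": %s', self.user_id, key_id)` passes two byte strings to `%s`: the removed line decoded `self.user_id` with `.decode('ascii')`, and `hexlify()` returns bytes on Python 3. On Python 3 the message would render with `b'...'` wrappers around both values, which is noisy in a line the operator presumably uses to match the key id against the `challenge_visual` value sent to the device. Consider `log.info('signing public key "%s": %s', self.user_id.decode('ascii'), key_id.decode('ascii'))`, while still passing the bytes `key_id` as `visual=`. The enclosing method starts and ends outside the hunk.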
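Review bot: In the `@@ -173,13` hunk, the new `decode.verify_digest(...)` self-check runs after `assert result.signature[:1] == b'\x00'` and the fixed `sig[:32]` / `sig[32:]` slices, so the format of the device response is guarded only by an `assert`, which is removed under `python -O`, and its length is never checked. Replace it with an explicit guard such as `if len(result.signature) != 65 or result.signature[:1] != b'\x00': raise ValueError('unexpected signature format')`; the value 65 is inferred from the slicing shown here. The same pattern appears in the `@@ -230,8` hunk, where `assert s.key_id == pubkey['key_id']` is the only visible check that the device key matches the GPG key before signing. A comment above the `verify_digest` call should state that it checks the device's signature against the public key captured at construction (`self._point`) and that the hand-built `{'point': ...}` dict must match the shape `decode.verify_digest` expects. The method body continues outside the hunk.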
@@ -210,19 +213,16 @@ def load_from_gpg(user_id): def main(): p = argparse.ArgumentParser() p.add_argument('user_id') + p.add_argument('filename', nargs='?', ) p.add_argument('-t', '--time', type=int, default=int(time.time())) p.add_argument('-a', '--armor', action='store_true', default=False) p.add_argument('-v', '--verbose', action='store_true', default=False) - g = p.add_mutually_exclusive_group() - g.add_argument('-f', '--filename', help='File to sign') - g.add_argument('-p', '--public-key', action='store_true', default=False) - args = p.parse_args() logging.basicConfig(level=logging.DEBUG if args.verbose else logging.INFO, format='%(asctime)s %(levelname)-10s %(message)s') user_id = args.user_id.encode('ascii') - if args.public_key: + if not args.filename: s = Signer(user_id=user_id, created=args.time) pubkey = s.export() ext = '.pub' @@ -230,8 +230,7 @@ def main(): pubkey = armor(pubkey, 'PUBLIC KEY BLOCK') ext = '.asc' open(args.user_id + ext, 'wb').write(pubkey) - - elif args.filename: + else: pubkey = load_from_gpg(args.user_id) s = Signer(user_id=user_id, created=pubkey['created']) assert s.key_id == pubkey['key_id']
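Review bot: In `main()`, the new `if not args.filename:` test makes key export the fallback for a missing or empty `filename`, and that branch writes `args.user_id + ext` with `open(..., 'wb')`, so an invocation that merely omits the file argument silently overwrites an existing public-key file with a key whose creation time is the new default `--time`. Before this change the export branch required `--public-key`. Use `if args.filename is None:` so an empty string is not treated as a request to export, and consider refusing to overwrite an existing file (on Python 3, mode `'xb'`) or keeping an explicit export flag. The `else:` in the `@@ -230,8` hunk is the other half of this change, and `main()` appears to continue past both hunks.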