summaryrefslogtreecommitdiff
path: root/tools/certtools.py
diff options
context:
space:
mode:
Diffstat (limited to 'tools/certtools.py')
-rw-r--r--tools/certtools.py19
1 files changed, 15 insertions, 4 deletions
diff --git a/tools/certtools.py b/tools/certtools.py
index 6dd97c4..beb2812 100644
--- a/tools/certtools.py
+++ b/tools/certtools.py
@@ -18,6 +18,10 @@ import zipfile
import shutil
from certkeys import publickeys
+from Crypto.Hash import SHA256
+import Crypto.PublicKey.RSA as RSA
+from Crypto.Signature import PKCS1_v1_5
+
def get_cert_info(s):
p = subprocess.Popen(
["openssl", "x509", "-noout", "-subject", "-issuer", "-inform", "der"],
@@ -257,12 +261,19 @@ def check_signature(baseurl, signature, data, publickey=None):
(hash_alg, signature_alg, unpacked_signature) = decode_signature(signature)
assert hash_alg == 4, \
"hash_alg is %d, expected 4" % (hash_alg,) # sha256
- assert signature_alg == 3, \
- "signature_alg is %d, expected 3" % (signature_alg,) # ecdsa
+ assert (signature_alg == 3 or signature_alg == 1), \
+ "signature_alg is %d, expected 1 or 3" % (signature_alg,) # ecdsa
- vk = ecdsa.VerifyingKey.from_der(publickey)
- vk.verify(unpacked_signature, data, hashfunc=hashlib.sha256,
+ if signature_alg == 3:
+ vk = ecdsa.VerifyingKey.from_der(publickey)
+ vk.verify(unpacked_signature, data, hashfunc=hashlib.sha256,
sigdecode=ecdsa.util.sigdecode_der)
+ else:
+ h = SHA256.new(data)
+ rsa_key = RSA.importKey(publickey)
+ verifier = PKCS1_v1_5.new(rsa_key)
+ assert verifier.verify(h, unpacked_signature), \
+ "could not verify RSA signature"
def parse_auth_header(authheader):
splittedheader = authheader.split(";")
generated by cgit v1.1 at 2025-07-11 18:20:58 +0000