rsapss

package
v0.0.0-...-0d210ac Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 30, 2021 License: MPL-2.0 Imports: 9 Imported by: 0

README 

RSA-PSS Signing
===============

**THIS SIGNER IS DEPRECATED, USE THE `genericrsa` SIGNER INSTEAD**

.. sectnum::
.. contents:: Table of Contents

This signer implements RSA-PSS signing for Widevine and possibly other
signature types in the future. It accepts 20-byte SHA1 hashes on
`/sign/hash` and data to be hashed on `/sign/data`. Both endpoints
return base64-encoded RSA-PSS signatures of the hashed data using
`rsa.PSSSaltLengthEqualsHash` padding.

Example Usage:

.. code:: bash

    # hash your input data into a separate file
    $ echo foo | sha1sum -b | cut -d ' ' -f 1 | xxd -r -p > /tmp/inputhash.bin

    # request a signature using the autograph client
    $ go run client.go -D -wa $(cat /tmp/inputhash.bin | base64) \
      -k dummyrsapss -o /tmp/sig.bin -ko /tmp/pub.key

    # format /tmp/pub.key to PEM (fold lines to 64 and add header and footer)
    $ (echo '-----BEGIN PUBLIC KEY-----'; cat /tmp/pub.key |fold -w 64; echo;echo '-----END PUBLIC KEY-----') > /tmp/pub.pem

    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEM/Vdfd4Vl9wmeVdCYu
    WYnQl0Zc9RW5hLE4hFA+c277qanE8XCK+ap/c5so87XngLLfacB3zZhGxIOut/4S
    lEBOAUmVNCfnTO+YkRk3A8OyJ4XNqdn+/ov78ZbssGf+0zws2BcwZYwhtuTvro3y
    i62FQ7T1TpT5VjljH7sHW/iZnS/RKiY4DwqAN799gkB+Gwovtroabh2w5OX0P+PY
    yUbJLFQeo5uiAQ8cAXTlHqCkj11GYgU4ttVDuFGotKRyaRn1F+yKxE4LQcAULx7s
    0KzvS35mNU+MoywLWjy9a4TcjK0nq+BjspKX4UkNwVstvH18hQWun7E+dxTi59cR
    mwIDAQAB
    -----END PUBLIC KEY-----

    # verify the signature with openssl
    $ openssl pkeyutl -verify \
    -in /tmp/inputhash.bin \
    -sigfile /tmp/sig.bin \
    -inkey /tmp/pub.pem -pubin -keyform PEM \
    -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:sha1

    Signature Verified Successfully

Configuration
-------------

Requires PEM encoded public and private RSA keys.

NB: if the publickey does not match the private key the monitor will
break.

For example:

.. code:: yaml

    signers:
    - id: some-rsa-key
      type: rsapss
      privatekey: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIEpAIBAAKCAQEAtEM/Vdfd4Vl9wmeVdCYuWYnQl0Zc9RW5hLE4hFA+c277qanE
        ...
        TDd4Me4PP+sTZeJ3RKvArDiMzEncDeMGZZnd4dBdi3LjzCNGTANAGw==
        -----END RSA PRIVATE KEY-----
      publickey: |
        -----BEGIN PUBLIC KEY-----
        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEM/Vdfd4Vl9wmeVdCYu
        ...
        mwIDAQAB
        -----END PUBLIC KEY-----

Signature response
------------------

Returns base64-encoded public key (DER) and signature (hex). The
public key is from the config.

.. code:: json

    [
      {
        "ref": "29cfra8jxug9r3mzjapmlbjlp5",
        "type": "rsapss",
        "mode": "",
        "signer_id": "dummy-rsapss",
        "public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEM/Vdfd4Vl9wmeVdCYuWYnQl0Zc9RW5hLE4hFA+c277qanE8XCK+ap/c5so87XngLLfacB3zZhGxIOut/4SlEBOAUmVNCfnTO+YkRk3A8OyJ4XNqdn+/ov78ZbssGf+0zws2BcwZYwhtuTvro3yi62FQ7T1TpT5VjljH7sHW/iZnS/RKiY4DwqAN799gkB+Gwovtroabh2w5OX0P+PYyUbJLFQeo5uiAQ8cAXTlHqCkj11GYgU4ttVDuFGotKRyaRn1F+yKxE4LQcAULx7s0KzvS35mNU+MoywLWjy9a4TcjK0nq+BjspKX4UkNwVstvH18hQWun7E+dxTi59cRmwIDAQAB",
        "signature": "S81qc/poBLToOIXVd8eOS6/CxXdhdsM/0Uz0q4cJWdmSKf9Iv8Eboz94xfuMgl81ybtPrEWDuZRLgY1qr4GxhShwa1Yb7rBtGxyJlseYfstnf24T7B6s4aeW3Zo5lfF2SCONbI0hLSHHyFzPPsnCHxvA2Ji5F+vDeBLpSrXhFn+mn14AGhz6smtU4k/iLPrfhocvBGscZv+7h7PI0vPs3MEckVZeSP8i0CkK4ev1QV88wrIa8estHCbiT4STu5zBHYb0LkkowEyCMW0KrQu5M2HO8yL4SSK9LHNR4WOS8BxBvKIXjmG5bjcH+g0gEK0RFSuJ3sLCNoRETGhRykufJA=="
      }
    ]

Documentation

Index

Constants

View Source 
const (
	// Type of this signer is "rsapss"
	Type = "rsapss"
)

Variables

This section is empty.

Functions

func Unmarshal 

func Unmarshal(sigstr string) (signer.Signature, error)

Unmarshal decodes a base64 signature string into a Signature

func VerifySignature 

func VerifySignature(pubKey *rsa.PublicKey, digest, sigBytes []byte) error

VerifySignature verifies a rsapss signature for the given SHA1 digest for the given RSA public and signature bytes

func VerifySignatureFromB64 

func VerifySignatureFromB64(b64Digest, b64Signature, b64PubKey string) error

VerifySignatureFromB64 verifies a signature from base64 encoded digest, signature, and public key as autograph returns from its API used in the client and monitor

Types

type Options 

type Options struct {
}

Options are not implemented for this signer

type RSAPSSSigner 

type RSAPSSSigner struct {
	signer.Configuration
	// contains filtered or unexported fields
}

RSAPSSSigner holds the configuration of the signer

func New 

func New(conf signer.Configuration) (s *RSAPSSSigner, err error)

New initializes a rsapss signer using a configuration

func (*RSAPSSSigner) Config 

func (s *RSAPSSSigner) Config() signer.Configuration

Config returns the configuration of the current signer

func (*RSAPSSSigner) GetDefaultOptions 

func (s *RSAPSSSigner) GetDefaultOptions() interface{}

GetDefaultOptions returns default options of the signer

func (*RSAPSSSigner) SignData 

func (s *RSAPSSSigner) SignData(data []byte, options interface{}) (signer.Signature, error)

SignData takes data, hashes it and returns a signed base64 encoded hash

func (*RSAPSSSigner) SignHash 

func (s *RSAPSSSigner) SignHash(digest []byte, options interface{}) (signer.Signature, error)

SignHash takes an input hash and returns a signed base64 encoded hash

type Signature 

type Signature struct {
	Data []byte
}

Signature is a rsapss signature

func (*Signature) Marshal 

func (sig *Signature) Marshal() (string, error)

Marshal returns the base64 representation of a signature

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.