From 3e8a3d9559943759b038ff573908177ec1681a0c Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Mon, 6 Apr 2020 17:51:26 +0200 Subject: [PATCH] Use hash algo per ecdsa curve and add nistp384 This commit adds support for verifying ecdsa signature on the nistp384 curve with sha384 digests to the internal ecdsa_keys module. It does so by adding module global helper dictionary to map schemes to hash algorithms. Note: This commit tries to blend in with the current sslib design. In future work we should: - define securesystemslib-wide constants instead of hardcoding strings over and over again (see item 3 in #183) --- securesystemslib/ecdsa_keys.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/securesystemslib/ecdsa_keys.py b/securesystemslib/ecdsa_keys.py index 51f8810e..aae23641 100755 --- a/securesystemslib/ecdsa_keys.py +++ b/securesystemslib/ecdsa_keys.py @@ -57,6 +57,12 @@ from cryptography.hazmat.primitives.serialization import load_pem_private_key import cryptography.exceptions + + _SCHEME_HASHER = { + 'ecdsa-sha2-nistp256': ec.ECDSA(hashes.SHA256()), + 'ecdsa-sha2-nistp384': ec.ECDSA(hashes.SHA384()) + } + except ImportError: CRYPTO = False @@ -331,7 +337,7 @@ def verify_signature(public_key, scheme, signature, data): # verify() raises an 'InvalidSignature' exception if 'signature' # is invalid. try: - ecdsa_key.verify(signature, data, ec.ECDSA(hashes.SHA256())) + ecdsa_key.verify(signature, data, _SCHEME_HASHER[scheme]) return True except (TypeError, cryptography.exceptions.InvalidSignature):