我有一个python脚本,它基本上反映了Attribute Dump实现的功能。在我的2号插槽中,我有一张读卡器可以识别的智能卡。该卡包含一个RSA密钥对和一个x509证书,可以使用openssl显示。设备读取器没有问题,因为会话已打开,显示了正确的供应商信息以及找到的[1]对象。在尝试使用SHA1对消息进行签名时,尝试获取所有可用属性时,我收到一个CKR_ATTRIBUTE_TYPE_INVALID异常。我不确定坏的属性类型发生在哪里,我试图找到罪魁祸首已经有一段时间了,但是没有成功。在
print "Found %d objects: %s" % (len(objects), [x.value() for x in objects])
#-----------------------------CUTOFF FOR BAD ATTRIBUTE TYPE----------------------------
all_attributes = PyKCS11.CKA.keys()
# only use the integer values and not the strings like 'CKM_RSA_PKCS'
all_attributes = [e for e in all_attributes if isinstance(e, int)]
attributes = [
["CKA_ENCRYPT", PyKCS11.CKA_ENCRYPT],
["CKA_CLASS", PyKCS11.CKA_CLASS],
["CKA_DECRYPT", PyKCS11.CKA_DECRYPT],
["CKA_SIGN", PyKCS11.CKA_SIGN],
["CKA_VERIFY", PyKCS11.CKA_VERIFY],
["CKA_ID", PyKCS11.CKA_ID],
["CKA_MODULUS", PyKCS11.CKA_MODULUS],
["CKA_MODULUS", PyKCS11.CKA_MODULUS],
["CKA_MODULUS_BITS", PyKCS11.CKA_MODULUS_BITS],
["CKA_PUBLIC_EXPONENT", PyKCS11.CKA_PUBLIC_EXPONENT],
["CKA_PRIVATE_EXPONENT", PyKCS11.CKA_PRIVATE_EXPONENT],
]
for o in objects:
print
print (red + "==================== Object: %d ====================" + normal) % o.value()
attributes = session.getAttributeValue(o, all_attributes)
attrDict = dict(zip(all_attributes, attributes))
if attrDict[PyKCS11.CKA_CLASS] == PyKCS11.CKO_PRIVATE \
and attrDict[PyKCS11.CKA_KEY_TYPE] == PyKCS11.CKK_RSA:
m = attrDict[PyKCS11.CKA_MODULUS]
e = attrDict[PyKCS11.CKA_PUBLIC_EXPONENT]
if m and e:
mx = eval('0x%s' % ''.join(chr(c) for c in m).encode('hex'))
ex = eval('0x%s' % ''.join(chr(c) for c in e).encode('hex'))
if sign:
try:
toSign = "12345678901234567890" # 20 bytes, SHA1 digest
print "* Signing with object 0x%08X following data: %s" % (o.value(), toSign)
signature = session.sign(o, toSign)
s = ''.join(chr(c) for c in signature).encode('hex')
sx = eval('0x%s' % s)
print "Signature:"
print hexdump(''.join(map(chr, signature)), 16)
if m and e:
print "Verifying using following public key:"
print "Modulus:"
print hexdump(''.join(map(chr, m)), 16)
print "Exponent:"
print hexdump(''.join(map(chr, e)), 16)
decrypted = pow(sx, ex, mx) # RSA
print "Decrypted:"
d = hexx(decrypted).decode('hex')
print hexdump(d, 16)
if toSign == d[-20:]:
print "*** signature VERIFIED!\n"
else:
print "*** signature NOT VERIFIED; decrypted value:"
print hex(decrypted), "\n"
else:
print "Unable to verify signature: MODULUS/PUBLIC_EXP not found"
except:
print "Sign failed, exception:", str(sys.exc_info()[1])
if decrypt:
if m and e:
try:
toEncrypt = "12345678901234567890"
# note: PKCS1 BT2 padding should be random data,
# but this is just a test and we use 0xFF...
padded = "\x00\x02%s\x00%s" % ("\xFF" * (128 - (len(toEncrypt)) - 3), toEncrypt)
print "* Decrypting with 0x%08X following data: %s" % (o.value(), toEncrypt)
print "padded:\n", dump(padded, 16)
encrypted = pow(eval('0x%sL' % padded.encode('hex')), ex, mx) # RSA
encrypted1 = hexx(encrypted).decode('hex')
print "encrypted:\n", dump(encrypted1, 16)
decrypted = session.decrypt(o, encrypted1)
decrypted1 = ''.join(chr(i) for i in decrypted)
print "decrypted:\n", dump(decrypted1, 16)
if decrypted1 == toEncrypt:
print "decryption SUCCESSFULL!\n"
else:
print "decryption FAILED!\n"
except:
print "Decrypt failed, exception:", str(sys.exc_info()[1])
else:
print "ERROR: Private key don't have MODULUS/PUBLIC_EXP"
print "Dumping attributes:"
for q, a in zip(all_attributes, attributes):
if a == None:
# undefined (CKR_ATTRIBUTE_TYPE_INVALID) attribute
continue
if q == PyKCS11.CKA_CLASS:
print format_long % (PyKCS11.CKA[q], PyKCS11.CKO[a], a)
elif q == PyKCS11.CKA_CERTIFICATE_TYPE:
print format_long % (PyKCS11.CKA[q], PyKCS11.CKC[a], a)
elif q == PyKCS11.CKA_KEY_TYPE:
print format_long % (PyKCS11.CKA[q], PyKCS11.CKK[a], a)
elif session.isBin(q):
print format_binary % (PyKCS11.CKA[q], len(a))
if a:
print dump(''.join(map(chr, a)), 16),
elif q == PyKCS11.CKA_SERIAL_NUMBER:
print format_binary % (PyKCS11.CKA[q], len(a))
if a:
print hexdump(a, 16),
else:
print format_normal % (PyKCS11.CKA[q], a)
属性列表中的错误条目类型在上面的代码中。我不知道是什么原因导致了它的失败。在学习了低级API之后,我把自己弄糊涂了。在
^{pr2}$构建自己的属性列表是最好的方法吗?在
目前没有回答
相关问题 更多 >
编程相关推荐