PKCS#1 PSS (RSA)
A probabilistic digital signature scheme based on RSA.
It is more formally called RSASSA-PSS in Section 8.1 of RFC8017.
The following example shows how the sender can use its own private key (loaded from a file) to create the signature of a message:
>>> from Crypto.Signature import pss
>>> from Crypto.Hash import SHA256
>>> from Crypto.PublicKey import RSA
>>>
>>> # The message must be a byte string
>>> message = b'To be signed'
>>> # Read the DER-encoded private key in binary mode
>>> key = RSA.import_key(open('privkey.der', 'rb').read())
>>> # Hash the message, then sign the hash object
>>> h = SHA256.new(message)
>>> signature = pss.new(key).sign(h)
At the receiver side, the matching public RSA key is used to verify authenticity of the incoming message:
>>> key = RSA.import_key(open('pubkey.der', 'rb').read())
>>> h = SHA256.new(message)
>>> verifier = pss.new(key)
>>> # verify() raises an exception when the signature is not valid
>>> try:
...     verifier.verify(h, signature)
...     print("The signature is authentic.")
... except (ValueError, TypeError):
...     print("The signature is not authentic.")

Crypto.Signature.pss.MGF1(mgfSeed, maskLen, hash_gen)
Mask Generation Function, described in B.2.1 of RFC8017.
Parameters:
- mgfSeed (byte string) – seed from which the mask is generated
- maskLen (integer) – intended length in bytes of the mask
- hash_gen – A module or a hash object from Crypto.Hash
Returns: the mask, as a byte string

class Crypto.Signature.pss.PSS_SigScheme(key, mgfunc, saltLen, randfunc)
A signature object for RSASSA-PSS. Do not instantiate directly. Use Crypto.Signature.pss.new().

can_sign()
Return True if this object can be used to sign messages.

sign(msg_hash)
Create the PKCS#1 PSS signature of a message.
This function is also called RSASSA-PSS-SIGN and it is specified in section 8.1.1 of RFC8017.
Parameters: msg_hash (hash object) – This is an object from the Crypto.Hash package. It has been used to digest the message to sign.
Returns: the signature encoded as a byte string.
Raises:
- ValueError – if the RSA key is not long enough for the given hash algorithm.
- TypeError – if the RSA key has no private half.

verify(msg_hash, signature)
Check if the PKCS#1 PSS signature over a message is valid.
This function is also called RSASSA-PSS-VERIFY and it is specified in section 8.1.2 of RFC8017.
Parameters:
- msg_hash – The hash that was carried out over the message. This is an object belonging to the Crypto.Hash module.
- signature (byte string) – The signature that needs to be validated.
Raises: ValueError – if the signature is not valid.

Crypto.Signature.pss.new(rsa_key, **kwargs)
Create a signature object for creating or verifying PKCS#1 PSS signatures.
Parameters: rsa_key (RSA object) – The RSA key to use for signing or verifying the message. This is a Crypto.PublicKey.RSA object. Signing is only possible when rsa_key is a private RSA key.
Keyword Arguments:
- mask_func (callable) – A mask generation function that accepts two parameters: a string to use as seed, and the length of the mask in bytes to generate. If not specified, the standard MGF1() is used.
- salt_bytes (integer) – Length of the salt, in bytes. If not specified, it matches the output size of the hash function. If zero, the signature scheme becomes deterministic.
- rand_func (callable) – A function that returns a random byte string, given the desired length. The default is Crypto.Random.get_random_bytes().
Returns: a PSS_SigScheme signature object