1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
import pathlib
import platform
from collections import defaultdict
from ctypes import *
from enum import Enum
_lib_prefixes = defaultdict(lambda: "lib", {
"windows": "",
})
_lib_suffixes = defaultdict(lambda: ".so", {
"windows": ".dll",
"darwin": ".dylib",
})
_os = platform.system().lower()
_libname = f"{_lib_prefixes[_os]}eduvpn_verify{_lib_suffixes[_os]}"
_lib = cdll.LoadLibrary(str(pathlib.Path(__file__).parent / "lib" / _libname))
class GoSlice(Structure):
_fields_ = [("data", POINTER(c_char)), ("len", c_int64), ("cap", c_int64)]
@staticmethod
def make(bs: bytes) -> "GoSlice":
return GoSlice((c_char * len(bs))(*bs), len(bs), len(bs))
_lib.Verify.argtypes, _lib.Verify.restype = [GoSlice, GoSlice, GoSlice, c_uint64], c_int64
_lib.InsecureTestingSetExtraKey.argtypes, _lib.InsecureTestingSetExtraKey.restype = [GoSlice], None
class VerifyErrorCode(Enum):
ErrUnknownExpectedFileName = 1 # Expected file name is not one of the recognized values.
ErrInvalidSignature = 2 # Signature is invalid (for the expected file type).
ErrInvalidSignatureUnknownKey = 3 # Signature was created with an unknown key and has not been verified.
ErrTooOld = 4 # Signature has a timestamp lower than the specified minimum signing time.
Unknown = -1 # Other unknown error
class VerifyError(Exception):
code: VerifyErrorCode
code_int: int # Original error code also for VerifyErrorCode.Unknown
def __init__(self, err: int):
try:
self.code = VerifyErrorCode(err)
except ValueError:
self.code = VerifyErrorCode.Unknown
self.code_int = err
def __str__(self):
return \
{
VerifyErrorCode.ErrUnknownExpectedFileName: "unknown expected file name",
VerifyErrorCode.ErrInvalidSignature: "invalid signature",
VerifyErrorCode.ErrInvalidSignatureUnknownKey: "invalid signature (unknown key)",
VerifyErrorCode.ErrTooOld: "replay of previous signature (rollback)",
}[self.code] if self.code != VerifyErrorCode.Unknown else f"unknown verify error ({self.code_int})"
def verify(signature: bytes, signed_json: bytes, expected_file_name: str, min_sign_time: int) -> None:
"""
Verifies the signature on the JSON server_list.json/organization_list.json file.
If the function returns, the signature is valid for the given file type.
:param signature: .minisig signature file contents.
:param signed_json: Signed .json file contents.
:param expected_file_name: The file type to be verified, one of "server_list.json" or "organization_list.json".
:param min_sign_time: Minimum time for signature. Should be set to at least the time in a previously retrieved file.
:raises VerifyException: If signature verification fails or expectedFileName is not one of the allowed values.
"""
err = _lib.Verify(GoSlice.make(signature), GoSlice.make(signed_json),
GoSlice.make(expected_file_name.encode()), min_sign_time)
if err:
raise VerifyError(err)
def _insecure_testing_set_extra_key(key_string: str) -> None:
"""Use for testing only, see Go documentation."""
_lib.InsecureTestingSetExtraKey(GoSlice.make(key_string.encode()))
|
