charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/toolbox/paddingschemes.py

@@ -0,0 +1,423 @@
+'''A collection of encryption and signature padding schemes'''
+from charm.toolbox.bitstring import Bytes,py3
+from charm.toolbox.securerandom import SecureRandomFactory
+import charm.core.crypto.cryptobase
+import hashlib
+import math
+import struct
+import sys
+
+debug = False
+
+
+class OAEPEncryptionPadding:
+    '''
+    :Authors: Gary Belvin
+    
+    OAEPEncryptionPadding
+    
+    Implements the OAEP padding scheme.  Appropriate for RSA-OAEP encryption.
+    Implemented according to PKCS#1 v2.1 Section 7 ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf
+    '''
+    def __init__(self, _hash_type ='sha1'):
+        self.name = "OAEPEncryptionPadding"
+        self.hashFn = hashFunc(_hash_type)
+        self.hashFnOutputBytes = len(hashlib.new(_hash_type).digest())
+        
+    # outputBytes - the length in octets of the RSA modulus used
+    #             - the intended length of the encoded message 
+    # emLen = the length of the rsa modulus in bits
+    def encode(self, message, emLen, label="", seed=None):
+        ''':Return: a Bytes object'''
+        # Skipped: label input length checking. (L must be less than 2^61 octets for SHA1)
+        # First, make sure the message isn't too long.    emLen
+        hLen = self.hashFnOutputBytes
+        if (len(message) > (emLen - (2 * hLen) - 2)):
+            assert False, "message too long"
+        
+        if py3: lHash = self.hashFn(Bytes(label, 'utf8'))
+        else: lHash = self.hashFn(Bytes(label))  
+              
+        # Let PS be a string of length (emLen - mLen - 2hLen - 2) containing only zero octets.
+        # Compute DB = lHash || PS || 0x01 || M.
+        PS = Bytes.fill(b'\x00', emLen - len(message) - (2 * hLen) - 2)
+        DB = lHash + PS + b'\x01' + bytes(message)
+        
+        # Generate a random octet string seed of length hLen and compute 
+        # maskedDB = MGF1(seed, emLen - self.hashFnOutputBytes - 1)
+        if (seed is None):
+            rand = SecureRandomFactory.getInstance()
+            seed = rand.getRandomBytes(hLen)
+            
+        dbMask = MGF1(seed, len(DB), self.hashFn, hLen)
+
+        maskedDB = DB ^ dbMask
+        
+        # Let seedMask = MGF(maskedDB, self.hashFnOutputBytes) and
+        # maskedSeed = seedMask XOR seed
+        seedMask = MGF1(maskedDB, len(seed), self.hashFn, hLen)        
+        maskedSeed = seedMask ^ seed
+        if(debug):
+            print("Encoding")
+            print("label    =>", label)
+            print("lhash    =>", lHash)
+            print("seed     =>", seed)
+            print("db       =>", DB)
+            print("db len   =>", len(DB))
+            print("db mask  =>", dbMask)
+            print("maskedDB =>", maskedDB)
+            print("seedMask =>", seedMask)
+            print("maskedSed=>", maskedSeed)
+      
+        return Bytes(b'\x00') + maskedSeed + maskedDB
+    
+    def decode(self, encMessage, label=""):
+        hLen = self.hashFnOutputBytes
+        # Make sure the encoded string is at least L bytes long
+        if len(encMessage) < (2 * hLen + 2):
+            assert False, "encoded string not long enough."
+        if py3: lHash = self.hashFn(Bytes(label, 'utf-8'))
+        else: lHash = self.hashFn(Bytes(label))
+        # Parse the encoded string as (0x00 || maskedSeed || maskedDB)
+        #Y = encMessage[0]
+        maskedSeed = Bytes(encMessage[1:(1+hLen)])
+        maskedDB = Bytes(encMessage[(1+hLen):])
+
+        # Set seedMask = MGF1(maskedDB, hashFnOutputSize)
+        seedMask = MGF1(maskedDB, len(maskedSeed), self.hashFn, hLen)
+        seed = maskedSeed ^ seedMask           
+        
+        # Set dbMask = MGF(seed, k - hLen - 1) and
+        #     DB = maskedDB \xor dbMask.
+        dbMask = MGF1(seed, len(maskedDB), self.hashFn, hLen)
+        DB = dbMask ^ maskedDB
+        if(debug):
+            print("decoding:")
+            print("MaskedSeed => ", maskedSeed)
+            print("maskedDB   => ", maskedDB)
+            print("r seed =>", seed)
+            print("r DB   =>", DB)
+                
+        # Parse DB as:
+        #   DB = lHash' || PS || 0x01 || M.
+        # Check that lHash' == lHash, Y == 0x00 and there is an 0x01 after PS
+        lHashPrime = DB[0 : hLen]        
+        M = DB[DB.find(b'\x01')+1 : ]
+        return M
+
+#def MGF1(seed:Bytes, maskBytes:int, hashFn, hLen:int):
+def MGF1(seed, maskBytes, hashFn, hLen):
+    ''' MGF1 Mask Generation Function
+    
+    Implemented according to PKCS #1 specification, see appendix B.2.1:
+    
+    :Parameters:
+       - ``hLen``: is the output length of the hash function
+       - ``maskBytes``: the number of mask bytes to return
+    '''
+    debug = False
+    # Skipped output size checking.  Must be less than 2^32 * hLen
+    ran = range(int(math.ceil(maskBytes / float(hLen))))
+    if debug:
+        print("calc =>", math.ceil(maskBytes / float(hLen)))
+        print("Range =>", ran)
+    test = [hashFn(struct.pack(">%dsI" % (len(seed)), seed, i)) for i in ran]
+    if debug: 
+        print("test =>", test)
+    result = b''.join(test)
+    return Bytes(result[0:maskBytes])
+
+class hashFunc:
+    def __init__(self, _hash_type=None):
+        if _hash_type == None:
+            self.hashObj = hashlib.new('sha1')  # nosec B324 - SHA1 default for historical compatibility
+        else:
+            self.hashObj = hashlib.new(_hash_type)
+        
+    #message must be a binary string
+    def __call__(self, message):
+        h = self.hashObj.copy()
+        if type(message) == str:
+            h.update(bytes(message))
+        elif type(message) in [bytes, Bytes]:
+            h.update(bytes(message)) # bytes or custom Bytes
+        return Bytes(h.digest())  
+    
+class PSSPadding:
+    '''
+    :Authors: Gary Belvin
+    
+    PSSSignaturePadding
+    
+    Implements the PSS signature padding scheme.  Appropriate for RSA-PSS signing. 
+    Implemented according to section 8 of ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf.
+    '''
+    def __init__(self, _hash_type ='sha1'):
+        self.hashFn = hashFunc(_hash_type)
+        self.hLen = len(hashlib.new(_hash_type).digest())
+        self.sLen = self.hLen # The length of the default salt
+    
+    def encode(self, M, emBits=None, salt=None):
+        '''Encodes a message with PSS padding
+        emLen will be set to the minimum allowed length if not explicitly set
+        '''
+        # assert len(M) < (2^61 -1), Message too long
+        
+        #Let H' = Hash (M'), an octet string of length hLen.
+        #Max length of output message
+        if emBits is None:
+            emBits =  8*self.hLen + 8 * self.sLen + 9
+            #Round to the next byte
+            emBits = int(math.ceil(emBits / 8.0)) * 8
+        assert emBits >= 8*self.hLen + 8 * self.sLen + 9, "Not enough emBits"
+        
+        #Make sure the the message is long enough to be valid
+        emLen = int(math.ceil(emBits / 8.0))        
+        assert emLen >= self.hLen + self.sLen + 2, "emLen too small"
+        
+        if salt is None:
+            if self.sLen > 0: 
+                salt = SecureRandomFactory.getInstance().getRandomBytes(self.sLen)
+            else:
+                salt = b''
+        assert len(salt) == self.sLen, "Salt wrong size"
+        
+        #Let M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt;
+        eightzerobytes = Bytes.fill(b'\x00', 8)
+        mHash = self.hashFn(M)        
+        Mprime = eightzerobytes + mHash + salt
+        
+        #Let H = Hash (M'), an octet string of length hLen.
+        H = self.hashFn(Mprime)
+        
+        #Generate an octet string PS consisting of emLen - sLen - hLen - 2 zero octets.
+        #The length of PS may be 0.
+        pslen = emLen - self.sLen - self.hLen - 2
+        ps = Bytes.fill(b'\x00', pslen)        
+        
+        #Let DB = PS || 0x01 || salt; DB is an octet string of length emLen - hLen - 1.
+        DB = ps + Bytes(b'\x01') + salt
+
+        #Let dbMask = MGF (H, emLen - hLen - 1).
+        masklen = emLen - self.hLen - 1
+        dbMask = MGF1(H, masklen, self.hashFn, self.hLen)
+        #Let maskedDB = DB ^ dbMask.
+        maskedDB = DB ^ dbMask
+        
+        #Set the leftmost 8emLen - emBits bits of the leftmost octet in maskedDB to zero
+        numzeros = 8 * emLen - emBits
+        bitmask  = int('0'*numzeros + '1'*(8-numzeros), 2)
+        ba = bytearray(maskedDB)
+        ba[0] &= bitmask
+        maskedDB = Bytes(ba)
+        
+        EM = maskedDB + H + Bytes(b'\xbc')
+        
+        if debug:
+            print("PSS Encoding:")
+            print("M     =>", M) 
+            print("mHash =>", mHash)
+            print("salt  =>", salt)
+            print("M'    =>", Mprime)
+            print("H     =>", H)
+            print("DB    =>", DB)
+            print("dbmask=>", dbMask)
+            print("masked=>", maskedDB)
+            print("EM    =>", EM)
+        return EM
+    
+    def verify(self, M, EM, emBits=None):
+        '''
+        Verifies that EM is a correct encoding for M
+        
+        :Parameters:
+           - M - the message to verify
+           - EM - the encoded message
+        :Return: true for 'consistent' or false for 'inconsistent'
+        '''
+        if debug: print("PSS Decoding:")
+        
+        #Preconditions
+        if emBits == None:
+            emBits = 8 * len(EM)
+        assert emBits >= 8* self.hLen + 8* self.sLen + 9, "Not enough emBits"
+        
+        emLen = int(math.ceil(emBits / 8.0))
+        assert len(EM) == emLen, "EM length not equivalent to bits provided"
+        
+        # assert len(M) < (2^61 -1), Message too long
+        
+        #Let mHash = Hash (M), an octet string of length hLen
+        mHash = self.hashFn(M)
+        
+        #if emLen < hLen + sLen + 2, output 'inconsistent' and stop.
+        if emLen < self.hLen + self.sLen + 2:
+            if debug: print("emLen too short") 
+            return False
+        
+        #If the rightmost octet of EM does not have hexadecimal value 0xbc, output
+        #'inconsistent' and stop.
+        if EM[len(EM)-1:] != b'\xbc':
+            if debug: print("0xbc not found") 
+            return False
+        
+        #Let maskedDB be the leftmost emLen - hLen - 1 octets of EM, and let H be the
+        #next hLen octets.
+        maskeDBlen = emLen - self.hLen - 1
+        maskedDB = Bytes(EM[:maskeDBlen])
+        H = EM[maskeDBlen:maskeDBlen+self.hLen]
+        
+        #If the leftmost 8emLen - emBits bits of the leftmost octet in maskedDB are not all
+        #equal to zero, output 'inconsistent' and stop.
+        numzeros = 8 * emLen - emBits
+        bitmask  = int('1'*numzeros + '0'*(8-numzeros), 2)
+        _mask_check = maskedDB[0]
+        if not py3: _mask_check = ord(_mask_check)
+        if (_mask_check & bitmask != 0):
+            if debug: print("right % bits of masked db not zero, found %" % (numzeros, bin(maskedDB[0])))
+            return False 
+        
+        #Let dbMask = MGF (H, emLen - hLen - 1).
+        masklen = emLen - self.hLen - 1
+        dbMask = MGF1(H, masklen, self.hashFn, self.hLen)
+        #Let DB = maskedDB ^ dbMask.
+        DB = maskedDB ^ dbMask
+        
+        #Set the leftmost 8emLen - emBits bits of the leftmost octet in DB to zero.
+        numzeros = 8 * emLen - emBits
+        bitmask  = int('0'*numzeros + '1'*(8-numzeros), 2)
+        ba = bytearray(DB)
+        ba[0] &= bitmask
+        DB = Bytes(ba)
+
+        #If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero
+        zerolen = emLen - self.hLen - self.sLen - 2
+        if DB[:zerolen] != Bytes.fill(b'\x00', zerolen):
+            if debug: print("DB did not start with % zero octets" % zerolen) 
+            return False
+        
+        #or if the octet at position emLen - hLen - sLen - 1 (the leftmost position is 'position 1') does not
+        #have hexadecimal value 0x01, output 'inconsistent' and stop.
+        _db_check = DB[zerolen]
+        if not py3: _db_check = ord(_db_check)
+        if _db_check != 0x01:
+            if debug: print("DB did not have 0x01 at %s, found %s instead" % (zerolen,DB[zerolen])) 
+            return False
+        
+        #Let salt be the last sLen octets of DB.
+        salt = DB[len(DB)-self.sLen:]
+        #Let M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt ;
+        mPrime = Bytes.fill(b'\x00', 8) + mHash + salt
+        
+        #Let H' = Hash (M'), an octet string of length hLen.
+        HPrime = self.hashFn(mPrime)
+        
+        if debug:
+            print("M     =>", M) 
+            print("mHash =>", mHash)
+            print("salt  =>", salt)
+            print("M'    =>", mPrime)
+            print("H     =>", H)
+            print("DB    =>", DB)
+            print("dbmask=>", dbMask)
+            print("masked=>", maskedDB)
+            print("EM    =>", EM)
+        
+        #If H = H', output 'consistent'. Otherwise, output 'inconsistent'.
+        return H == HPrime
+
+class SAEPEncryptionPadding:
+    '''
+    :Authors: Christina Garman
+    
+    SAEPEncryptionPadding
+    '''
+    def __init__(self, _hash_type ='sha384'):
+        self.name = "SAEPEncryptionPadding"
+        self.hashFn = hashFunc(_hash_type)
+        self.hashFnOutputBytes = len(hashlib.new(_hash_type).digest())
+        
+    def encode(self, message, n, s0):
+        #n = m + s0 + s1
+        m = int(n/4) #usually 256 bits
+
+        if(len(message) > (m/8)):
+            assert False, "message too long"
+
+        if(len(message) != m):
+            message_ext = bytes(message) + Bytes.fill(b'\x80', 1)
+            if(len(message_ext) != m):
+                message_ext = bytes(message_ext) + Bytes.fill(b'\x00', ((m/8)-2)-len(message))
+            message_ext = bytes(message_ext) + Bytes.fill(b'\x80', 1)
+
+        s1 = n - m - s0
+        t = Bytes.fill(b'\x00', s0/8)
+
+        rand = SecureRandomFactory.getInstance()
+        r = rand.getRandomBytes(int(s1/8))
+
+        v = Bytes(bytes(message_ext) + t)
+
+        x = v ^ self.hashFn(r)
+
+        y = x + r
+
+        if(debug):
+            print("Encoding")
+            print("m        =>", m)
+            print("s0       =>", s0)
+            print("s1       =>", s1)
+            print("t        =>", t, len(t))
+            print("r        =>", r, len(r))
+            print("v        =>", v, len(v))
+            print("x        =>", x)
+            print("y        =>", y, len(y))
+      
+        return y
+    
+    def decode(self, encMessage, n, s0):
+        m = int(n/4)
+
+        x = encMessage[:int((m+s0)/8)]
+        r = encMessage[int((m+s0)/8):int(n-m-s0)]
+
+        v = Bytes(x) ^ self.hashFn(r)
+
+        M = v[:int(m/8)]
+        t = v[int(m/8):int(m+s0/8)]
+
+        if(M[-1] == 128 and (M[-2] == 0 or M[-2] == 128)):
+            index = M[:(len(M)-1)].rindex(b'\x80')
+            M = M[:index]
+        else:
+            M = M[:len(M)-1]
+
+        if(debug):
+            print("decoding:")
+            print("x    => ", x)
+            print("r    => ", r)
+            print("v    => ", v)
+            print("M    => ", M)
+            print("t    => ", t)
+            print("r    =>" , r)
+
+        return (M, t)
+
+class PKCS7Padding(object):
+    def __init__(self,block_size = 16):
+        self.block_size = block_size
+        
+    def encode(self,_bytes,block_size = 16):
+        pad = self._padlength(_bytes)
+        return _bytes.ljust(pad+len(_bytes),bytes([pad]))
+
+    def decode(self,_bytes):
+        return _bytes[:-(_bytes[-1])]
+
+
+    def _padlength(self,_bytes):
+        ln=len(_bytes)
+        pad_bytes_needed = self.block_size - (ln % self.block_size)
+        if pad_bytes_needed == 0:
+            pad_bytes_needed = self.block_size
+        return pad_bytes_needed

charm/toolbox/paddingschemes_test.py

@@ -0,0 +1,238 @@
+'''
+:Date: Jun 17, 2011
+:Authors: Gary Belvin
+'''
+import unittest
+from  charm.toolbox.paddingschemes import OAEPEncryptionPadding, MGF1, hashFunc, PSSPadding, PKCS7Padding
+from binascii import a2b_hex
+
+debug = False
+class Test(unittest.TestCase):
+
+    def testOEAPVector1(self):
+        # OAEP Test vector taken from Appendix C 
+        #ftp://ftp.rsa.com/pub/rsalabs/rsa_algorithm/rsa-oaep_spec.pdf
+        
+        # --------------------------------------------------------------------------------
+        # Message:
+        m     = a2b_hex(bytes('d4 36 e9 95 69 fd 32 a7 c8 a0 5b bc 90 d3 2c 49'.replace(' ',''),'utf-8'))
+        label = ""
+        lhash = a2b_hex(bytes("da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09".replace(' ',""),'utf-8'))
+        DB    = a2b_hex(bytes("da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09 00 00 00 00\
+                         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\
+                         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\
+                         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 d4 36 e9 95 69\
+                         fd 32 a7 c8 a0 5b bc 90 d3 2c 49".replace(" ", ""),'utf-8'))
+ 
+        seed  = a2b_hex(bytes("aa fd 12 f6 59 ca e6 34 89 b4 79 e5 07 6d de c2 f0 6c b5 8f".replace(' ' ,''),'utf-8'))
+        #dbmask = dbMask = MGF (seed , 107):
+        dbmask= a2b_hex(bytes("06 e1 de b2 36 9a a5 a5 c7 07 d8 2c 8e 4e 93 24 8a c7 83 de e0 b2 c0 46\
+                         26 f5 af f9 3e dc fb 25 c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4\
+                         77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5 02 41 21 43 58 11 59 1b\
+                         e3 92 f9 82 fb 3e 87 d0 95 ae b4 04 48 db 97 2f 3a c1 4e af f4 9c 8c 3b\
+                         7c fc 95 1a 51 ec d1 dd e6 12 64".replace(" ",""),'utf-8'))
+        #maskedDB
+        #seedMask = M GF (maskedDB, 20):
+        seedMask = a2b_hex(bytes("41 87 0b 5a b0 29 e6 57 d9 57 50 b5 4c 28 3c 08 72 5d be a9".replace(' ',''),'utf-8'))
+        maskedSeed= a2b_hex(bytes("eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2 ca 82 31 0b 26".replace(' ',''),'utf-8'))
+
+        #EM = maskedSeed maskedDB
+        EM       = a2b_hex(bytes("00 eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2 ca 82 31 0b 26 dc d8 7d 5c\
+                            68 f1 ee a8 f5 52 67 c3 1b 2e 8b b4 25 1f 84 d7 e0 b2 c0 46 26 f5 af f9\
+                            3e dc fb 25 c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4 77 28 b4 a1\
+                            b7 c1 36 2b aa d2 9a b4 8d 28 69 d5 02 41 21 43 58 11 59 1b e3 92 f9 82\
+                            fb 3e 87 d0 95 ae b4 04 48 db 97 2f 3a c1 4f 7b c2 75 19 52 81 ce 32 d2\
+                            f1 b7 6d 4d 35 3e 2d".replace(" ",''),'utf-8')) 
+
+        if debug:
+            print("Test Vector 1:")
+            print("mesg  =>", m)
+            print("label =>", label)
+            print("lhash =>", lhash)    #Correct
+            print("DB    =>", DB)       #Correct
+            print("DBMask=>", dbmask)   #Correct
+            print("seedMask=>", seedMask)   #Correct
+            print("maskedseed=>", maskedSeed)
+
+        c = OAEPEncryptionPadding()
+        E = c.encode(m, 128,"",seed)
+        self.assertEqual(EM, E)
+    
+    def testOAEPRoundTripEquiv(self):
+        oaep = OAEPEncryptionPadding()
+        m = b'This is a test message'
+        ct = oaep.encode(m, 64)
+        pt = oaep.decode(ct)
+        self.assertEqual(m, pt, 'Decoded message is not equal to encoded message\n'\
+                         'ct: %s\nm:  %s\npt: %s' % (ct, m, pt))
+    
+    @unittest.skip("Unnecessary length test")
+    def testMFGLength(self):
+        seed = ""
+        hashFn = OAEPEncryptionPadding().hashFn
+        hLen =  OAEPEncryptionPadding().hashFnOutputBytes
+        
+        for mbytes in range(100):
+            a = MGF1(seed, mbytes, hashFn, hLen)
+            self.assertEqual(len(a), mbytes, 'MFG output wrong size')
+
+    def testMFGvector(self):
+        hashFn = OAEPEncryptionPadding().hashFn
+        hLen =  OAEPEncryptionPadding().hashFnOutputBytes
+        seed  = a2b_hex(bytes("aa fd 12 f6 59 ca e6 34 89 b4 79 e5 07 6d de c2 f0 6c b5 8f".replace(' ' ,''),'utf-8'))
+        #dbmask = dbMask = MGF (seed , 107):
+        dbmask= a2b_hex(bytes("06 e1 de b2 36 9a a5 a5 c7 07 d8 2c 8e 4e 93 24 8a c7 83 de e0 b2 c0 46\
+                         26 f5 af f9 3e dc fb 25 c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4\
+                         77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5 02 41 21 43 58 11 59 1b\
+                         e3 92 f9 82 fb 3e 87 d0 95 ae b4 04 48 db 97 2f 3a c1 4e af f4 9c 8c 3b\
+                         7c fc 95 1a 51 ec d1 dd e6 12 64".replace(" ",""),'utf-8'))
+        a = MGF1(seed, 107, hashFn, hLen)
+        self.assertEqual(dbmask, a)
+        
+    def testSHA1Vector(self):
+        hashFn = hashFunc('sha1')
+        V0 = (b"", a2b_hex(bytes("da39a3ee5e6b4b0d3255bfef95601890afd80709",'utf-8')))
+        V1 = (bytes("The quick brown fox jumps over the lazy dog", 'utf-8'), a2b_hex(bytes("2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",'utf-8'))) #ASCII encoding
+        V2 = (b'The quick brown fox jumps over the lazy dog', a2b_hex(bytes("2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",'utf-8'))) #binary data
+        #print("str => ", V2[0])
+        #print("H(s)=> ", hashFn(V2[0]))
+        #print("stnd=> ", V2[1])
+        
+        self.assertEqual(hashFn(V0[0]), V0[1], 'empty string')
+        self.assertEqual(hashFn(V1[0]), V1[1], 'quick fox')
+        self.assertEqual(hashFn(V2[0]), V2[1])
+    
+    
+    def testPSSRountTripEquiv(self):
+        pss = PSSPadding()
+        m = b'This is a test message'
+        em = pss.encode(m)
+        self.assertTrue(pss.verify(m, em))
+    
+    def testPSSTestVector(self):
+        # Test vector taken from http://www.rsa.com/rsalabs/node.asp?id=2125
+        # ---------------------------------
+        # Step-by-step RSASSA-PSS Signature
+        # ---------------------------------
+        
+        # Message M to be signed:
+        m = a2b_hex(bytes('85 9e ef 2f d7 8a ca 00 30 8b dc 47 11 93 bf 55\
+        bf 9d 78 db 8f 8a 67 2b 48 46 34 f3 c9 c2 6e 64\
+        78 ae 10 26 0f e0 dd 8c 08 2e 53 a5 29 3a f2 17\
+        3c d5 0c 6d 5d 35 4f eb f7 8b 26 02 1c 25 c0 27\
+        12 e7 8c d4 69 4c 9f 46 97 77 e4 51 e7 f8 e9 e0\
+        4c d3 73 9c 6b bf ed ae 48 7f b5 56 44 e9 ca 74\
+        ff 77 a5 3c b7 29 80 2f 6e d4 a5 ff a8 ba 15 98\
+        90 fc'.replace(" ", ""),'utf-8'))
+
+        # mHash    = Hash(M)
+        # salt     = random string of octets
+        # M'       = Padding || mHash || salt
+        # H        = Hash(M')
+        # DB       = Padding || salt 
+        # dbMask   = MGF(H, length(DB))
+        # maskedDB = DB xor dbMask (leftmost bit set to
+        #            zero)
+        # EM       = maskedDB || H || 0xbc
+        
+        # mHash:
+        mHash = a2b_hex(bytes('37 b6 6a e0 44 58 43 35 3d 47 ec b0 b4 fd 14 c1\
+        10 e6 2d 6a'.replace(" ", ""),'utf-8'))
+        
+        # salt:
+        salt = a2b_hex(bytes('e3 b5 d5 d0 02 c1 bc e5 0c 2b 65 ef 88 a1 88 d8\
+        3b ce 7e 61'.replace(" ", ""),'utf-8'))
+        
+        # M':
+        mPrime = a2b_hex(bytes('00 00 00 00 00 00 00 00 37 b6 6a e0 44 58 43 35\
+        3d 47 ec b0 b4 fd 14 c1 10 e6 2d 6a e3 b5 d5 d0\
+        02 c1 bc e5 0c 2b 65 ef 88 a1 88 d8 3b ce 7e 61'.replace(" ", ""),'utf-8'))
+        
+        # H:
+        H = a2b_hex(bytes('df 1a 89 6f 9d 8b c8 16 d9 7c d7 a2 c4 3b ad 54\
+        6f be 8c fe'.replace(" ", ""),'utf-8'))
+        
+        # DB:
+        DB = a2b_hex(bytes('00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\
+        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\
+        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\
+        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\
+        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\
+        00 00 00 00 00 00 01 e3 b5 d5 d0 02 c1 bc e5 0c\
+        2b 65 ef 88 a1 88 d8 3b ce 7e 61'.replace(" ", ""),'utf-8'))
+        
+        # dbMask:
+        dbMask = a2b_hex(bytes('66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67\
+        d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af\
+        50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4\
+        d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1\
+        e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec\
+        d3 18 3a 31 1f c8 97 39 a9 66 43 13 6e 8b 0f 46\
+        5e 87 a4 53 5c d4 c5 9b 10 02 8d'.replace(" ", ""),'utf-8'))
+        
+        # maskedDB:
+        maskedDB = a2b_hex(bytes('66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67\
+        d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af\
+        50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4\
+        d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1\
+        e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec\
+        d3 18 3a 31 1f c8 96 da 1c b3 93 11 af 37 ea 4a\
+        75 e2 4b db fd 5c 1d a0 de 7c ec'.replace(" ", ""),'utf-8'))
+        
+        # Encoded message EM:
+        EM = a2b_hex(bytes('66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67\
+        d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af\
+        50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4\
+        d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1\
+        e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec\
+        d3 18 3a 31 1f c8 96 da 1c b3 93 11 af 37 ea 4a\
+        75 e2 4b db fd 5c 1d a0 de 7c ec df 1a 89 6f 9d\
+        8b c8 16 d9 7c d7 a2 c4 3b ad 54 6f be 8c fe bc'.replace(" ", ""),'utf-8'))
+        
+        if debug:
+            print("PSS Test Vector:")
+            print("M     =>", m)
+            print("Mlen  =>", len(m))
+            print("mHash =>", mHash)
+            print("salt  =>", salt)
+            print("M'    =>", mPrime)
+            print("H     =>", H)
+            print("DB    =>", DB)
+            print("dbmask=>", dbMask)
+            print("masked=>", maskedDB)
+            print("EM    =>", EM)
+            print("EMLen =>", len(EM))
+        
+        pss = PSSPadding()
+        realEM = pss.encode(m,len(EM)*8,salt)
+        self.assertEqual(EM, realEM)
+
+    
+    @classmethod
+    def suite(self):
+        suite = unittest.TestLoader().loadTestsFromTestCase(Test)
+        return suite
+
+class TestPkcs7Padding(unittest.TestCase):
+    def setUp(self):
+        self.padder = PKCS7Padding()
+    def encodecode(self,text):
+        _bytes = bytes(text,'utf-8')
+        padded = self.padder.encode(_bytes)
+        assert _bytes == self.padder.decode(padded), 'o: =>%s\nm: =>%s' % (_bytes,padded)
+        assert len(padded) % 16 == 0 , 'invalid padding length: %s' % (len(padded))
+        assert len(padded) > 0, 'invalid padding length: %s' % (len(padded))
+        assert len(padded) > len(_bytes), 'message must allways have padding'
+        
+    def testBasic(self):
+        self.encodecode("asd")
+    def testEmpty(self):
+        self.encodecode("")
+    def testFull(self):
+        self.encodecode("sixteen byte msg")
+    def testLarge(self):
+        self.encodecode("sixteen byte msg +3")
+
+if __name__ == "__main__":
+    #import sys;sys.argv = ['', 'Test.testName']
+    unittest.main()