# Verify CSR signature script
This script verifies the signature of a signed SCMS CSR (Certificate Signing Request).
In SCMS, the CSR is also known as an enrollment request. The signature uses ECDSA over the SECP256R1 elliptic curve.

## Import libraries

```python
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, utils
```

## Input parameters

```python
pubKeyStr = '02309e49889406da9d903caa89026708bc71230a9eb66649869025a3201cd4b4f9' # compressed-y-0 (0x02 prefix)
rStr = 'E74FE3DFC871A7DCB85C48F003DD87EC89BDE939DCF0FD41B16F7DC619FF4515' # compressed-y-1 0x03
sStr = '5D275DC37FDBA78ED5C3C8476F759BECA8A9F814CC95C68ABC000832BF263AAB'
data_oer = '018180000160D29D484481057273655F31000000000460D29D488600028301018003480101E0800103000182000320409500032040970100010080808082309e49889406da9d903caa89026708bc71230a9eb66649869025a3201cd4b4f9'
```

## Create public key object

Create a public key object from the hex string provided as input.

```python
pubKey = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), bytes.fromhex(pubKeyStr))
```

## Create the signature object

Create the signature object using the raw r and s values.

```python
r = int(rStr, 16)
s = int(sStr, 16)
signature = utils.encode_dss_signature(r, s)
```

## Finally verify the signature
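Prepare the variables for verification. Convert the data from a hex string to a byte array (note that the Python 3 method differs from the Python 2 one).

```python
# Note: verify() expects the signature in DER encoding, which
# encode_dss_signature() produced above; the signed data is the OER-encoded request.
data = bytes.fromhex(data_oer)
# verify() returns None on success and raises InvalidSignature on failure
pubKey.verify(signature, data, ec.ECDSA(hashes.SHA256()))
print("verified!")
```

```
verified!
```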
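The final cell relies on `verify()` raising an exception to signal a bad signature. The following added example (not part of the original notebook) wraps the same steps in a function that returns a boolean and rejects malformed input and out-of-range r/s values; the names `verify_csr_signature` and `make_sample` are hypothetical, and the sample key, signature and data are constructed at run time rather than taken from the page.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, utils

# Order n of the SECP256R1 (NIST P-256) group; valid r and s lie in [1, n-1].
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def verify_csr_signature(pub_key_hex, r_hex, s_hex, data_hex):
    """Return True only if (r, s) is a valid ECDSA/SHA-256 signature over data."""
    try:
        # from_encoded_point() rejects bad encodings and points not on the curve.
        pub_key = ec.EllipticCurvePublicKey.from_encoded_point(
            ec.SECP256R1(), bytes.fromhex(pub_key_hex))
        r, s = int(r_hex, 16), int(s_hex, 16)
        data = bytes.fromhex(data_hex)
    except ValueError:
        return False  # malformed hex or invalid public key point
    if not (0 < r < P256_ORDER and 0 < s < P256_ORDER):
        return False  # out-of-range values can never be a valid signature
    try:
        pub_key.verify(utils.encode_dss_signature(r, s), data,
                       ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False
    return True


def make_sample():
    """Constructed test vector in the notebook's input format (throwaway key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    data = b"constructed enrollment request body"
    der_sig = key.sign(data, ec.ECDSA(hashes.SHA256()))
    r, s = utils.decode_dss_signature(der_sig)
    point = key.public_key().public_bytes(
        serialization.Encoding.X962,
        serialization.PublicFormat.CompressedPoint)  # 0x02/0x03 prefix + x
    return point.hex(), f"{r:064x}", f"{s:064x}", data.hex()


if __name__ == "__main__":
    pub_hex, r_hex, s_hex, data_hex = make_sample()
    print("valid:   ", verify_csr_signature(pub_hex, r_hex, s_hex, data_hex))
    tampered = "00" + data_hex[2:]  # change the first byte of the signed data
    print("tampered:", verify_csr_signature(pub_hex, r_hex, s_hex, tampered))
```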
