
[tests] Fix signature length calculation in sgx_sign tests #1864

Merged: 1 commit merged into master from mkow/fix-failing-sgx-sign-test on May 2, 2024

Conversation

mkow
Member

@mkow mkow commented Apr 30, 2024

Description of the changes

Incorrect signature length calculation could cause an InvalidSignature exception if the signature happened to start with a 0x00 byte, resulting in random CI failures.

Fixes #1689.

How to test this PR?

Run `while true; python3 -m pytest -v -k 'test_sign_from_pem_path' tests/; or break; end` in Gramine root and wait. Without this PR it fails after ~64 loop iterations with:

tests/test_sgx_sign.py:64: in test_sign_from_pem_path
    verify_signature(data, exponent, modulus, signature, key_file)
tests/test_sgx_sign.py:50: in verify_signature
    public_key.verify(signature_bytes, data, padding.PKCS1v15(), hashes.SHA256())
/usr/local/lib/python3.8/dist-packages/cryptography/hazmat/backends/openssl/rsa.py:550: in verify
    _rsa_sig_verify(
/usr/local/lib/python3.8/dist-packages/cryptography/hazmat/backends/openssl/rsa.py:325: in _rsa_sig_verify
    raise InvalidSignature
E   cryptography.exceptions.InvalidSignature


Contributor

@kailun-qin kailun-qin left a comment


Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: all files reviewed, all discussions resolved, not enough approvals from maintainers (1 more required)

Contributor

@dimakuv dimakuv left a comment


Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions, not enough approvals from maintainers (1 more required) (waiting on @mkow)


-- commits line 5 at r1:
What's the problem with a signature starting with a zero byte?


tests/test_sgx_sign.py line 47 at r1 (raw file):

    assert numbers.e == exponent
    assert numbers.n == modulus
    signature_bytes = signature.to_bytes((modulus.bit_length() + 7) // 8, byteorder='big')

I don't understand this change. Could you explain a bit? Why is the signature length wrong here?

Member Author

@mkow mkow left a comment


Reviewable status: all files reviewed, 2 unresolved discussions, not enough approvals from maintainers (1 more required) (waiting on @dimakuv)


-- commits line 5 at r1:

Previously, dimakuv (Dmitrii Kuvaiskii) wrote…

What's the problem with a signature starting with a zero byte?

See below.


tests/test_sgx_sign.py line 47 at r1 (raw file):

Previously, dimakuv (Dmitrii Kuvaiskii) wrote…

I don't understand this change. Could you explain a bit? Why is the signature length wrong here?

public_key.verify() expects a specific byte sequence as a correct signature, not a number (and that's also what the original signing function returns, but our wrapper converts it to a number, because that's needed for SGX stuff: https://github.com/gramineproject/gramine/blob/master/python/graminelibos/sgx_sign.py#L666). Here we're trying to convert it back, but incorrectly.

The problem here is that this "serialization" produces different lengths depending on the signature. If it happens to start with 0x00, then the resulting byte array is shorter than expected and the verification fails. Example: with the SGX signing parameters the key signature should always have 384 bytes (3072/8), regardless of its specific value.
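The length mismatch mkow describes, as an added example that is not Gramine's own code: the pre-fix and post-fix integer-to-bytes conversions side by side, the RFC 8017 length check that `verify()` enforces, and a seeded simulation of how often a random signature would trip the old conversion. The modulus and signature values are constructed stand-ins, not a real RSA key.

```python
import random

# SGX enclave signing keys are RSA-3072, so a PKCS#1 v1.5 signature is k = 384 octets.
KEY_BITS = 3072

# Constructed stand-ins (NOT a real RSA key or signature): a modulus just under
# 2**3072, a signature whose top octet is non-zero, and one whose top octet is
# 0x00 (the case that made the test flaky).
MODULUS = (1 << KEY_BITS) - 0x10001
SIG_NORMAL = (1 << (KEY_BITS - 1)) | 0x1234
SIG_LEADING_ZERO = (1 << (KEY_BITS - 9)) | 0x1234  # bit_length 3064 -> 383 bytes

def sig_to_bytes_buggy(signature: int) -> bytes:
    # Pre-fix behaviour: length derived from the signature's own magnitude,
    # so any leading 0x00 octets are silently dropped.
    return signature.to_bytes((signature.bit_length() + 7) // 8, byteorder='big')

def sig_to_bytes_fixed(signature: int, modulus: int) -> bytes:
    # Post-fix behaviour (RFC 8017 I2OSP with xLen = k): length derived from the
    # modulus, so the output is always exactly k octets, leading zeros included.
    return signature.to_bytes((modulus.bit_length() + 7) // 8, byteorder='big')

def pkcs1v15_length_ok(sig_bytes: bytes, modulus: int) -> bool:
    # RFC 8017 RSASSA-PKCS1-v1_5-VERIFY step 1: reject unless len(S) == k.
    # This is the check behind the InvalidSignature in the PR description.
    return len(sig_bytes) == (modulus.bit_length() + 7) // 8

def round_trips(signature: int, modulus: int) -> bool:
    # The fixed encoding is lossless: decoding yields the original integer.
    return int.from_bytes(sig_to_bytes_fixed(signature, modulus), 'big') == signature

def buggy_failure_count(trials: int, seed: int = 1) -> int:
    # Draw uniformly random "signatures" below the modulus and count how many the
    # buggy encoding shortens. With this modulus P[top octet == 0] is ~1/256.
    rng = random.Random(seed)
    return sum(
        1 for _ in range(trials)
        if not pkcs1v15_length_ok(sig_to_bytes_buggy(rng.randrange(MODULUS)), MODULUS)
    )

if __name__ == '__main__':
    for name, sig in (('normal', SIG_NORMAL), ('leading-zero', SIG_LEADING_ZERO)):
        print(name, len(sig_to_bytes_buggy(sig)), len(sig_to_bytes_fixed(sig, MODULUS)))
    print('buggy encodings rejected out of 20000:', buggy_failure_count(20000))
```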

Contributor

@dimakuv dimakuv left a comment


Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

Incorrect signature length calculation could cause InvalidSignature
exception if the signature happened to start with a 0x00 byte,
resulting in random CI failures.

Signed-off-by: Michał Kowalczyk <mkow@invisiblethingslab.com>
@mkow mkow force-pushed the mkow/fix-failing-sgx-sign-test branch from dcf60c5 to bf46ba3 on May 2, 2024 11:22
Contributor

@dimakuv dimakuv left a comment


Reviewed 1 of 1 files at r1.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

Contributor

@kailun-qin kailun-qin left a comment


Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

@mkow mkow merged commit bf46ba3 into master May 2, 2024
18 checks passed
@mkow mkow deleted the mkow/fix-failing-sgx-sign-test branch May 2, 2024 23:42