Module crypto

Security token verification provider.

This file implements a crypto provider that verifies a "signature" simply by checking an RSA-SHA256 signature. We also parse and verify the activation lease and developer key formats documented at: http://wiki.laptop.org/go/Firmware_Key_and_Signature_Formats

See the bitfrost.leases.keys module for a list of trusted keys for use when checking security tokens.

Functions

_find_matching_key(keyid, valid_keys)
Find a matching key in valid_keys, which will be a parsed key list.

_date_cmp(a, b)
Compare two ISO 8601 date strings, special casing the string 00000000T000000Z as "infinity".

check_expiration_func()
Return a function which will validate a given expiration time.

_verify_sig01(certified_data, sig, valid_keys, __)
Decode and verify a signature in the sig01 format.

_verify_sig02(certified_data, sig, valid_keys, sn)
Decode and verify a signature in the sig02 format.

verify_sig(certified_data, sig, valid_keys, sn)
Decode and verify a signature, in a self-versioning format.

_verify_act01(sn, uuid, lease, valid_keys)
Decode and validate a lease in the act01 format.

verify_act(sn, uuid, lease, valid_keys)
Decode and verify an activation lease string, in a self-versioning format.

_verify_dev01(sn, uuid, devkey, valid_keys)
Decode and validate a developer key in the dev01 format.

verify_dev(sn, uuid, devkey, valid_keys)
Decode and verify a developer key, in a self-versioning format.

verify_lease(sn, uuid, lease, valid_keys)
Alias for verify_act for backwards compatibility.

Function Details

_find_matching_key(keyid, valid_keys)

Find a matching key in valid_keys, which will be a parsed key list.

For example:

>>> _find_matching_key('010203', ['key01: aabb012345\n','key01: badkey','key01: bbcc010203\n']).encode('hex')
'bbcc010203'

_date_cmp(a, b)

Compare two ISO 8601 date strings, special casing the string 00000000T000000Z as "infinity".

For example:

>>> _date_cmp("19991225T012345Z","19010203T040506Z")
1
>>> _date_cmp("00000000T000000Z","19010203T040506Z")
1
>>> _date_cmp("19010203T040506Z","00000000T000000Z")
-1
>>> _date_cmp("19010203T040506Z","19991225T012345Z")
-1
>>> _date_cmp("19010203T040506Z","19010203T040506Z")
0
>>> _date_cmp("19991225T012345Z","19991225T012345Z")
0
>>> _date_cmp("00000000T000000Z","00000000T000000Z")
0

check_expiration_func()

Return a function which will validate a given expiration time.

When this method is called, the current date and time is cached and used for all calls to the returned check function.

>>> ce = check_expiration_func()
>>> ce('00000000T000000Z')
>>> ce('19000101T000000Z')
Traceback (most recent call last):
    ...
LeaseExpired

verify_sig(certified_data, sig, valid_keys, sn)

Decode and verify a signature, in a self-versioning format.

Verify that the sig contains a valid detached signature of certified_data by any key in list valid_keys. For some signature formats, additionally verify that the given serial number sn matches the signature specified. Return the earliest expiration date, or the string "00000000T000000Z" if the signature never expires.

NOTE THAT THIS FUNCTION DOES NOT CHECK THAT THE EXPIRATION DATE IS IN THE FUTURE. Use check_expiration_func for that.

>>> sn = 'SHF725001A0'
>>> uuid = '414737D8-2312-9241-9C7B-9886CB74403C'
>>> certdata = '%s:%s:A:00000000T000000Z' % (sn, uuid)
>>> keylist = ['key01: 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\n']

Let's check a standard sig01 signature on dev key data:

>>> sig01 = 'sig01: sha256 8f18fbb8971dfd8f9978f1473d571eb1d7392568acb982f5cf89790203010001 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\n'
>>> verify_sig(certdata, sig01, keylist, sn)
'00000000T000000Z'
>>> verify_sig(certdata, sig01, ['key01: baddata']+keylist, sn)
'00000000T000000Z'

And verify that the signature doesn't validate if we screw with the certified data or the signature:

>>> verify_sig(certdata+'x', sig01, keylist, sn)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_sig(certdata, sig01[:-2]+'e\n', keylist, sn)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_sig(certdata, sig01, [], sn)
Traceback (most recent call last):
    ...
InvalidKey
>>> verify_sig(certdata, sig01, ['key01: badbad\n'], sn)
Traceback (most recent call last):
    ...
InvalidKey

Now let's check some sig02 signatures.

>>> sig02 = 'sig02: sha256 8f18fbb8971dfd8f9978f1473d571eb1d7392568acb982f5cf89790203010001 20080624T160000Z 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 sha256 3082010a028201010096c5d76bf233a2cb210d7d759b67c4b01bce7c3ee4cd8b12184be5289bf6bc375a388e4e506b9214414ddb569e1cb6f84bb73dd8f23416a4c95fd0ec3b8a85310d40a0a12c80fb1bba23d6ed317b4a4828094b011081e650d4f7e2510fc8b2b41d57f96385155f441911b6a6883c1702ebe492772d9d2af45514b3d9526ff2247539fe76435f75b19b2caefdc219e6d143701065566e8cac3ff989535e6b561d97c961a8443c921a560cf418d1c2cae7fe8e16ab5a05e317ee0cc1576eb68682837152d21aac49e1d8100bf1d62db7592c7bb2716755510e34bb4c3380c00ae2262b36a1f1d4cfbd3e580b061a6e1f55be163e6593b14b972378a0b15100be5b0203010001 00000000T000000Z 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\n'
>>> verify_sig(certdata, sig02, keylist, sn)
'20080624T160000Z'
>>> verify_sig(certdata, sig02, ['key01: baddata\n']+keylist, sn)
'20080624T160000Z'

And verify that the signature doesn't validate if we screw with the certified data or the signature:

>>> verify_sig(certdata+'x', sig02, keylist, sn)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_sig(certdata, sig02[:-2]+'e\n', keylist, sn)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_sig(certdata, sig02, [], sn)
Traceback (most recent call last):
    ...
InvalidKey
>>> verify_sig(certdata, sig02, ['key01: badbad\n'], sn)
Traceback (most recent call last):
    ...
InvalidKey
>>> verify_sig(certdata, sig02.replace(' 20080624T',' 20090624T'), keylist, sn)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_sig(certdata, sig02.replace(' 00000000T',' 20080624T'), keylist, sn)
Traceback (most recent call last):
    ...
VerificationFailure

Check another sig02 with a combination of expiration dates:

>>> sig02 = 'sig02: sha256 8f18fbb8971dfd8f9978f1473d571eb1d7392568acb982f5cf89790203010001 20080624T160000Z 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 sha256 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 20080704T160000Z 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\n'
>>> verify_sig(certdata, sig02, ['key01: baddata']+keylist, sn)
'20080624T160000Z'
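
An added example, not the bitfrost source, of the date handling that verify_sig, _date_cmp and check_expiration_func describe: the chain of expiry dates is reduced with the "infinity" sentinel sorting last, and the clock check is a separate step against a cached time. The names date_cmp, earliest_expiration, make_expiration_check and is_current are hypothetical, LeaseExpired is a local stand-in, an expiry equal to "now" is assumed to be still valid, and the code is Python 3 whereas the doctests on this page are Python 2.

```python
from datetime import datetime, timezone

NEVER = "00000000T000000Z"  # sentinel the page uses for "never expires"

class LeaseExpired(Exception):
    """Local stand-in named after the exception shown in the doctests."""

def date_cmp(a, b):
    """Three-way compare of compact ISO 8601 UTC stamps; NEVER sorts last."""
    if a == b:
        return 0
    if a == NEVER:
        return 1
    if b == NEVER:
        return -1
    # Fixed-width, zero-padded, UTC-only stamps order correctly as text.
    return (a > b) - (a < b)

def earliest_expiration(dates):
    """Earliest expiry in a chain; NEVER only if every entry is NEVER."""
    earliest = NEVER
    for d in dates:
        if date_cmp(d, earliest) < 0:
            earliest = d
    return earliest

def make_expiration_check(now=None):
    """Cache 'now' once so a batch of tokens is judged against one instant."""
    now = now or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    def check(expiry):
        if date_cmp(expiry, now) < 0:
            raise LeaseExpired(expiry)
    return check

def is_current(dates, check):
    """Two separate steps: reduce the chain, then test it against the clock."""
    try:
        check(earliest_expiration(dates))
        return True
    except LeaseExpired:
        return False

# Constructed chain: delegation expiring in 2008, final signature never expires.
CHAIN = ["20080624T160000Z", NEVER]
# Pitfall: plain min(CHAIN) returns NEVER because '0' < '2' as text, which
# would turn the expired delegation into one that never expires.
```

A caller that skips the check step accepts any correctly signed token regardless of age, which is the case the capitalised note above warns about.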

_verify_act01(sn, uuid, lease, valid_keys)

Decode and validate a lease in the act01 format.

Format documented at http://wiki.laptop.org/go/Firmware_Key_and_Signature_Formats#Antitheft.2FActivation_Lease

verify_act(sn, uuid, lease, valid_keys)

Decode and verify an activation lease string, in a self-versioning format.

Verify that lease contains a valid signature by any key in list valid_keys and matches the serial number sn and uuid provided. Additionally extract an expiration date from the lease, present in all lease versions, and make sure the lease has not expired.

>>> sn = 'SHF725001A0'
>>> uuid = '414737D8-2312-9241-9C7B-9886CB74403C'
>>> keylist = [ 'key01: badbad\n', 'key01: 3082010a0282010100e5d987ad765aa8df3d502776681ac298e01b309372a62df6106e4015848bd1d1fcacf079e242e888032d11d66919073682946e98d77c692e295e2123f9b2b86ae7aa29a1267ba7c91213cf297aad95f3760b538c483c4e0156e89ff1d9d10b75e6c9e342a46a8becb927e89a51af51dca70b8107ba95db1e7e94479ec1b08215dc5f97d797d44fe2afd89073463c05a99c15d468ab679f2b3ee6c0dd8c35987d24b4aeab9a2b1967ac20f88e29a0e4a4f6c849166ee7c0ed0d41963dcf4522f61f9c25dbc4d9e598e4d43299be1ad0e9419b4ea25aa4cd08d76798717617ab3123fbff46cbe842349e413bfd424426bdacd1cb46fd8e6c5e516ed80a8a849f410203010001\n' ]

First a lease with a sig01-format signature:

>>> act = 'act01: SHF725001A0 K 20380101T000000Z sig01: sha256 e842349e413bfd424426bdacd1cb46fd8e6c5e516ed80a8a849f410203010001 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\n'
>>> verify_act(sn, uuid, act, keylist)
'OK'
>>> verify_act(sn[:-1]+'1', uuid, act, keylist)
Traceback (most recent call last):
    ...
InvalidLeaseData
>>> verify_act(sn[:-1]+'1', uuid, act.replace(sn,sn[:-1]+'1'), keylist)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_act(sn, uuid[:-1]+'0', act, keylist)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_act(sn, uuid, act[:-2]+'0\n', keylist)
Traceback (most recent call last):
    ...
VerificationFailure

And an expired lease with a sig01-format signature:

>>> act = 'act01: SHF725001A0 K 19380101T000000Z sig01: sha256 e842349e413bfd424426bdacd1cb46fd8e6c5e516ed80a8a849f410203010001 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\n'
>>> verify_act(sn, uuid, act, keylist)
Traceback (most recent call last):
    ...
LeaseExpired

Now we'll try a lease with a sig02-format signature:

>>> act = 'act01: SHF725001A0 K 20380101T000000Z sig02: sha256 e842349e413bfd424426bdacd1cb46fd8e6c5e516ed80a8a849f410203010001 20380624T160000Z 85b5e2229b249be4ff80c515f9b5ae6cafaff3d99a87621c42ee0508cdb0484b84809187fd1eb1188d2a38a6f3183d37b77bbf44f33abc2c150a9a6490ea1b4de6940d45f0daafd77eb370cad214b9f47229021c123897b58750d2e96082fa4a52c671f41ca2f45428262a74fc0610c2aeb2e9da596c506284976606ea58eacf008a11bc8765e028dfc0df601e2ccaa315d628581a4dd3277563caa0d55a078a020c3c17f2d88c167150378d7bc80791ea374dba49c7906b9badfb04ff3ae8edaac98f50a5d8f93baf137309c1f0a5615982a75ad8a279591e01ed254e56eebc8a04662475fd9502843e0cf041f26764cb659a63844e8c082c6610f20962865e sha256 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 20370704T160000Z 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\n'
>>> verify_act(sn, uuid, act, keylist)
'OK'
>>> verify_act(sn[:-1]+'1', uuid, act, keylist)
Traceback (most recent call last):
    ...
InvalidLeaseData
>>> verify_act(sn[:-1]+'1', uuid, act.replace(sn,sn[:-1]+'1'), keylist)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_act(sn, uuid[:-1]+'0', act, keylist)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_act(sn, uuid, act[:-2]+'0\n', keylist)
Traceback (most recent call last):
    ...
VerificationFailure

And an expired lease with a sig02-format signature -- note that in this case it is the delegation which is expired, not the lease:

>>> act = 'act01: SHF725001A0 K 20380101T000000Z sig02: sha256 e842349e413bfd424426bdacd1cb46fd8e6c5e516ed80a8a849f410203010001 20080624T160000Z 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 sha256 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 20070704T160000Z 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\n'
>>> verify_act(sn, uuid, act, keylist)
Traceback (most recent call last):
    ...
LeaseExpired

_verify_dev01(sn, uuid, devkey, valid_keys)

Decode and validate a developer key in the dev01 format.

Format documented at http://wiki.laptop.org/go/Firmware_Key_and_Signature_Formats#Developer_key

verify_dev(sn, uuid, devkey, valid_keys)

Decode and verify a developer key, in a self-versioning format.

Verify that the developer key contains a valid signature by any key in list valid_keys and matches the serial number sn and uuid provided. If the developer key signature uses delegation, make sure the developer key has not expired.

>>> sn = 'SHF725001A0'
>>> uuid = '414737D8-2312-9241-9C7B-9886CB74403C'
>>> keylist = [ 'key01: badbad\n', 'key01: 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\n' ]

First a dev key with a sig01-format signature:

>>> dev = 'dev01: SHF725001A0 A 00000000T000000Z sig01: sha256 8f18fbb8971dfd8f9978f1473d571eb1d7392568acb982f5cf89790203010001 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\n'
>>> verify_dev(sn, uuid, dev, keylist)
'OK'
>>> verify_dev(sn[:-1]+'1', uuid, dev, keylist)
Traceback (most recent call last):
    ...
InvalidDevKeyData
>>> verify_dev(sn[:-1]+'1', uuid, dev.replace(sn,sn[:-1]+'1'), keylist)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_dev(sn, uuid[:-1]+'0', dev, keylist)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_dev(sn, uuid, dev[:-2]+'0\n', keylist)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_dev(sn, uuid, dev.replace('00000000T','20370101T'), keylist)
Traceback (most recent call last):
    ...
InvalidDevKeyData

Now we'll try a dev key with a sig02-format signature:

>>> dev = 'dev01: SHF725001A0 A 00000000T000000Z sig02: sha256 8f18fbb8971dfd8f9978f1473d571eb1d7392568acb982f5cf89790203010001 20380624T160000Z 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 sha256 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 20370704T160000Z 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\n'
>>> verify_dev(sn, uuid, dev, keylist)
'OK'
>>> verify_dev(sn[:-1]+'1', uuid, dev, keylist)
Traceback (most recent call last):
    ...
InvalidDevKeyData
>>> verify_dev(sn[:-1]+'1', uuid, dev.replace(sn,sn[:-1]+'1'), keylist)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_dev(sn, uuid[:-1]+'0', dev, keylist)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_dev(sn, uuid, dev[:-2]+'0\n', keylist)
Traceback (most recent call last):
    ...
VerificationFailure
>>> verify_dev(sn, uuid, dev.replace('00000000T','20370101T'), keylist)
Traceback (most recent call last):
    ...
InvalidDevKeyData

And an expired dev key with a sig02-format signature -- note that in this case it is the delegation which is expired, not the dev key:

>>> dev = 'dev01: SHF725001A0 A 00000000T000000Z sig02: sha256 8f18fbb8971dfd8f9978f1473d571eb1d7392568acb982f5cf89790203010001 19020304T050607Z 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 sha256 3082010a0282010100bdfbaf3dbaba6f42612483b13dd9bb9397ce2b7780c2bf2a31ea68ed2e2b4bf02a634e409117036619805bd2109465b0a9b0d919f645185e814e8521fb661993edb325cac80b59ce6b194be5237364dce3afc2b41f94a614b2aa5510d1c09a6e55160850a53eb6c54ebb35fc98e8139e98bf20bed6208d1f37676020d58789060a1723120b8d954c85915dbba9b5008e1a4b663ab0f0cd0fbaf7cd38828d3265a779bc9f1e17e89eb173a17c6e51b03ca9c0f9c0aabaaec04a7d32320933ee3c412f17c611569297761d9ef9f38b0ec8378e4aaccac2f9cf9e41aacb9b13bd989dab5a62f5818b43f57163054b5a383513a9aa2bf97d54320cc849dc466177d10203010001 00000000T000000Z 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\n'
>>> verify_dev(sn, uuid, dev, keylist)
Traceback (most recent call last):
    ...
LeaseExpired

verify_lease(sn, uuid, lease, valid_keys)

Alias for verify_act for backwards compatibility.