def decrypt_work_order_data_json(self, data_objects, session_key, session_iv=None): """ Function to decrypt inData/outData of workorder Function iterate through the inData/outData items and decrypt the data using DataEncryptionKey/Session key. inData/outData data field is updated with decrypted data. Parameters: data_objects: inData/outData elements within the work order request or response as per Trusted Compute EEA API 6.1.7 Work Order Data Formats. session_key: The key used to decrypt the encrypted data of the response. session_iv: initialization vector corresponding to session_key. """ i = 0 do_decrypt = True for item in data_objects: data = item['data'] if 'encryptedDataEncryptionKey' in item: e_key = item['encryptedDataEncryptionKey'] else: e_key = None if not e_key or (e_key == "null"): data_key = session_key iv = session_iv elif e_key == "-": do_decrypt = False else: if 'iv' in item: iv = item['iv'] else: iv = None # Decrypt data key data_key = self.decrypt_data_encryption_key( e_key, iv, sesssion_key) if not do_decrypt: item['data'] = crypto_utility.base64_to_byte_array(data) else: # Decrypt output data item_data_bytes = crypto_utility.base64_to_byte_array(data) data_in_plain = self.decrypt_data(item_data_bytes, data_key, iv) item['data'] = data_in_plain i = i + 1 return data_objects
def verify_create_receipt_signature(self, input_json): """ Function to verify the signature of work order receipt create Parameters: input_json: Dictionary which contains request payload of WorkOrderReceiptRetrieve API as define EEA spec 7.2.2 Returns: enum type SignatureStatus """ input_json_params = input_json['params'] concat_string = input_json_params["workOrderId"] + \ input_json_params["workerServiceId"] + \ input_json_params["workerId"] + \ input_json_params["requesterId"] + \ str(input_json_params["receiptCreateStatus"]) + \ input_json_params["workOrderRequestHash"] + \ input_json_params["requesterGeneratedNonce"] concat_hash = bytes(concat_string, "UTF-8") final_hash = bytes(crypto_utility.compute_message_hash(concat_hash)) signature = input_json_params["requesterSignature"] verification_key = \ input_json_params["receiptVerificationKey"].encode("ascii") decoded_signature = crypto_utility.base64_to_byte_array(signature) return self.verify_signature_from_pubkey(decoded_signature, final_hash, verification_key)
def _verify_wo_verification_key_signature(self, wo_response, wo_verification_key, requester_nonce): """ Function to verify the work order response signature Parameters: wo_response : Dictionary which contains work order response as per Trusted Compute EEA API 6.1.2 Work Order Result Payload wo_verification_key : ECDSA/SECP256K1 public key used to verify work order verification key signature. requester_nonce : requester generated nonce passed in work order request. Required in 2 step verification. Returns: enum type SignatureStatus """ if requester_nonce is None: logger.error("Missing requester_nonce argument") return SignatureStatus.FAILED concat_string = wo_response["extVerificationKey"] + requester_nonce v_key_sig = wo_response["extVerificationKeySignature"] v_key_hash = crypto_utility.compute_message_hash( bytes(concat_string, 'UTF-8')) decoded_v_key_sig = crypto_utility.base64_to_byte_array(v_key_sig) return self.verify_signature_from_pubkey(decoded_v_key_sig, v_key_hash, wo_verification_key)
def _verify_wo_response_signature(self, wo_response, wo_res_verification_key): """ Function to verify the work order response signature Parameters: @param wo_response - dictionary contains work order response as per Trusted Compute EEA API 6.1.2 Work Order Result Payload @param wo_res_verification_key - ECDSA/SECP256K1 public key used to verify work order response signature. Returns enum type SignatureStatus """ worker_nonce = wo_response["workerNonce"] signature = wo_response['workerSignature'] response_hash = self.calculate_response_hash(wo_response) try: _verifying_key = VerifyingKey.from_pem(wo_res_verification_key) except Exception as error: logger.error("Error in verification key of " "work order response : %s", error) return SignatureStatus.INVALID_VERIFICATION_KEY decoded_signature = crypto_utility.base64_to_byte_array(signature) try: sig_result = _verifying_key.verify_digest(decoded_signature, response_hash, sigdecode=sigdecode_der) if sig_result: return SignatureStatus.PASSED except Exception as er: if("Malformed formatting of signature" in str(er)): return SignatureStatus.INVALID_SIGNATURE_FORMAT return SignatureStatus.FAILED
def execute(self): serialized_byte_array = crypto.string_to_byte_array(self.work_order) encrypted_request = crypto.byte_array_to_base64(serialized_byte_array) logger.info( "------------------------sgx_work_order_request1------------------------------------" ) try: encoded_encrypted_response = self.enclave.HandleWorkOrderRequest( encrypted_request, self.ext_data) logger.info( "------------------------sgx_work_order_request2------------------------------------" ) assert encoded_encrypted_response except Exception as err: logger.info( "------------------------sgx_work_order_request3------------------------------------" ) logger.exception('workorder request invocation failed: %s', str(err)) raise logger.info( "------------------------sgx_work_order_request4------------------------------------" ) try: decrypted_response = crypto.base64_to_byte_array( encoded_encrypted_response) response_string = crypto.byte_array_to_string(decrypted_response) response_parsed = json.loads(response_string[0:-1]) except Exception as err: logger.exception('workorder response is invalid: %s', str(err)) raise return response_parsed
def test_verify_encryption_key_signature(): enc_key_sig_byte = crypto_utility.string_to_byte_array(worker_enc_key) enc_key_hash = crypto_utility.compute_message_hash(enc_key_sig_byte) try: # sign encryption key status, enc_key_signature = \ sig_obj.generate_signature(enc_key_hash, worker_signing_key) enc_key_signature = \ crypto_utility.base64_to_byte_array(enc_key_signature) enc_key_signature_hex = \ crypto_utility.byte_array_to_hex(enc_key_signature) status = sig_obj.verify_encryption_key_signature( enc_key_signature_hex, worker_enc_key, worker_verifying_key) if status == SignatureStatus.PASSED: logging.info("PASSED: verify_encryption_key_signature") return 0 else: logging.info("FAILED: verify_encryption_key_signature") return 1 except Exception as err: logging.info("FAILED: verify_encryption_key_signature") return 1
def calculate_wo_pre_proc_keys_hash(self, pre_proc_json): """ Computes hash on pre-processed work order keys(by KME worker) Parameters: pre_proc_json: Pre processed JSON(by KME worker) having work order keys needed in encrypted format to process client work order request Returns: Computed hash of pre-processed work order keys in bytes """ concat_hash = crypto_utility.byte_array_to_base64( self.encrypted_sym_key) + \ crypto_utility.byte_array_to_base64(self.encrypted_wo_key) + \ crypto_utility.byte_array_to_base64(self.encrypted_sig_key) hash_1 = worker_hash.WorkerHash().compute_message_hash( concat_hash.encode("utf-8")) hash_1_str = crypto_utility.byte_array_to_base64(hash_1) # Compute hash of input-data-keys in_data_key_hash_str = "" for key in pre_proc_json['input-data-keys']: in_data_key_hash_str += crypto_utility.byte_array_to_base64( worker_hash.WorkerHash().compute_message_hash( crypto_utility.base64_to_byte_array( key['encrypted-data-key']))) # Compute hash on output-data-keys out_data_key_hash_str = "" for key in pre_proc_json['output-data-keys']: out_data_key_hash_str += crypto_utility.byte_array_to_base64( worker_hash.WorkerHash().compute_message_hash( crypto_utility.base64_to_byte_array( key['encrypted-data-key']))) final_hash = hash_1_str.encode("utf-8") + \ in_data_key_hash_str.encode("utf-8") + \ out_data_key_hash_str.encode("utf-8") return worker_hash.WorkerHash().compute_message_hash(final_hash)
def _verify_wo_verification_key_signature(self, wo_response, wo_verification_key, requester_nonce): """ Function to verify the work order response signature Parameters: @param wo_response - dictionary contains work order response as per Trusted Compute EEA API 6.1.2 Work Order Result Payload @param wo_verification_key - ECDSA/SECP256K1 public key used to verify work order verification key signature. @param requester_nonce - requester generated nonce passed in work order request. Required in 2 step verification. Returns enum type SignatureStatus """ if requester_nonce is None: logger.error("Missing requester_nonce argument") return SignatureStatus.FAILED concat_string = wo_response["extVerificationKey"] + requester_nonce v_key_sig = wo_response["extVerificationKeySignature"] v_key_hash = crypto_utility.compute_message_hash( bytes(concat_string, 'UTF-8')) try: _verifying_key = VerifyingKey.from_pem(wo_verification_key) except Exception as error: logger.error("Error in verification key of" "verification key signature : %s", error) return SignatureStatus.INVALID_VERIFICATION_KEY decoded_v_key_sig = crypto_utility.base64_to_byte_array(v_key_sig) try: sig_result = _verifying_key.verify_digest( decoded_v_key_sig, bytes(v_key_hash), sigdecode=sigdecode_der) if sig_result: return SignatureStatus.PASSED except Exception as er: if("Malformed formatting of signature" in str(er)): return SignatureStatus.INVALID_SIGNATURE_FORMAT return SignatureStatus.FAILED
def _verify_wo_response_signature(self, wo_response, wo_res_verification_key): """ Function to verify the work order response signature Parameters: @param wo_response - dictionary contains work order response as per Trusted Compute EEA API 6.1.2 Work Order Result Payload @param wo_res_verification_key - ECDSA/SECP256K1 public key used to verify work order response signature. Returns enum type SignatureStatus """ if "workerSignature" not in wo_response: logger.error("workerSignature not present in reponse json") return False signature = wo_response['workerSignature'] response_hash = worker_hash.WorkerHash().calculate_response_hash( wo_response) decoded_signature = crypto_utility.base64_to_byte_array(signature) return self.verify_signature_from_pubkey(decoded_signature, response_hash, wo_res_verification_key)
def verify_create_receipt_signature(self, input_json): """ Function to verify the signature of work order receipt create Parameters: - input_json is dictionary contains request payload of WorkOrderReceiptRetrieve API as define EEA spec 7.2.2 Returns enum type SignatureStatus """ input_json_params = input_json['params'] concat_string = input_json_params["workOrderId"] + \ input_json_params["workerServiceId"] + \ input_json_params["workerId"] + \ input_json_params["requesterId"] + \ str(input_json_params["receiptCreateStatus"]) + \ input_json_params["workOrderRequestHash"] + \ input_json_params["requesterGeneratedNonce"] concat_hash = bytes(concat_string, "UTF-8") final_hash = bytes(crypto_utility.compute_message_hash(concat_hash)) signature = input_json_params["requesterSignature"] verification_key = \ input_json_params["receiptVerificationKey"].encode("ascii") try: _verifying_key = VerifyingKey.from_pem(verification_key) except Exception as error: logger.info("Error in verification key : %s", error) return SignatureStatus.INVALID_VERIFICATION_KEY decoded_signature = crypto_utility.base64_to_byte_array(signature) try: sig_result = _verifying_key.verify_digest(decoded_signature, bytes(final_hash), sigdecode=sigdecode_der) if sig_result: return SignatureStatus.PASSED except Exception as er: if("Malformed formatting of signature" in str(er)): return SignatureStatus.INVALID_SIGNATURE_FORMAT return SignatureStatus.FAILED
def _verify_wo_response_signature(self, wo_response, wo_res_verification_key): """ Function to verify the work order response signature Parameters: @param wo_response - dictionary contains work order response as per Trusted Compute EEA API 6.1.2 Work Order Result Payload @param wo_res_verification_key - ECDSA/SECP256K1 public key used to verify work order response signature. Returns enum type SignatureStatus """ worker_nonce = (wo_response["workerNonce"]).encode('UTF-8') signature = wo_response['workerSignature'] hash_string_1 = self.__calculate_hash_on_concatenated_string( wo_response, worker_nonce) data_objects = wo_response['outData'] hash_string_2 = self.calculate_datahash(data_objects) concat_string = hash_string_1 + hash_string_2 concat_hash = bytes(concat_string, 'UTF-8') final_hash = crypto_utility.compute_message_hash(concat_hash) try: _verifying_key = VerifyingKey.from_pem(wo_res_verification_key) except Exception as error: logger.error( "Error in verification key of " "work order response : %s", error) return SignatureStatus.INVALID_VERIFICATION_KEY decoded_signature = crypto_utility.base64_to_byte_array(signature) try: sig_result = _verifying_key.verify_digest(decoded_signature, bytes(final_hash), sigdecode=sigdecode_der) if sig_result: return SignatureStatus.PASSED except Exception as er: if ("Malformed formatting of signature" in str(er)): return SignatureStatus.INVALID_SIGNATURE_FORMAT return SignatureStatus.FAILED
def verify_update_receipt_signature(self, input_json): """ Function to verify the signature of work order receipt update Parameters: - input_json is dictionary contains payload returned by the WorkOrderReceiptUpdateRetrieve API as define EEA spec 7.2.7 Returns enum type SignatureStatus """ input_json_params = input_json concat_string = input_json_params["workOrderId"] + \ str(input_json_params["updateType"]) + \ input_json_params["updateData"] concat_hash = bytes(concat_string, 'UTF-8') final_hash = worker_hash.WorkerHash().compute_message_hash(concat_hash) signature = input_json_params["updateSignature"] verification_key = \ input_json_params["receiptVerificationKey"].encode("ascii") decoded_signature = crypto_utility.base64_to_byte_array(signature) return self.verify_signature_from_pubkey(decoded_signature, final_hash, verification_key)