def with_signing_key(self, signing_key):
        # type: (bytes) -> EncryptionMaterials
        """Get new encryption materials that also include this signing key.

        .. versionadded:: 1.5.0

        :param bytes signing_key: Signing key
        :rtype: EncryptionMaterials
        :raises AttributeError: if signing key is already set
        :raises SignatureKeyError: if algorithm suite does not support signing keys
        """
        if self.signing_key is not None:
            raise AttributeError("Signing key is already set.")

        if self.algorithm.signing_algorithm_info is None:
            raise SignatureKeyError("Algorithm suite does not support signing keys.")

        new_materials = copy.copy(self)

        # Verify that the signing key matches the algorithm
        Signer.from_key_bytes(algorithm=new_materials.algorithm, key_bytes=signing_key)

        new_materials._setattr("signing_key", signing_key)  # simplify access to copies pylint: disable=protected-access

        return new_materials
def test_f_signer_from_key_bytes():
    check = Signer(algorithm=ALGORITHM, key=VALUES['ecc_private_key_prime'])
    test = Signer.from_key_bytes(
        algorithm=ALGORITHM,
        key_bytes=VALUES['ecc_private_key_prime_private_bytes'])
    assert check.key.private_numbers(
    ).private_value == test.key.private_numbers().private_value
Beispiel #3
0
    def _prep_message(self):
        """Performs initial message setup.

        :raises MasterKeyProviderError: if primary master key is not a member of supplied MasterKeyProvider
        :raises MasterKeyProviderError: if no Master Keys are returned from key_provider
        """
        validate_commitment_policy_on_encrypt(self.config.commitment_policy,
                                              self.config.algorithm)

        try:
            plaintext_length = self.stream_length
        except NotSupportedError:
            plaintext_length = None
        encryption_materials_request = EncryptionMaterialsRequest(
            algorithm=self.config.algorithm,
            encryption_context=self.config.encryption_context.copy(),
            frame_length=self.config.frame_length,
            plaintext_rostream=aws_encryption_sdk.internal.utils.streams.
            ROStream(self.source_stream),
            plaintext_length=plaintext_length,
            commitment_policy=self.config.commitment_policy,
        )
        self._encryption_materials = self.config.materials_manager.get_encryption_materials(
            request=encryption_materials_request)

        if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm:
            raise ActionNotAllowedError(
                ("Cryptographic materials manager provided algorithm suite"
                 " differs from algorithm suite in request.\n"
                 "Required: {requested}\n"
                 "Provided: {provided}").format(
                     requested=self.config.algorithm,
                     provided=self._encryption_materials.algorithm))

        if self._encryption_materials.signing_key is None:
            self.signer = None
        else:
            self.signer = Signer.from_key_bytes(
                algorithm=self._encryption_materials.algorithm,
                key_bytes=self._encryption_materials.signing_key)
        aws_encryption_sdk.internal.utils.validate_frame_length(
            frame_length=self.config.frame_length,
            algorithm=self._encryption_materials.algorithm)

        message_id = aws_encryption_sdk.internal.utils.message_id(
            self._encryption_materials.algorithm.message_id_length())

        self._derived_data_key = derive_data_encryption_key(
            source_key=self._encryption_materials.data_encryption_key.data_key,
            algorithm=self._encryption_materials.algorithm,
            message_id=message_id,
        )

        self._header = self.generate_header(message_id)

        self._write_header()
        if self.content_type == ContentType.NO_FRAMING:
            self._prep_non_framed()
        self._message_prepped = True
def test_signer_key_bytes_cycle():
    key = ec.generate_private_key(curve=ec.SECP384R1, backend=default_backend())
    signer = Signer(algorithm=aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, key=key)
    key_bytes = signer.key_bytes()
    new_signer = Signer.from_key_bytes(
        algorithm=aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, key_bytes=key_bytes
    )
    assert new_signer.key.private_numbers().private_value == signer.key.private_numbers().private_value
def test_signer_from_key_bytes(patch_default_backend, patch_serialization,
                               patch_build_hasher):
    _algorithm = MagicMock()
    signer = Signer.from_key_bytes(algorithm=_algorithm,
                                   key_bytes=sentinel.key_bytes)

    patch_serialization.load_der_private_key.assert_called_once_with(
        data=sentinel.key_bytes,
        password=None,
        backend=patch_default_backend.return_value)
    assert isinstance(signer, Signer)
    assert signer.algorithm is _algorithm
    assert signer.key is patch_serialization.load_der_private_key.return_value