def test_load_ssh_public_key_ecdsa_nist_p521(self, backend):
_skip_curve_unsupported(backend, ec.SECP521R1())
ssh_key = (
b"ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1"
b"MjEAAACFBAGTrRhMSEgF6Ni+PXNz+5fjS4lw3ypUILVVQ0Av+0hQxOx+MyozELon"
b"I8NKbrbBjijEs1GuImsmkTmWsMXS1j2A7wB4Kseh7W9KA9IZJ1+TMrzWUEwvOOXi"
b"wT23pbaWWXG4NaM7vssWfZBnvz3S174TCXnJ+DSccvWBFnKP0KchzLKxbg== "
b"root@cloud-server-01"
)
key = load_ssh_public_key(ssh_key, backend)
expected_x = int(
"54124123120178189598842622575230904027376313369742467279346415219"
"77809037378785192537810367028427387173980786968395921877911964629"
"142163122798974160187785455", 10
)
expected_y = int(
"16111775122845033200938694062381820957441843014849125660011303579"
"15284560361402515564433711416776946492019498546572162801954089916"
"006665939539407104638103918", 10
)
assert key.public_numbers() == ec.EllipticCurvePublicNumbers(
expected_x, expected_y, ec.SECP521R1()
)
def test_load_invalid_public_ec_key_from_numbers(self, backend):
_skip_curve_unsupported(backend, ec.SECP521R1())
# Bad X coordinate
numbers = ec.EllipticCurvePublicNumbers(
int(
"000003647356b91f8ace114c7247ecf4f4a622553fc025e04a178f179ef27"
"9090c184af678a4c78f635483bdd8aa544851c6ef291c1f0d6a241ebfd145"
"77d1d30d9903ce", 16),
int(
"000001499bc7e079322ea0fcfbd6b40103fa6a1536c2257b182db0df4b369"
"6ec643adf100eb4f2025d1b873f82e5a475d6e4400ba777090eeb4563a115"
"09e4c87319dc26", 16), ec.SECP521R1())
with pytest.raises(ValueError):
numbers.public_key(backend)
# Bad Y coordinate
numbers = ec.EllipticCurvePublicNumbers(
int(
"0000019aadc221cc0525118ab6d5aa1f64720603de0be128cbfea0b381ad8"
"02a2facc6370bb58cf88b3f0c692bc654ee19d6cad198f10d4b681b396f20"
"d2e40603fa945b", 16),
int(
"0000025da392803a320717a08d4cb3dea932039badff363b71bdb8064e726"
"6c7f4f4b748d4d425347fc33e3885d34b750fa7fcd5691f4d90c89522ce33"
"feff5db10088a5", 16), ec.SECP521R1())
with pytest.raises(ValueError):
numbers.public_key(backend)
def build_csr(self):
if not self.private_key:
if self.key_type == KeyTypes.RSA:
self.private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=self.key_length,
backend=default_backend())
elif self.key_type == KeyTypes.ECDSA:
if self.key_curve == "P521":
curve = ec.SECP521R1()
elif self.key_curve == "P384":
curve = ec.SECP384R1()
elif self.key_curve == "P256":
curve = ec.SECP256R1()
elif self.key_curve == "P224":
curve = ec.SECP224R1()
else:
curve = ec.SECP521R1()
self.private_key = ec.generate_private_key(
curve, default_backend())
else:
raise ClientBadData
self.public_key_from_private()
csr_builder = x509.CertificateSigningRequestBuilder()
subject = [
x509.NameAttribute(
NameOID.COMMON_NAME,
self.common_name,
)
]
csr_builder = csr_builder.subject_name(x509.Name(subject))
alt_names = []
if self.ip_addresses:
for ip in self.ip_addresses:
alt_names.append(x509.IPAddress(ipaddress.IPv4Address(ip)))
if self.san_dns:
for ns in self.san_dns:
alt_names.append(x509.DNSName(ns))
if self.email_addresses:
for mail in self.email_addresses:
alt_names.append(x509.RFC822Name(mail))
csr_builder = csr_builder.add_extension(
x509.SubjectAlternativeName(alt_names),
critical=False,
)
csr_builder = csr_builder.sign(self.private_key, hashes.SHA256(),
default_backend())
self.csr = csr_builder.public_bytes(
serialization.Encoding.PEM).decode()
return
def test_autodetect_keytype(self):
"""
Test the autodetection of the key type
"""
private_key = generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
ec_private_key = ec.generate_private_key(ec.SECP256R1(),
default_backend())
# Test when we give it the wrong algorithm type
with self.assertRaises(scitokens.scitokens.UnsupportedKeyException):
token = scitokens.SciToken(key=private_key, algorithm="ES256")
# Test when we give it the wrong algorithm type
with self.assertRaises(scitokens.scitokens.UnsupportedKeyException):
token = scitokens.SciToken(key=ec_private_key, algorithm="RS256")
# Test when we give an unsupported algorithm
unsupported_private_key = ec.generate_private_key(
ec.SECP521R1(), default_backend())
with self.assertRaises(scitokens.scitokens.UnsupportedKeyException):
token = scitokens.SciToken(key=unsupported_private_key)
token = scitokens.SciToken(key=ec_private_key, algorithm="ES256")
token.serialize(issuer="local")
def gen_key(alg):
if alg == 'rsa':
print('Generating new private key')
size = int(input('Choose a bit size between [2048-4096]: '))
while not size >= 2048 and size <= 4096:
print('Choose 2048, 3072, or 4096.')
size = int(input(''))
key = rsa.generate_private_key(
public_exponent=65537,
key_size=size,
backend=default_backend()
)
elif alg == 'ecc':
curve = input('Use a p256, p384, or p521 curve? ')
while not curve in ['p256','p384','p521']:
colorize('red')
curve = input('Use a p256, p384, or p521 curve? ')
colorize_edit('reset')
if curve == 'p256':
key = ec.generate_private_key(ec.SECP256R1(), default_backend())
elif curve == 'p384':
key = ec.generate_private_key(ec.SECP384R1(), default_backend())
elif curve == 'p521':
key = ec.generate_private_key(ec.SECP521R1(), default_backend())
return key
def get_key_type_from_ec_curve(curve_name):
"""
Give an EC curve name, return the matching key_type.
:param: curve_name
:return: key_type
"""
_CURVE_TYPES = {
ec.SECP192R1().name: "ECCPRIME192V1",
ec.SECP256R1().name: "ECCPRIME256V1",
ec.SECP224R1().name: "ECCSECP224R1",
ec.SECP384R1().name: "ECCSECP384R1",
ec.SECP521R1().name: "ECCSECP521R1",
ec.SECP256K1().name: "ECCSECP256K1",
ec.SECT163K1().name: "ECCSECT163K1",
ec.SECT233K1().name: "ECCSECT233K1",
ec.SECT283K1().name: "ECCSECT283K1",
ec.SECT409K1().name: "ECCSECT409K1",
ec.SECT571K1().name: "ECCSECT571K1",
ec.SECT163R2().name: "ECCSECT163R2",
ec.SECT233R1().name: "ECCSECT233R1",
ec.SECT283R1().name: "ECCSECT283R1",
ec.SECT409R1().name: "ECCSECT409R1",
ec.SECT571R1().name: "ECCSECT571R2",
}
if curve_name in _CURVE_TYPES.keys():
return _CURVE_TYPES[curve_name]
else:
return None
def generateCertClient(self, client_id):
password = "******"
#self.privKey = rsa.generate_private_key(65537, 2048, default_backend())
self.privKey = ec.generate_private_key(ec.SECP521R1(),
default_backend())
self.pubKey = self.privKey.public_key()
#encoding_privKey = self.privKey.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.BestAvailableEncryption(bytes(password, "utf-8")))
encoding_privKey = self.privKey.private_bytes(
serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
serialization.NoEncryption())
#encoding_pubKey = self.pubKey.public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
encoding_pubKey = self.pubKey.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.SubjectPublicKeyInfo)
# Guardar chaves
file = open("security/KEYS/privKeyClient" + str(client_id) + ".PEM",
"wb")
file.write(encoding_privKey)
file.close()
# Guardar certificados num ficheiro (publico)
file = open("security/KEYS/pubKeyClient" + str(client_id) + ".PEM",
"wb")
file.write(encoding_pubKey)
file.close()
key = {'pubKey': encoding_pubKey, 'privKey': encoding_privKey}
return key
def _load_ssh_ecdsa_public_key(expected_key_type, decoded_data, backend):
curve_name, rest = _read_next_string(decoded_data)
data, rest = _read_next_string(rest)
if expected_key_type != b"ecdsa-sha2-" + curve_name:
raise ValueError(
'Key header and key body contain different key type values.'
)
if rest:
raise ValueError('Key body contains extra bytes.')
if curve_name == b"nistp256":
curve = ec.SECP256R1()
elif curve_name == b"nistp384":
curve = ec.SECP384R1()
elif curve_name == b"nistp521":
curve = ec.SECP521R1()
if six.indexbytes(data, 0) != 4:
raise NotImplementedError(
"Compressed elliptic curve points are not supported"
)
# key_size is in bits, and sometimes it's not evenly divisible by 8, so we
# add 7 to round up the number of bytes.
if len(data) != 1 + 2 * ((curve.key_size + 7) // 8):
raise ValueError("Malformed key bytes")
x = _int_from_bytes(data[1:1 + (curve.key_size + 7) // 8], byteorder='big')
y = _int_from_bytes(data[1 + (curve.key_size + 7) // 8:], byteorder='big')
return ec.EllipticCurvePublicNumbers(x, y, curve).public_key(backend)
class ECDH:
_ec_groups = {
Transform.DhId.DH_19: ec.SECP256R1(),
Transform.DhId.DH_20: ec.SECP384R1(),
Transform.DhId.DH_21: ec.SECP521R1(),
}
backend = cryptography.hazmat.backends.openssl.backend
def __init__(self, group):
self.group = group
self._private_key = ec.generate_private_key(self._ec_groups[group], backend=self.backend)
# Trick to get the ceil of the division
self.key_len = (self._private_key.key_size + 7) // 8
self.shared_secret = None
public_numbers = self._private_key.public_key().public_numbers()
self.public_key = (public_numbers.x.to_bytes(self.key_len, 'big')
+ public_numbers.y.to_bytes(self.key_len, 'big'))
def compute_secret(self, peer_public_key):
x = int.from_bytes(peer_public_key[:self.key_len], 'big')
y = int.from_bytes(peer_public_key[self.key_len:], 'big')
peer_public_numbers = ec.EllipticCurvePublicNumbers(x, y, self._ec_groups[self.group])
peer_public_key = peer_public_numbers.public_key(self.backend)
self.shared_secret = self._private_key.exchange(ec.ECDH(), peer_public_key)
def pack_secp521r1(self) -> bytes:
private_key: ec.EllipticCurvePrivateKey = ec.generate_private_key(ec.SECP521R1(), default_backend())
public_key: ec.EllipticCurvePublicKey = private_key.public_key()
self.private = private_key
self.public = public_key.public_bytes(encoding=serialization.Encoding.X962,
format=serialization.PublicFormat.UncompressedPoint)
return self.public
class Curve(Enum):
P224 = ec.SECP224R1()
P256 = ec.SECP256R1()
P384 = ec.SECP384R1()
P521 = ec.SECP521R1()
@staticmethod
def from_label(label: int):
label = bytes([label])
if Curve.P224.value == label:
return Curve.P224.name
elif Curve.P256.value == label:
return Curve.P256.name
elif Curve.P384.value == label:
return Curve.P384.name
elif Curve.P521.value == label:
return Curve.P521.name
else:
raise SDKException(ErrorCode.unknown_asymmetric_key_type)
@staticmethod
def from_str_curve(str_curve: str):
if not isinstance(str_curve, str):
raise SDKException(ErrorCode.require_str_params)
if str_curve == 'P224':
return Curve.P224
elif str_curve == 'P256':
return Curve.P256
elif str_curve == 'P384':
return Curve.P384
elif str_curve == 'P521':
return Curve.P521
else:
raise SDKException(ErrorCode.unknown_asymmetric_key_type)
def from_jwk(jwk):
try:
if isinstance(jwk, str):
obj = json.loads(jwk)
elif isinstance(jwk, dict):
obj = jwk
else:
raise ValueError
except ValueError:
raise InvalidKeyError("Key is not valid JSON")
if obj.get("kty") != "EC":
raise InvalidKeyError("Not an Elliptic curve key")
if "x" not in obj or "y" not in obj:
raise InvalidKeyError("Not an Elliptic curve key")
x = base64url_decode(obj.get("x"))
y = base64url_decode(obj.get("y"))
curve = obj.get("crv")
if curve == "P-256":
if len(x) == len(y) == 32:
curve_obj = ec.SECP256R1()
else:
raise InvalidKeyError(
"Coords should be 32 bytes for curve P-256")
elif curve == "P-384":
if len(x) == len(y) == 48:
curve_obj = ec.SECP384R1()
else:
raise InvalidKeyError(
"Coords should be 48 bytes for curve P-384")
elif curve == "P-521":
if len(x) == len(y) == 66:
curve_obj = ec.SECP521R1()
else:
raise InvalidKeyError(
"Coords should be 66 bytes for curve P-521")
else:
raise InvalidKeyError(f"Invalid curve: {curve}")
public_numbers = ec.EllipticCurvePublicNumbers(
x=int.from_bytes(x, byteorder="big"),
y=int.from_bytes(y, byteorder="big"),
curve=curve_obj,
)
if "d" not in obj:
return public_numbers.public_key()
d = base64url_decode(obj.get("d"))
if len(d) != len(x):
raise InvalidKeyError("D should be {} bytes for curve {}",
len(x), curve)
return ec.EllipticCurvePrivateNumbers(
int.from_bytes(d, byteorder="big"),
public_numbers).private_key()
def verify(self, message, signature):
if self[-1] != 1:
raise ValueError("Unsupported elliptic curve")
ec.EllipticCurvePublicNumbers(bytes2int(self[-2]), bytes2int(self[-3]),
ec.SECP521R1()).public_key(
default_backend()).verify(
signature, message,
ec.ECDSA(self._HASH_ALG))
def load_ec_pub_key():
with open(os.path.join(BASE_PATH, 'jwk_ec_pub.json'), 'r') as infile:
keyobj = json.load(infile)
return ec.EllipticCurvePublicNumbers(x=decode_value(keyobj['x']),
y=decode_value(keyobj['y']),
curve=ec.SECP521R1()).public_key(
default_backend())
def _crv_to_curve(cls, crv: str) -> ec.EllipticCurve:
# crv is case-sensitive
if crv == 'P-256':
return ec.SECP256R1()
if crv == 'P-384':
return ec.SECP384R1()
if crv == 'P-521':
return ec.SECP521R1()
raise errors.DeserializationError()
def _get_curve_by_name(self, name):
if name == 'P-256':
return ec.SECP256R1()
elif name == 'P-384':
return ec.SECP384R1()
elif name == 'P-521':
return ec.SECP521R1()
else:
raise InvalidJWKValue('Unknown Elliptic Curve Type')
def load_ec_pub_key_p_521():
with open(os.path.join(BASE_PATH, "jwk_ec_pub_P-521.json")) as infile:
keyobj = json.load(infile)
return ec.EllipticCurvePublicNumbers(
x=decode_value(keyobj["x"]),
y=decode_value(keyobj["y"]),
curve=ec.SECP521R1(),
).public_key()
def _create_single_token(cls,
user,
fingerprint,
issuer_ip_address,
token_type='access',
meta=None):
token_id = str(uuid.uuid4())
private_key = ec.generate_private_key(ec.SECP521R1(),
default_backend())
public_key = private_key.public_key()
rsa_pem = public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo).decode()
if meta is not None:
device = meta.get('device')
platform = meta.get('platform')
browser = meta.get('browser')
else:
device, platform, browser = None, None, None
payload = {
"userid":
user.id,
"username":
user.username,
'exp':
datetime.datetime.utcnow() +
datetime.timedelta(minutes=settings.TOKEN_MINUTES),
"iss":
"ceteus:security",
"type":
token_type,
'iat':
datetime.datetime.utcnow()
}
token = jwt.encode(payload,
private_key,
algorithm='ES512',
headers={'tokenid': token_id})
cls.objects.create(user=user,
token_id=token_id,
token_type=token_type,
token_secret=rsa_pem,
fingerprint=fingerprint,
device=device,
platform=platform,
browser=browser,
issuer_ip_address=issuer_ip_address)
return token
def generate_private_key(key_type):
"""
Generates a new private key based on key_type.
Valid key types: RSA2048, RSA4096', 'ECCPRIME192V1', 'ECCPRIME256V1', 'ECCSECP192R1',
'ECCSECP224R1', 'ECCSECP256R1', 'ECCSECP384R1', 'ECCSECP521R1', 'ECCSECP256K1',
'ECCSECT163K1', 'ECCSECT233K1', 'ECCSECT283K1', 'ECCSECT409K1', 'ECCSECT571K1',
'ECCSECT163R2', 'ECCSECT233R1', 'ECCSECT283R1', 'ECCSECT409R1', 'ECCSECT571R2'
:param key_type:
:return:
"""
_CURVE_TYPES = {
"ECCPRIME192V1": ec.SECP192R1(),
"ECCPRIME256V1": ec.SECP256R1(),
"ECCSECP192R1": ec.SECP192R1(),
"ECCSECP224R1": ec.SECP224R1(),
"ECCSECP256R1": ec.SECP256R1(),
"ECCSECP384R1": ec.SECP384R1(),
"ECCSECP521R1": ec.SECP521R1(),
"ECCSECP256K1": ec.SECP256K1(),
"ECCSECT163K1": ec.SECT163K1(),
"ECCSECT233K1": ec.SECT233K1(),
"ECCSECT283K1": ec.SECT283K1(),
"ECCSECT409K1": ec.SECT409K1(),
"ECCSECT571K1": ec.SECT571K1(),
"ECCSECT163R2": ec.SECT163R2(),
"ECCSECT233R1": ec.SECT233R1(),
"ECCSECT283R1": ec.SECT283R1(),
"ECCSECT409R1": ec.SECT409R1(),
"ECCSECT571R2": ec.SECT571R1(),
}
if key_type not in CERTIFICATE_KEY_TYPES:
raise Exception("Invalid key type: {key_type}. Supported key types: {choices}".format(
key_type=key_type,
choices=",".join(CERTIFICATE_KEY_TYPES)
))
if 'RSA' in key_type:
key_size = int(key_type[3:])
return rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
backend=default_backend()
)
elif 'ECC' in key_type:
return ec.generate_private_key(
curve=_CURVE_TYPES[key_type],
backend=default_backend()
)
def generate_ec_private_key(cls, crv, **properties):
if crv == PbWKTypeECCurve.P_256:
curve = ec.SECP256R1()
elif crv == PbWKTypeECCurve.P_384:
curve = ec.SECP384R1()
elif crv == PbWKTypeECCurve.P_521:
curve = ec.SECP521R1()
else:
raise TypeError()
key = ec.generate_private_key(curve, default_backend())
return cls.from_key(key, **properties)
def from_jwk(jwk):
try:
obj = json.loads(jwk)
except ValueError:
raise InvalidKeyError('Key is not valid JSON')
if obj.get('kty') != 'EC':
raise InvalidKeyError('Not an Elliptic curve key')
if 'x' not in obj or 'y' not in obj:
raise InvalidKeyError('Not an Elliptic curve key')
x = base64url_decode(force_bytes(obj.get('x')))
y = base64url_decode(force_bytes(obj.get('y')))
curve = obj.get('crv')
if curve == 'P-256':
if len(x) == len(y) == 32:
curve_obj = ec.SECP256R1()
else:
raise InvalidKeyError(
"Coords should be 32 bytes for curve P-256")
elif curve == 'P-384':
if len(x) == len(y) == 48:
curve_obj = ec.SECP384R1()
else:
raise InvalidKeyError(
"Coords should be 48 bytes for curve P-384")
elif curve == 'P-521':
if len(x) == len(y) == 66:
curve_obj = ec.SECP521R1()
else:
raise InvalidKeyError(
"Coords should be 66 bytes for curve P-521")
else:
raise InvalidKeyError("Invalid curve: {}".format(curve))
public_numbers = ec.EllipticCurvePublicNumbers(
x=int_from_bytes(x, 'big'),
y=int_from_bytes(y, 'big'),
curve=curve_obj)
if 'd' not in obj:
return public_numbers.public_key(default_backend())
d = base64url_decode(force_bytes(obj.get('d')))
if len(d) != len(x):
raise InvalidKeyError("D should be {} bytes for curve {}",
len(x), curve)
return ec.EllipticCurvePrivateNumbers(int_from_bytes(
d, 'big'), public_numbers).private_key(default_backend())
def test_for_curve(self):
self.assertEqual(ALGORITHM.for_curve(ec.SECP224R1()), ALGORITHM.EC_P224)
self.assertEqual(ALGORITHM.for_curve(ec.SECP256R1()), ALGORITHM.EC_P256)
self.assertEqual(ALGORITHM.for_curve(ec.SECP384R1()), ALGORITHM.EC_P384)
self.assertEqual(ALGORITHM.for_curve(ec.SECP521R1()), ALGORITHM.EC_P521)
self.assertEqual(ALGORITHM.for_curve(ec.SECP256K1()), ALGORITHM.EC_K256)
self.assertEqual(ALGORITHM.for_curve(BRAINPOOLP256R1()),
ALGORITHM.EC_BP256)
self.assertEqual(ALGORITHM.for_curve(BRAINPOOLP384R1()),
ALGORITHM.EC_BP384)
self.assertEqual(ALGORITHM.for_curve(BRAINPOOLP512R1()),
ALGORITHM.EC_BP512)
def test_private_numbers_ne(self):
pub = ec.EllipticCurvePublicNumbers(1, 2, ec.SECP192R1())
priv = ec.EllipticCurvePrivateNumbers(1, pub)
assert priv != ec.EllipticCurvePrivateNumbers(
2, ec.EllipticCurvePublicNumbers(1, 2, ec.SECP192R1()))
assert priv != ec.EllipticCurvePrivateNumbers(
1, ec.EllipticCurvePublicNumbers(2, 2, ec.SECP192R1()))
assert priv != ec.EllipticCurvePrivateNumbers(
1, ec.EllipticCurvePublicNumbers(1, 3, ec.SECP192R1()))
assert priv != ec.EllipticCurvePrivateNumbers(
1, ec.EllipticCurvePublicNumbers(1, 2, ec.SECP521R1()))
assert priv != object()
def extract_key(self):
if self.kty == PbWKType.EC:
if self.kty_prop_ec.crv == PbWKTypeECCurve.P_256:
key_size = 256
x = BitArray(bytes=self.kty_prop_ec.x, length=key_size).uint
y = BitArray(bytes=self.kty_prop_ec.y, length=key_size).uint
public_numbers = ec.EllipticCurvePublicNumbers(
x, y, ec.SECP256R1())
elif self.kty_prop_ec.crv == PbWKTypeECCurve.P_384:
key_size = 384
x = BitArray(bytes=self.kty_prop_ec.x, length=key_size).uint
y = BitArray(bytes=self.kty_prop_ec.y, length=key_size).uint
public_numbers = ec.EllipticCurvePublicNumbers(
x, y, ec.SECP384R1())
elif self.kty_prop_ec.crv == PbWKTypeECCurve.P_521:
key_size = 521
x = BitArray(bytes=self.kty_prop_ec.x, length=key_size).uint
y = BitArray(bytes=self.kty_prop_ec.y, length=key_size).uint
public_numbers = ec.EllipticCurvePublicNumbers(
x, y, ec.SECP521R1())
# return private_key or public_key
if self.kty_prop_ec.d:
d = BitArray(bytes=self.kty_prop_ec.d, length=key_size).uint
private_numbers = ec.EllipticCurvePrivateNumbers(
d, public_numbers)
key = private_numbers.private_key(default_backend())
else:
key = public_numbers.public_key(default_backend())
elif self.kty == PbWKType.RSA:
n = BitArray(bytes=self.kty_prop_rsa.n).uint
e = BitArray(bytes=self.kty_prop_rsa.e).uint
public_numbers = rsa.RSAPublicNumbers(e, n)
# return private_key or public_key
if self.kty_prop_rsa.d:
d = BitArray(bytes=self.kty_prop_rsa.d).uint
p = BitArray(bytes=self.kty_prop_rsa.p).uint
q = BitArray(bytes=self.kty_prop_rsa.q).uint
dmp1 = BitArray(bytes=self.kty_prop_rsa.dp).uint
dmq1 = BitArray(bytes=self.kty_prop_rsa.dq).uint
iqmp = BitArray(bytes=self.kty_prop_rsa.qi).uint
private_numbers = rsa.RSAPrivateNumbers(
p, q, d, dmp1, dmq1, iqmp, public_numbers)
key = private_numbers.private_key(default_backend())
else:
key = public_numbers.public_key(default_backend())
elif self.kty == PbWKType.OCT:
key_size = len(self.kty_prop_oct.k) * 8
assert (key_size % 8 == 0)
key = BitArray(bytes=self.kty_prop_oct.k, length=key_size).bytes
else:
raise TypeError()
return key
def test_signer_es512():
payload = "Please take a moment to register today"
eck = ec.generate_private_key(ec.SECP521R1(), default_backend())
_key = ECKey().load_key(eck)
keys = [_key]
# keys[0]._keytype = "private"
_jws = JWS(payload, alg="ES512")
_jwt = _jws.sign_compact(keys)
_pubkey = ECKey().load_key(eck.public_key())
_rj = JWS()
info = _rj.verify_compact(_jwt, [_pubkey])
assert info == payload
def _get_curve_by_name(self, name):
if name == 'P-256':
return ec.SECP256R1()
elif name == 'P-384':
return ec.SECP384R1()
elif name == 'P-521':
return ec.SECP521R1()
elif name == 'secp256k1':
return ec.SECP256K1()
elif name in _OKP_CURVES_TABLE:
return name
else:
raise InvalidJWKValue('Unknown Elliptic Curve Type')
def ecc_key(self,key_size_length_change,key_name):
if key_size_length_change == 1:
curve = ec.SECP256R1()
elif key_size_length_change == 2:
curve = ec.SECP384R1()
elif key_size_length_change == 3:
curve = ec.SECP521R1()
key = ec.generate_private_key(curve=curve,backend=default_backend())
with open(key_name+".key","wb") as f:
f.write(key.private_bytes(encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),))
def _curve_from_curve_id(cid: int) -> EllipticCurve:
if cid == TPM_ECC_NIST_P192:
return crypto_ec.SECP192R1()
if cid == TPM_ECC_NIST_P224:
return crypto_ec.SECP224R1()
if cid == TPM_ECC_NIST_P256:
return crypto_ec.SECP256R1()
if cid == TPM_ECC_NIST_P384:
return crypto_ec.SECP384R1()
if cid == TPM_ECC_NIST_P521:
return crypto_ec.SECP521R1()
raise ValueError(f"Invalid curve id {cid} requested")
def _load_ecdsa(key, is_verifier):
if key.get('kty') != 'EC':
raise JWKError('Not an Elliptic curve key')
if 'x' not in key or 'y' not in key:
raise JWKError('Not an Elliptic curve key')
x = base64.urlsafe_b64decode(key.get('x'))
y = base64.urlsafe_b64decode(key.get('y'))
curve = key.get('crv')
if curve == 'P-256':
if len(x) == len(y) == 32:
alg = 'ES256'
curve_obj = ec.SECP256R1()
else:
raise JWKError("Coords should be 32 bytes for curve P-256")
elif curve == 'P-384':
if len(x) == len(y) == 48:
alg = "ES384"
curve_obj = ec.SECP384R1()
else:
raise JWKError("Coords should be 48 bytes for curve P-384")
elif curve == 'P-521':
if len(x) == len(y) == 66:
alg = "ES512"
curve_obj = ec.SECP521R1()
else:
raise JWKError("Coords should be 66 bytes for curve P-521")
else:
raise JWKError("Invalid curve: {}".format(curve))
public_numbers = ec.EllipticCurvePublicNumbers(x=int_from_bytes(x, 'big'),
y=int_from_bytes(y, 'big'),
curve=curve_obj)
if not is_verifier:
if 'd' not in key:
raise JWKError("Signing ECDSA keys must contain private key")
d = base64.urlsafe_b64decode(key.get('d'))
if len(d) != len(x):
raise JWKError("D should be {} bytes for curve {}", len(x), curve)
key = ec.EllipticCurvePrivateNumbers(int_from_bytes(
d, 'big'), public_numbers).private_key(default_backend())
else:
key = public_numbers.public_key(default_backend())
return alg, key
def to_curve(self):
if self == TpmEccCurve.NONE:
raise ValueError("No such curve")
elif self == TpmEccCurve.NIST_P192:
return ec.SECP192R1()
elif self == TpmEccCurve.NIST_P224:
return ec.SECP224R1()
elif self == TpmEccCurve.NIST_P256:
return ec.SECP256R1()
elif self == TpmEccCurve.NIST_P384:
return ec.SECP384R1()
elif self == TpmEccCurve.NIST_P521:
return ec.SECP521R1()
raise ValueError("curve is not supported", self)
