def test_array(self):
# Generate Bob's private key, as we've done in the Box example
private = PrivateKey.generate()
public = private.public_key
private_bytes = bytes(private)
public_bytes = bytes(public)
f = open(os.path.join(os.getcwd(), 'private.key'), 'wb')
f.write(private_bytes)
f.close()
f = open(os.path.join(os.getcwd(),'public.key'), 'wb')
f.write(public_bytes)
f.close()
with open(os.path.join(os.getcwd(), "private.key"), "rb") as f:
priv_byte = f.read()
with open(os.path.join(os.getcwd(), "public.key"), "rb") as pubf:
pubf_byte = pubf.read()
public_key = PublicKey(pubf_byte)
private_key = PrivateKey(priv_byte)
test_message = "This a test message!"
sealed_box = SealedBox(public_key)
encrypted_text = sealed_box.encrypt(bytes(test_message, "utf-8"))
unseal = SealedBox(private_key)
result = unseal.decrypt(encrypted_text)
print(result.decode("utf-8"))
self.assertEqual(result.decode("utf-8"),test_message)
def test_sealed_box_too_short_msg():
empty_plaintext = b''
k = PrivateKey.generate()
enc_box = SealedBox(k.public_key)
dec_box = SealedBox(k)
msg = enc_box.encrypt(empty_plaintext)
with pytest.raises(CryptoError):
dec_box.decrypt(msg[:-1])
def test_sealed_box_zero_length_plaintext():
empty_plaintext = b''
k = PrivateKey.generate()
enc_box = SealedBox(k.public_key)
dec_box = SealedBox(k)
msg = enc_box.encrypt(empty_plaintext)
decoded = dec_box.decrypt(msg)
assert decoded == empty_plaintext
def test_sealed_box_creation():
pub = PublicKey(
b"ec2bee2d5be613ca82e377c96a0bf2220d823ce980cdff6279473edc52862798",
encoder=HexEncoder,
)
priv = PrivateKey(
b"5c2bee2d5be613ca82e377c96a0bf2220d823ce980cdff6279473edc52862798",
encoder=HexEncoder,
)
SealedBox(priv)
SealedBox(pub)
def test_sealed_box_encryption(privalice, pubalice, plaintext, _encrypted):
pubalice = PublicKey(pubalice, encoder=HexEncoder)
privalice = PrivateKey(privalice, encoder=HexEncoder)
box = SealedBox(pubalice)
encrypted = box.encrypt(binascii.unhexlify(plaintext), encoder=HexEncoder,)
assert encrypted != _encrypted
# since SealedBox.encrypt uses an ephemeral sender's keypair
box2 = SealedBox(privalice)
decrypted = box2.decrypt(encrypted, encoder=HexEncoder,)
assert binascii.hexlify(decrypted) == plaintext
assert bytes(box) == bytes(box2)
def complete_distance_verification(self, db_challenge, db_response, epoch, voting_group, distance_result):
# derive secret key from db_challenge/db_response
secret_key = db_response # TODO not quite right but ok
# kinda shady caching -- *should* return some value that the distance verifier can pass
if self._cached_voting_group_hash is not None:
voting_group_hash = self._cached_voting_group_hash
else:
voting_group_hash = makehash(voting_group)
self._cached_voting_group = set(voting_group)
self._cached_voting_group_hash = voting_group_hash
# verification
user_public_key = self.db_to_pk.get(secret_key)
if user_public_key is None:
raise Exception('KeyAuthority: could not find DB Key -> PK mapping')
user_public_key_str = get_key_string(user_public_key)
if user_public_key_str not in self._cached_voting_group:
raise Exception('KeyAuthority: user PK not in voting group')
user_token = makehash((epoch, voting_group_hash, user_public_key_str, secret_key))
pdp = self.signing_key.sign(obj2bytes((distance_result, voting_group_hash, user_token)))
sdp = self.signing_key.sign(obj2bytes((user_public_key_str, pdp)))
esdp = SealedBox(user_public_key).encrypt(sdp)
return esdp
def read_secret_msg(receiver_private_key, msg):
try:
key = receiver_private_key.to_curve25519_private_key()
unseal_box = SealedBox(key)
return unseal_box.decrypt(msg)
except nacl.exceptions.CryptoError:
return "wrong secret key"
def asymmetric_decrypt(prv_key, data):
"""
Perform asymmetric decryption using libsodium sealedbox (Curve25519, XSalsa20-Poly1305)
"""
prv_key = PrivateKey(prv_key, RawEncoder)
data = _convert_to_bytes(data)
return SealedBox(prv_key).decrypt(data)
def _poll_handshake_file(self):
"""Check if a client has created a handshake file. If so, parse the file and store
the session key"""
# check for file with valid name
with self.xmit_lock:
files = list_files(self.ftps)
for f in files:
s_id, direction, seq = parse_tunnel_filename(f[0])
if s_id is not None and direction == 0 and seq == 0:
# check if contents of file is encrypted with this proxy's public key
data = get_file_contents(self.ftps, f[0])
try:
# attempt to decrypt the received message
unseal_box = SealedBox(self.private_key)
self.session_key = unseal_box.decrypt(data)
self.session_id = s_id
return
except Exception as e:
# file contents not encrypted with proxy's key
continue
# update heartbeat if needed
if self.heart + PROXY_HEARTBEAT_TIMEOUT < time.time():
upload_binary_data(self.ftps, self.my_proxy_id, generate_proxy_descriptor(self.public_key))
self.heart = time.time()
def test_sealed_box_decryption(privalice, pubalice, plaintext, encrypted):
pubalice = PublicKey(pubalice, encoder=HexEncoder)
privalice = PrivateKey(privalice, encoder=HexEncoder)
box = SealedBox(privalice)
decrypted = box.decrypt(encrypted, encoder=HexEncoder,)
assert binascii.hexlify(decrypted) == plaintext
def handle(self, *args, **options): # pylint: disable=too-many-locals, too-many-branches, too-many-statements
if options['key'] is None:
options['key'] = getpass.getpass('Enter private key: ')
box = SealedBox(PrivateKey(base64.b64decode(options['key'])))
original_path = options['file']
try:
with open(original_path, 'rb') as original_file:
print('Decrypting ' + str(original_path) + '...')
try:
cleartext = box.decrypt(original_file.read())
filename = original_path.replace('.encrypted', '')
with open(filename, 'wb') as file_obj:
file_obj.write(cleartext)
print('Decrypted ' + str(original_path) + ' to ' +
filename + '.')
except CryptoError:
print('Unable to decrypt ' + str(original_path) +
' (CryptoError). Please investigate manually.')
if options['file_pk'] > 0:
traceback.print_exc()
except MemoryError:
print('Unable to decrypt ' + str(original_path) +
' (MemoryError). Please investigate manually.')
except IOError:
traceback.print_exc()
print('Unable to decrypt ' + str(original_path) +
' (IOError). Please investigate manually.')
def rx_privatemessage(self):
print("privatemessage api called")
target_username = cherrypy.request.json["target_username"]
print("received: " + target_username)
print("actual: " + username)
target_pubkey = cherrypy.request.json["target_pubkey"]
print("received: " + target_pubkey)
print("actual: " + pubkey_hex_str)
time_str = str(time.time())
if (username == target_username and pubkey_hex_str == target_pubkey):
certificate = cherrypy.request.json["loginserver_record"]
sender_username = certificate[0:7]
try:
private_key_curve = signing_key.to_curve25519_private_key()
unseal_box = SealedBox(private_key_curve)
message_encrypted = bytes(
cherrypy.request.json["encrypted_message"],
encoding='utf-8')
message_decrypted = unseal_box.decrypt(
message_encrypted, encoder=nacl.encoding.HexEncoder)
message = message_decrypted.decode('utf-8')
print(message)
database.add_message(username, sender_username, message,
time_str)
return {'response': 'ok'}
except nacl.exceptions.CryptoError:
return {'response': 'not decrypted'}
return {'response': 'wrong target user'}
def generate_token(self,
private_key,
metadata=None,
enc_key=None,
token_type=None):
claims = {}
metadata = json.loads(metadata)
#create token_id
if 'aud' in metadata:
claims['aud'] = metadata['aud']
if 'sub' in metadata:
claims['sub'] = metadata['sub']
if 'exp' in metadata:
claims['exp'] = metadata['exp']
if 'nbf' in metadata:
claims['nbf'] = metadata['nbf']
claims['jti'] = random.getrandbits(256)
token = jwt.encode(claims, private_key, algorithm='RS256')
if enc_key:
public_key = nacl.public.PublicKey(enc_key,
nacl.encoding.HexEncoder)
sealed_box = SealedBox(public_key)
token = sealed_box.encrypt(token)
token = base64.urlsafe_b64encode(token)
#return 200, {'code':200,'message':token.decode('utf-8')}
return token, claims
def _box():
try:
nonce = nacl.utils.random(Box.NONCE_SIZE)
box = SealedBox(PublicKey(pubKey))
return box.encrypt(msg, nonce)
except Exception:
return
def asymmetric_encrypt(pub_key, data):
"""
Perform asymmetric encryption using libsodium sealedbox (Curve25519, XSalsa20-Poly1305)
"""
pub_key = PublicKey(pub_key, RawEncoder)
data = _convert_to_bytes(data)
return SealedBox(pub_key).encrypt(data)
async def test_valid_auth_code_ecn_token():
privateKeyHex = 'd686cb5b1e7866c657af66b6c365dd8f1523678dbf1a9d0344c5e9c38847c034'
publicKeyHex = '34a0d7e2c95b24c9c87e47ce4e528c3814a8516528b4095c84b49908390b7a24'
nbf = time.mktime(datetime.datetime(2020, 4, 1, 00, 00).timetuple())
exp = time.mktime(datetime.datetime(2020, 4, 1, 23, 59).timetuple())
payload = {
'grant-type': 'auth_code',
'grant': 'shared_secret_key',
'metadata': json.dumps({
'aud': 'sofie-iot.eu',
'nbf': nbf,
'exp': exp
}),
'enc-key': publicKeyHex
}
response = requests.post("http://localhost:9001/gettoken",
data=payload).text
response = json.loads(response)
enc64 = response['message']
enc = base64.urlsafe_b64decode(enc64)
private_key = nacl.public.PrivateKey(privateKeyHex,
nacl.encoding.HexEncoder)
sealed_box = SealedBox(private_key)
msg = sealed_box.decrypt(enc)
assert (response['code'] == 200)
def _retrieve_service_generated_cert(self, request, dek_info):
"""
:param CertificateRequest request:
:param EdgeEncryptionKey dek_info:
:rtype: Certificate
"""
box = SealedBox(dek_info.public_key)
encrypted_key_pass = box.encrypt(request.key_password)
body = {
'exportFormat':
'PEM',
'encryptedPrivateKeyPassphrase':
base64.b64encode(encrypted_key_pass).decode('utf-8'),
'encryptedKeystorePassphrase':
'',
'certificateLabel':
''
}
url = URLS.CERTIFICATE_KEYSTORE_BY_ID.format(request.cert_guid)
status, data = self._post(url, data=body)
if status not in (HTTPStatus.OK, HTTPStatus.CREATED,
HTTPStatus.ACCEPTED):
log.error("Some error")
raise VenafiError
cert, chain, private_key = zip_to_pem(data, request.chain_option)
return Certificate(cert=cert, chain=chain, key=private_key)
def generate_zos_keys(self, node_public_key):
"""
Generate a new set of wireguard key pair and encrypt
the private side using the public key of a 0-OS node.
This implementation match the format 0-OS except to be able
to read wireguard keys into network reservations.
:param node_public_key: hex encoded public key of 0-OS node.
This is the format you find in the explorer
:type node_public_key: str
:return: tuple containing 3 fields (private key, private key encrypted, public key)
:rtype: typle
"""
wg_private_base64, wg_public_base64 = self.generate_key_pair()
node_public_bin = j.data.hash.hex2bin(node_public_key)
node_public = VerifyKey(node_public_bin)
box = SealedBox(node_public.to_curve25519_public_key())
wg_private_encrypted = box.encrypt(wg_private_base64)
wg_private_encrypted_hex = j.data.hash.bin2hex(wg_private_encrypted)
return (wg_private_base64.decode(), wg_private_encrypted_hex.decode(),
wg_public_base64.decode())
def serialise(self, signing_key: SigningKey):
# Create buffer
buffer = BytesIO()
# Write magic number
buffer.write(Frame.MAGIC_NUMBER)
# Write the destination key
buffer.write(self.destination.serialise().read())
# Write the origin key
buffer.write(self.origin.serialise().read())
# Write the via field
buffer.write(self.via.serialise().read())
# Create a box to send the signed data in
box = SealedBox(self.destination.public_key)
# Sign the payload
signed = signing_key.sign(self.payload.read())
# Encrypt and write the data to the buffer
buffer.write(box.encrypt(signed))
# Rewind the buffer
buffer.seek(0, 0)
# Return the buffer
return buffer
def encrypt_password(password, public_key):
node_public_bin = j.data.hash.hex2bin(public_key)
node_public = VerifyKey(node_public_bin)
box = SealedBox(node_public.to_curve25519_public_key())
pasword_encrypted = box.encrypt(password.encode())
pasword_encrypted_hex = j.data.hash.bin2hex(pasword_encrypted)
return pasword_encrypted_hex
def decrypt_sealed_box(encrypted, secret):
secret = check_key(secret)
secret = bytes.fromhex(secret)
secret = PrivateKey(private_key=secret)
unseal_box = SealedBox(secret)
encrypted = base64.b64decode(encrypted)
plaintext = unseal_box.decrypt(encrypted)
return plaintext.decode('utf-8')
def encrypt_sealed_box(message, public_rec):
message = message.encode('utf-8')
public_rec = check_key(public_rec)
public_rec = bytes.fromhex(public_rec)
public_rec = PublicKey(public_key=public_rec)
sealed_box = SealedBox(public_rec)
encrypted = sealed_box.encrypt(message)
return base64.b64encode(encrypted).decode('utf-8')
def encrypt(message, key, output):
message_bytes = message.encode('ascii')
with open(key, mode="rb") as key_file:
key_bytes = key_file.read()
with open(output, "wb") as output_file:
pub_key = PublicKey(key_bytes)
sealed_box = SealedBox(pub_key)
output_file.write(sealed_box.encrypt(message_bytes))
def upload_side_effect(encrypted_filename, encrypted_data, file_type):
"""Verify the encrypted file exists at this point"""
# verify the upload was triggered with the expected encrypted filename and that file exists
assert SealedBox(private_key).decrypt(
encrypted_data) == file_contents
assert encrypted_filename == expected_encrypted_filename
assert file_type == 'sometype'
return expected_encrypted_keypath
def decrypt():
encrypted_bin = read_file('encrypted.txt', True)
secret_key_bin = read_file('secret_key.txt', True)
secret_key = PrivateKey(secret_key_bin)
sealed_box = SealedBox(secret_key)
decrypted_bin = sealed_box.decrypt(encrypted_bin)
decrypted_utf8 = decrypted_bin.decode('utf-8')
write_file("decrypted.txt", decrypted_utf8)
def encrypt():
decrypted_utf8 = read_file('decrypted.txt')
decrypted_bin = bytes(decrypted_utf8, 'utf-8')
public_key_bin = read_file('public_key.txt', True)
public_key = PublicKey(public_key_bin)
sealed_box = SealedBox(public_key)
encrypted_bin = sealed_box.encrypt(decrypted_bin)
write_file("encrypted.txt", encrypted_bin, True)
def privateMessage(self, message, targetUsername, apiKey, prikey):
#self, message, targetusername, apikey, prikey
client_saved_at = str(time.time())
sqlite.insertPM(self, self.username, targetUsername, self.username,
targetUsername, message, client_saved_at)
data = sqlite.getOnline(self)
for i in range(len(data["name"])):
if (data["name"][i] == targetUsername):
address = data["address"][i]
url = "http://" + address + "/api/rx_privatemessage"
loginserver_record = self.LoginServerRecord(apiKey)
target_pubkey = str(sqlite.findOnline(self, str(targetUsername)))
print(target_pubkey)
pubkey = nacl.signing.VerifyKey(target_pubkey,
encoder=nacl.encoding.HexEncoder)
curvedrxpubkey = pubkey.to_curve25519_public_key()
sealed_box = SealedBox(curvedrxpubkey)
message = bytes(message, encoding='utf-8')
encrypted = sealed_box.encrypt(message,
encoder=nacl.encoding.HexEncoder)
signed = bytes(loginserver_record + target_pubkey + targetUsername +
encrypted.decode('utf-8') + client_saved_at,
encoding='utf-8')
signature = prikey.sign(signed, encoder=nacl.encoding.HexEncoder)
headers = {
'X-username': self.username,
'X-apikey': apiKey,
'Content-Type': 'application/json; charset=utf-8',
}
payload = {
"loginserver_record": loginserver_record,
"target_pubkey": target_pubkey,
"target_username": targetUsername,
"encrypted_message": encrypted.decode('utf-8'),
"sender_created_at": client_saved_at,
"signature": signature.signature.decode('utf-8')
}
payload_str = json.dumps(payload)
json_payload = payload_str.encode("utf-8")
try:
req = urllib.request.Request(url,
data=json_payload,
headers=headers)
response = urllib.request.urlopen(req)
data = response.read()
encoding = response.info().get_content_charset('utf-8')
response.close()
except urllib.error.HTTPError as error:
print("$$$$$$$$$$$$$$$$$$")
print(error.read())
exit()
print("##############33")
print(data)
print("#################")
JSON_object = json.loads(str(data.decode(encoding)))
print(JSON_object)
def test_sealed_box_public_key_cannot_decrypt(_privalice, pubalice,
_plaintext, encrypted):
pubalice = PublicKey(pubalice, encoder=HexEncoder)
box = SealedBox(pubalice)
with pytest.raises(TypeError):
box.decrypt(
encrypted,
encoder=HexEncoder,
)
def auth():
auth_host = '10.50.8.128'
#with open('private_key', 'rb') as f:
#f.write('Hello\n')
with open('private_key') as f:
encoded_private_key = f.read()
with open('public_key') as f:
encoded_public_key = f.read()
loaded_public_key = PublicKey(encoded_public_key,
encoder=nacl.encoding.Base64Encoder)
loaded_private_key = PrivateKey(encoded_private_key,
encoder=nacl.encoding.Base64Encoder)
# assert loaded_public_key.encode() == loaded_private_key.public_key.encode()
#assert loaded_public_key.encode() == loaded_private_key.public_key.encode()
print(loaded_public_key.encode())
print(loaded_private_key.public_key.encode())
private_key = loaded_private_key
public_key = loaded_public_key
# return 1
# private_key = private_key_b64.decode('base64')
# public_key = public_key_b64.decode('base64')
# with open('public_key', 'rb') as f:
# f.write(encoded_public_key)
# with open('x.py') as f: s = f.read()
# # Generate Bob's private key, as we've done in the Box example
# skbob = PrivateKey.generate()
# pkbob = skbob.public_key
#return private_key
# Alice wishes to send a encrypted message to Bob,
# but prefers the message to be untraceable
#sealed_box = SealedBox(pkbob)
sealed_box = SealedBox(private_key)
# This is Alice's message
message = b"Kill all kittens"
# Encrypt the message, it will carry the ephemeral key public part
# to let Bob decrypt it
encrypted = sealed_box.encrypt(message)
msg = base64.b64encode(encrypted)
msg = encoded_public_key
#data = {'name': 'jtest', 'ipaddr': '192.168.0.2' 'public_key': b'\x8e\x05{\xe2\xcby:\x0b\xeb\xe69\xac|\x96\xff\xa4\xdaE\x89^\xa7\xaf\x90\x83\x14)bP\x0c\n\x85l'}
#data = {'msg': ''}
data = {'msg': msg}
print(data)
#return 1
#r = requests.post('https://stats.rchain.me:30443/auth', data = data)
r = requests.post(f'https://{auth_host}:30443/auth', data=data)
print(r)
text = r.text
content = r.content
print(text)
print(content)
def test_wrong_types():
priv = PrivateKey.generate()
check_type_error(("SealedBox must be created from a PublicKey"
" or a PrivateKey"), SealedBox, priv.encode())
check_type_error(("SealedBox must be created from a PublicKey"
" or a PrivateKey"), SealedBox, priv.public_key.encode())
with pytest.raises(TypeError):
SealedBox(priv, priv.public_key)