def post(self, request):
form = USF(request.POST)
if not form.is_valid():
raise RuntimeError("Invalid HTML Form submitted")
password = form.cleaned_data['password']
pseudonym = form.cleaned_data['pseudonym']
kdf = KDF(
algorithm=hashes.Whirlpool(),
length=int(
32 + 32), # 32: Edwards25519 seed, second 32: Curve25519 seed
salt=whirlpool(pseudonym.encode()),
iterations=int(1e6),
backend=default_backend())
key = kdf.derive(password.encode())
edkey = signfool.SigningKey(
key[0:32]
) # Use the first 32-bytes of the derived key as Edwards25519 seed
cvkp = pubfool.PrivateKey(
key[32:64]) # Use the second half as Curve25519 seed
try:
sig = db.get('gks').sign(cvkp.public_key.encode(encoder=b64))
except KeyError:
return render(request, 'freakedup.html',
{'err': "You are not part of a group, yet"})
db.set("user-edkeys", edkey)
db.set("user-cvkeys", cvkp)
db.set("user-keysig", sig)
edkey_fingerprint = base64.b64encode(whirlpool(
edkey._signing_key)).decode()
cvkey_fingerprint = base64.b64encode(whirlpool(
cvkp._private_key)).decode()
ctx = dict(edkey_fp=edkey_fingerprint,
cvkey_fp=cvkey_fingerprint,
sig=base64.b64encode(sig).decode())
return render(request, 'user.post.html', ctx)
def from_raw_key(cls, filename, comment=None):
"""
Load an Ed25519 (private) signing key (actually, the seed for the key) from a raw file of 32 bytes length.
This can be any random byte sequence, such as generated from Python code like
os.urandom(32)
or from the shell
dd if=/dev/urandom of=client02.key bs=1 count=32
:param filename: Filename of the key.
:type filename: unicode
:param comment: Comment for key (optional).
:type comment: unicode or None
"""
if not (comment is None or type(comment) == six.text_type):
raise Exception("invalid type {} for comment".format(
type(comment)))
if type(filename) != six.text_type:
raise Exception(
"invalid type {} for filename".format(filename))
with open(filename, 'rb') as f:
keydata = f.read()
if len(keydata) != 32:
raise Exception("invalid key length {}".format(len(keydata)))
key = signing.SigningKey(keydata)
return cls(key, comment)
def test_get_key_of_expected_type(self):
raw_seed = os.urandom(32)
signing_key = ed25519.SigningKey(raw_seed)
verify_key = signing_key.verify_key
assert _get_key_of_expected_type(signing_key,
ed25519.SigningKey) == signing_key
assert _get_key_of_expected_type(verify_key,
ed25519.VerifyKey) == verify_key
def __init__(self):
"""Load or initialize crypto keys."""
try:
with open("key", "rb") as keys_file:
keys = keys_file.read()
except IOError:
keys = None
if keys:
self.pkey = public.PrivateKey(keys, STORE_ENC)
self.skey = signing.SigningKey(keys, STORE_ENC)
else:
kp = public.PrivateKey.generate()
with open("key", "wb") as keys_file:
keys_file.write(kp.encode(STORE_ENC))
self.pkey = kp
self.skey = signing.SigningKey(bytes(self.pkey),
nacl.encoding.RawEncoder)
def from_key_bytes(cls, keydata, comment=None):
if not (comment is None or type(comment) == six.text_type):
raise ValueError("invalid type {} for comment".format(type(comment)))
if len(keydata) != 32:
raise ValueError("invalid key length {}".format(len(keydata)))
key = signing.SigningKey(keydata)
return cls(key, comment)
def from_raw_ed25519_seed(cls, raw_seed: bytes) -> "Keypair":
"""Generate a :class:`Keypair` object from ed25519 secret key seed raw bytes.
:param raw_seed: ed25519 secret key seed raw bytes
:return: A new :class:`Keypair` instance derived by the ed25519 secret key seed raw bytes
"""
signing_key = ed25519.SigningKey(raw_seed)
verify_key = signing_key.verify_key
return cls(verify_key, signing_key)
def from_key_bytes(cls, keydata, comment=None):
if not (comment is None or type(comment) == str):
raise ValueError("invalid type {} for comment".format(type(comment)))
if type(keydata) != bytes:
raise ValueError("invalid key type {} (expected binary)".format(type(keydata)))
if len(keydata) != 32:
raise ValueError("invalid key length {} (expected 32)".format(len(keydata)))
key = signing.SigningKey(keydata)
return cls(key, comment)
def to_public_key(mnemonic):
"""
Return the public key for the mnemonic.
Args:
mnemonic (str): mnemonic of the public key
Returns:
str: public key in base32
"""
key_bytes = _to_key(mnemonic)
key = signing.SigningKey(key_bytes)
return encoding.encode_address(key.verify_key.encode())
def to_private_key(mnemonic):
"""
Return the private key for the mnemonic.
Args:
mnemonic (str): mnemonic of the private key
Returns:
str: private key in base64
"""
key_bytes = _to_key(mnemonic)
key = signing.SigningKey(key_bytes)
return base64.b64encode(key.encode() + key.verify_key.encode()).decode()
def __init__(self,
keypair: Optional[nacl.public.PrivateKey] = None) -> None:
"""Create a new keypair instance.
Generate random keypair if no keypair is provided. Initialize class variables.
"""
if keypair is None:
# the PrivateKey object comes with a public key too
self._keypair = nacl.public.PrivateKey.generate()
else:
self._keypair = keypair
verify_key = signing.SigningKey(bytes(self._keypair)).verify_key
self._public_key = solana.publickey.PublicKey(verify_key)
def from_raw(cls, filename, comment=None):
"""
Load a Ed25519 private key (actually, the seed for the key) from a raw file of 32 bytes length.
This can be any random byte sequence, such as generated from Python code like
os.urandom(32)
or from the shell
dd if=/dev/urandom of=client02.key bs=1 count=32
"""
with open(filename, 'rb') as f:
keydata = f.read()
# key = public.PrivateKey(keydata)
key = signing.SigningKey(keydata)
return cls(key, comment, True)
def sign(self, msg: bytes) -> signing.SignedMessage:
"""Sign a message with this account.
:param msg: message to sign.
:returns: A signed messeged object.
>>> secret_key = bytes([1] * 32)
>>> acc = Account(secret_key)
>>> msg = b"hello"
>>> signed_msg = acc.sign(msg)
>>> signed_msg.signature.hex()
'e1430c6ebd0d53573b5c803452174f8991ef5955e0906a09e8fdc7310459e9c82a402526748c3431fe7f0e5faafbf7e703234789734063ee42be17af16438d08'
>>> signed_msg.message.decode('utf-8')
'hello'
""" # pylint: disable=line-too-long
return signing.SigningKey(self.secret_key()).sign(msg)
def from_ssh_data(cls, keydata):
"""
Load an Ed25519 key from SSH key file. The key file can be a (private) signing
key (from a SSH private key file) or a (public) verification key (from a SSH
public key file). A private key file must be passphrase-less.
"""
SSH_BEGIN = u'-----BEGIN OPENSSH PRIVATE KEY-----'
if keydata.startswith(SSH_BEGIN):
# OpenSSH private key
keydata, comment = _read_ssh_ed25519_privkey(keydata)
key = signing.SigningKey(keydata, encoder=encoding.RawEncoder)
else:
# OpenSSH public key
keydata, comment = _read_ssh_ed25519_pubkey(keydata)
key = signing.VerifyKey(keydata)
return cls(key, comment)
def FromBytes(cls, key_bytes: bytes) -> IPrivateKey:
"""
Construct class from key bytes.
Args:
key_bytes (bytes): Key bytes
Returns:
IPrivateKey: IPrivateKey object
Raises:
ValueError: If key bytes are not valid
"""
try:
return cls(signing.SigningKey(key_bytes))
except (exceptions.RuntimeError, exceptions.ValueError) as ex:
raise ValueError("Invalid private key bytes") from ex
def from_ssh_key(cls, filename):
"""
Load an Ed25519 key from a SSH key file. The key file can be a (private) signing
key (from a SSH private key file) or a (public) verification key (from a SSH
public key file). A private key file must be passphrase-less.
"""
SSH_BEGIN = u'-----BEGIN OPENSSH PRIVATE KEY-----'
with open(filename, 'r') as f:
keydata = f.read().strip()
if keydata.startswith(SSH_BEGIN):
# OpenSSH private key
keydata, comment = _read_ssh_ed25519_privkey(keydata)
key = signing.SigningKey(keydata, encoder=encoding.RawEncoder)
else:
# OpenSSH public key
keydata, comment = _read_ssh_ed25519_pubkey(filename)
key = public.PublicKey(keydata, encoder=encoding.RawEncoder)
return cls(key, comment)
def sign(self, msg: bytes) -> signing.SignedMessage:
"""Sign a message with this keypair.
Args:
msg: message to sign.
Returns:
A signed messeged object.
Example:
>>> seed = bytes([1] * 32)
>>> keypair = Keypair.from_seed(seed)
>>> msg = b"hello"
>>> signed_msg = keypair.sign(msg)
>>> signed_msg.signature.hex()
'e1430c6ebd0d53573b5c803452174f8991ef5955e0906a09e8fdc7310459e9c82a402526748c3431fe7f0e5faafbf7e703234789734063ee42be17af16438d08'
>>> signed_msg.message.decode('utf-8')
'hello'
""" # pylint: disable=line-too-long
return signing.SigningKey(self.seed).sign(msg)
def _maybe_generate_node_key(cbdir, privfile='key.priv', pubfile='key.pub'):
privkey_path = os.path.join(cbdir, privfile)
pubkey_path = os.path.join(cbdir, pubfile)
# node private key seems to exist already: read and check!
if os.path.exists(privkey_path):
# read all tags, including private tags
priv_tags = _parse_node_key(privkey_path, private=True)
# check mandatory tags - the following tags are optional:
# - node-authid
# - node-cluster-ip
# - public-adr-eth
# - private-key-eth
for tag in [
'creator', 'created-at', 'machine-id', 'public-key-ed25519',
'private-key-ed25519'
]:
if tag not in priv_tags:
raise Exception(
"Corrupt node private key file {} - {} tag not found".
format(privkey_path, tag))
privkey_hex = priv_tags['private-key-ed25519']
privkey = signing.SigningKey(privkey_hex, encoder=encoding.HexEncoder)
pubkey = privkey.verify_key
pubkey_hex = pubkey.encode(encoder=encoding.HexEncoder).decode('ascii')
# check that the public key in the key file matches the private key therein
if priv_tags['public-key-ed25519'] != pubkey_hex:
raise Exception((
"Inconsistent node private key file {} - public-key-ed25519 doesn't"
" correspond to private-key-ed25519").format(privkey_path))
eth_pubadr = None
eth_privkey_seed_hex = priv_tags.get('private-key-eth', None)
if eth_privkey_seed_hex:
eth_privkey_seed = binascii.a2b_hex(eth_privkey_seed_hex)
eth_privkey = KeyAPI(NativeECCBackend).PrivateKey(eth_privkey_seed)
eth_pubadr = eth_privkey.public_key.to_checksum_address()
if 'public-adr-eth' in priv_tags:
if priv_tags['public-adr-eth'] != eth_pubadr:
raise Exception((
"Inconsistent node private key file {} - public-adr-eth doesn't"
" correspond to private-key-eth").format(privkey_path))
if os.path.exists(pubkey_path):
pub_tags = _parse_node_key(pubkey_path, private=False)
# node-authid and node-cluster-ip are optional!
for tag in [
'creator', 'created-at', 'machine-id', 'public-key-ed25519'
]:
if tag not in pub_tags:
raise Exception(
"Corrupt node public key file {} - {} tag not found".
format(pubkey_path, tag))
if pub_tags['public-key-ed25519'] != pubkey_hex:
raise Exception((
"Inconsistent node public key file {} - public-key-ed25519 doesn't"
" correspond to private-key-ed25519 in private key file {}"
).format(pubkey_path, privkey_path))
if pub_tags.get('public-adr-eth', None) != eth_pubadr:
raise Exception((
"Inconsistent node public key file {} - public-adr-eth doesn't"
" correspond to private-key-eth in private key file {}"
).format(pubkey_path, privkey_path))
else:
log.info(
"Node public key file {pub_path} not found - re-creating from node private key file {priv_path}",
pub_path=pubkey_path,
priv_path=privkey_path,
)
pub_tags = OrderedDict([
('creator', priv_tags['creator']),
('created-at', priv_tags['created-at']),
('machine-id', priv_tags['machine-id']),
('node-authid', priv_tags.get('node-authid', None)),
('node-cluster-ip', priv_tags.get('node-cluster-ip', None)),
('public-key-ed25519', pubkey_hex),
('public-adr-eth', eth_pubadr),
])
msg = 'Crossbar.io node public key\n\n'
_write_node_key(pubkey_path, pub_tags, msg)
log.info(
'Node key files exist and are valid. Node public key is {pubkey}',
pubkey=hlid('0x' + pubkey_hex))
was_new = False
else:
# node private key does not yet exist: generate a new one
# Node key (Ed25519)
privkey = signing.SigningKey.generate()
privkey_hex = privkey.encode(
encoder=encoding.HexEncoder).decode('ascii')
pubkey = privkey.verify_key
pubkey_hex = pubkey.encode(encoder=encoding.HexEncoder).decode('ascii')
# Node Ethereum key
eth_privkey_seed = os.urandom(32)
eth_privkey_seed_hex = binascii.b2a_hex(eth_privkey_seed).decode()
eth_privkey = KeyAPI(NativeECCBackend).PrivateKey(eth_privkey_seed)
eth_pubadr = eth_privkey.public_key.to_checksum_address()
if 'CROSSBAR_NODE_ID' in os.environ and os.environ[
'CROSSBAR_NODE_ID'].strip() != '':
node_authid = os.environ['CROSSBAR_NODE_ID']
log.info(
'using node_authid from environment variable CROSSBAR_NODE_ID: "{node_authid}"',
node_authid=node_authid)
else:
node_authid = socket.gethostname()
log.info('using node_authid from hostname: "{node_authid}"',
node_authid=node_authid)
if 'CROSSBAR_NODE_CLUSTER_IP' in os.environ and os.environ[
'CROSSBAR_NODE_CLUSTER_IP'].strip() != '':
node_cluster_ip = os.environ['CROSSBAR_NODE_CLUSTER_IP']
log.info(
'using node_cluster_ip from environment variable CROSSBAR_NODE_CLUSTER_IP: "{node_cluster_ip}"',
node_cluster_ip=node_cluster_ip)
else:
node_cluster_ip = '127.0.0.1'
log.info(
'using node_cluster_ip for localhost (builtin): "{node_cluster_ip}"',
node_cluster_ip=node_cluster_ip)
# first, write the public file
tags = OrderedDict([
('creator', _creator()),
('created-at', utcnow()),
('machine-id', _machine_id()),
('node-authid', node_authid),
('node-cluster-ip', node_cluster_ip),
('public-key-ed25519', pubkey_hex),
('public-adr-eth', eth_pubadr),
])
msg = 'Crossbar.io node public key\n\n'
_write_node_key(pubkey_path, tags, msg)
# now, add the private key and write the private file
tags['private-key-ed25519'] = privkey_hex
tags['private-key-eth'] = eth_privkey_seed_hex
msg = 'Crossbar.io node private key - KEEP THIS SAFE!\n\n'
_write_node_key(privkey_path, tags, msg)
log.info(
'New node key pair generated! public-key-ed25519={pubkey}, node-authid={node_authid}, public-adr-eth={eth_pubadr}',
pubkey=hlid('0x' + pubkey_hex),
node_authid=node_authid,
eth_pubadr=hlid(eth_pubadr))
was_new = True
# fix file permissions on node public/private key files
# note: we use decimals instead of octals as octal literals have changed between Py2/3
#
if os.stat(
pubkey_path).st_mode & 511 != 420: # 420 (decimal) == 0644 (octal)
os.chmod(pubkey_path, 420)
log.info("File permissions on node public key fixed")
if os.stat(privkey_path
).st_mode & 511 != 384: # 384 (decimal) == 0600 (octal)
os.chmod(privkey_path, 384)
log.info("File permissions on node private key fixed")
log.info(
'Node key loaded from {priv_path}',
priv_path=hlid(privkey_path),
)
return was_new, cryptosign.CryptosignKey(privkey, can_sign=True)
import json
from base64 import b64decode
from nacl import signing
priv_val = json.load(open('priv_validator.json'))
# The *amino type* 954568A3288910 is 64 bytes long, where
# raw 32-byte priv key are concatenated to raw 32-byte pub key.
raw_key = b64decode(priv_val['priv_key']['value'])
signing_key_bytes, verifying_key_bytes = raw_key[:32], raw_key[32:]
signing_key = signing.SigningKey(signing_key_bytes)
verify_key = signing.VerifyKey(verifying_key_bytes)
signed = signing_key.sign(b'I love cats.')
# Will raise nacl.exceptions.BadSignatureError if the signature check fails
verify_key.verify(signed)
# The following code will raise the exception.
# signing.VerifyKey(verifying_key_bytes[:31] + b'\x00').verify(signed)
def __init__(self):
self._seed = os.urandom(32)
self._ed25519_secret = signing.SigningKey(self._seed)
def _maybe_generate_key(cbdir, privfile=u'key.priv', pubfile=u'key.pub'):
was_new = True
privkey_path = os.path.join(cbdir, privfile)
pubkey_path = os.path.join(cbdir, pubfile)
if os.path.exists(privkey_path):
# node private key seems to exist already .. check!
priv_tags = _parse_key_file(privkey_path, private=True)
for tag in [
u'creator', u'created-at', u'machine-id',
u'public-key-ed25519', u'private-key-ed25519'
]:
if tag not in priv_tags:
raise Exception(
"Corrupt node private key file {} - {} tag not found".
format(privkey_path, tag))
privkey_hex = priv_tags[u'private-key-ed25519']
privkey = signing.SigningKey(privkey_hex, encoder=encoding.HexEncoder)
pubkey = privkey.verify_key
pubkey_hex = pubkey.encode(encoder=encoding.HexEncoder).decode('ascii')
if priv_tags[u'public-key-ed25519'] != pubkey_hex:
raise Exception((
"Inconsistent node private key file {} - public-key-ed25519 doesn't"
" correspond to private-key-ed25519").format(pubkey_path))
if os.path.exists(pubkey_path):
pub_tags = _parse_key_file(pubkey_path, private=False)
for tag in [
u'creator', u'created-at', u'machine-id',
u'public-key-ed25519'
]:
if tag not in pub_tags:
raise Exception(
"Corrupt node public key file {} - {} tag not found".
format(pubkey_path, tag))
if pub_tags[u'public-key-ed25519'] != pubkey_hex:
raise Exception((
"Inconsistent node public key file {} - public-key-ed25519 doesn't"
" correspond to private-key-ed25519").format(pubkey_path))
else:
log.info(
"Node public key file {pub_path} not found - re-creating from node private key file {priv_path}",
pub_path=pubkey_path,
priv_path=privkey_path,
)
pub_tags = OrderedDict([
(u'creator', priv_tags[u'creator']),
(u'created-at', priv_tags[u'created-at']),
(u'machine-id', priv_tags[u'machine-id']),
(u'public-key-ed25519', pubkey_hex),
])
msg = u'Crossbar.io node public key\n\n'
_write_node_key(pubkey_path, pub_tags, msg)
log.info(
'Node key files exist and are valid. Node public key is {pubkey}',
pubkey=hlid('0x' + pubkey_hex))
was_new = False
else:
# node private key does not yet exist: generate one
privkey = signing.SigningKey.generate()
privkey_hex = privkey.encode(
encoder=encoding.HexEncoder).decode('ascii')
pubkey = privkey.verify_key
pubkey_hex = pubkey.encode(encoder=encoding.HexEncoder).decode('ascii')
# first, write the public file
tags = OrderedDict([
(u'creator', _creator()),
(u'created-at', utcnow()),
(u'machine-id', _machine_id()),
(u'public-key-ed25519', pubkey_hex),
])
msg = u'Crossbar.io node public key\n\n'
_write_node_key(pubkey_path, tags, msg)
# now, add the private key and write the private file
tags[u'private-key-ed25519'] = privkey_hex
msg = u'Crossbar.io node private key - KEEP THIS SAFE!\n\n'
_write_node_key(privkey_path, tags, msg)
log.info('New node key pair generated! Public key is {pubkey}',
pubkey=hlid('0x' + pubkey_hex))
# fix file permissions on node public/private key files
# note: we use decimals instead of octals as octal literals have changed between Py2/3
#
if os.stat(
pubkey_path).st_mode & 511 != 420: # 420 (decimal) == 0644 (octal)
os.chmod(pubkey_path, 420)
log.info("File permissions on node public key fixed")
if os.stat(privkey_path
).st_mode & 511 != 384: # 384 (decimal) == 0600 (octal)
os.chmod(privkey_path, 384)
log.info("File permissions on node private key fixed")
log.info(
'Node key loaded from {priv_path}',
priv_path=hlid(privkey_path),
)
return was_new, cryptosign.SigningKey(privkey)
def keypair(self) -> bytes:
"""The 64 byte keypair for this account (base 58 encoded)."""
return b58encode(
self.secret_key() +
bytes(signing.SigningKey(self.secret_key()).verify_key))
def public_key(self) -> PublicKey:
"""The public key for this account."""
verify_key = signing.SigningKey(self.secret_key()).verify_key
return PublicKey(bytes(verify_key))
def load_key(private):
private = signing.SigningKey(private.encode(),
encoder=encoding.URLSafeBase64Encoder)
public = private.verify_key.encode(encoding.Base32Encoder).decode()
database.write(public, 'keypair', 'public')
database.write(private, 'keypair', 'private')
def post(self, request):
form = GSF(request.POST)
pubk = None
privk = None
pubfp = None
privfp = None
edseed = None
if not form.is_valid():
raise RuntimeError("Invalid HTML form submitted")
seed = form.cleaned_data['seed']
if seed == 'none':
gke = pubfool.PrivateKey.generate()
gks = signfool.SigningKey.generate()
db.set('gke', gke)
db.set('gks', gks)
seed = base64.b64encode(
json.dumps(
dict(gke={
'public_key':
base64.b64encode(gke.public_key._public_key).decode(),
'private_key':
base64.b64encode(gke._private_key).decode()
},
gks={'seed': base64.b64encode(gks._seed).decode()
})).encode()).decode()
pubk = gke.public_key._public_key
privk = gke._private_key
edseed = gks._seed
sk = gks.verify_key.encode(encoder=b64)
ek = gke.public_key.encode(encoder=b64)
gkfp = base64.b64encode(whirlpool(sk + ek))
db.set('gkfp', gkfp.decode())
sendgroup(gkfp, sk, ek)
else:
seed = base64.b64decode(seed).decode()
seed = json.loads(seed)
# Format of seed:
# {'public_key': 'base64-encoded PublicKey', 'private_key': 'base64-encoded PrivateKey'}
pub = pubk = base64.b64decode(seed['gke']['public_key'])
if len(pub) != 32:
return "Error: Public key's length should be 32 bytes, check your input"
priv = privk = base64.b64decode(seed['gke']['private_key'])
if len(priv) != 32:
return "Error: Private key's length should be 32 bytes, check your input tool"
# Construct a PublicKey object
pub = pubfool.PublicKey(pub)
# Construct a Private Key object
priv = pubfool.PrivateKey(priv)
priv.public_key = pub
edseed = base64.b64decode(seed['gks']['seed'])
gks = signfool.SigningKey(seed=edseed)
sk = gks.verify_key.encode(encoder=b64)
ek = priv.public_key.encode(encoder=b64)
gkfp = base64.b64encode(whirlpool(sk + ek))
# Save the key
db.set('gke', priv)
db.set('gks', gks)
db.set('gkfp', gkfp.decode())
# I think it's already sent to the server because it was off a seed
# Create a seed
pubfp = base64.b64encode(whirlpool(pubk)).decode()
privfp = base64.b64encode(whirlpool(privk)).decode()
edseed = base64.b64encode(whirlpool(edseed)).decode()
return render(request, 'group.post.html', {
'edseed': edseed,
'pubfp': pubfp,
'privfp': privfp,
'seed': seed,
})
# dd if=/dev/urandom of=my-secret-seed bs=1 count=32
seed = open("/home/00/d861703/Nextcloud/projects/scripts/my-secret-seed",
"rb").read()
keydata = {}
keydata['ssh-rsa'] = RSA.generate(4096, randfunc=PRNG(seed))
keydata['ecdsa-sha2-nistp521'] = ecdsa.SigningKey.generate(
entropy=PRNG(seed), curve=ecdsa.NIST521p)
# Convert ecdsa key to format used by OpenSSH
ecdsa_pub = commands.getoutput(
"echo '%s' | ssh-keygen -i -m PKCS8 -f /dev/stdin" %
keydata['ecdsa-sha2-nistp521'].get_verifying_key().to_pem())
keydata['ssh-ed25519'] = ed25519.SigningKey(seed)
ed25519_base64 = codecs.encode(putEd25519Key(keydata['ssh-ed25519'], comment),
'base64').rstrip()
# Write key data to disk
f = open('ssh_host_rsa_key', 'wb+')
f.write(keydata['ssh-rsa'].exportKey('PEM'))
f.write("\n")
f.close()
f2 = open('ssh_host_rsa_key.pub', 'wb+')
f2.write(keydata['ssh-rsa'].publickey().exportKey('OpenSSH'))
f2.write("\n")
f2.close()
f3 = open('ssh_host_ecdsa_key', 'wb+')
#!/usr/bin/env python3
import argparse
from nacl import encoding, signing
import os
parser = argparse.ArgumentParser()
parser.add_argument('--key', help='location of signing key file, default ./keys/sign')
parser.add_argument('file', nargs='+', help='files to sign')
args = parser.parse_args()
if args.key is None:
args.key = os.path.dirname(os.path.realpath(__file__)) + "/keys/sign"
sign_key_f = os.open(args.key, os.O_RDONLY)
sign_key_hex = os.read(sign_key_f, 64)
os.close(sign_key_f)
sign_key = signing.SigningKey(sign_key_hex, encoder=encoding.HexEncoder)
for arg in args.file:
with open(arg, "rb") as f:
signed = sign_key.sign(f.read())
with open(arg + ".signed", "wb") as f:
f.write(signed)
def __init__(self, access_key: str, signing_key_seed: bytes):
self.access_key = access_key
self.signing_key = signing.SigningKey(signing_key_seed)
def __init__(self, private_key: bytes):
self._signing_key = signing.SigningKey(private_key)
def get_pub_key_from_priv(priv_key: UserIDSecretKey,
raw_encoding: bool = False) -> UserID:
return signing.SigningKey(
priv_key, encoder=encoding.Base32Encoder).verify_key.encode(
encoding.Base32Encoder)
def sign_message(message, passphrase):
priv_key = signing.SigningKey(sha256(str.encode(passphrase)).digest())
signature = hexlify(priv_key.sign(str.encode(message))).decode()
pub_key = priv_key.verify_key.encode(encoder=encoding.HexEncoder).decode()
return (signature, pub_key)
