def _export_subjectPublicKeyInfo(self, compress):
# See 2.2 in RFC5480 and 2.3.3 in SEC1
# The first byte is:
# - 0x02: compressed, only X-coordinate, Y-coordinate is even
# - 0x03: compressed, only X-coordinate, Y-coordinate is odd
# - 0x04: uncompressed, X-coordinate is followed by Y-coordinate
#
# PAI is in theory encoded as 0x00.
order_bytes = _curve.order.size_in_bytes()
if compress:
first_byte = 2 + self.pointQ.y.is_odd()
public_key = (bchr(first_byte) +
self.pointQ.x.to_bytes(order_bytes))
else:
public_key = (bchr(4) +
self.pointQ.x.to_bytes(order_bytes) +
self.pointQ.y.to_bytes(order_bytes))
unrestricted_oid = "1.2.840.10045.2.1"
return _create_subject_public_key_info(unrestricted_oid,
public_key,
DerObjectId(_curve.oid))
def test_update(self):
pieces = [bchr(10) * 200, bchr(20) * 300]
h = self.shake.new()
h.update(pieces[0]).update(pieces[1])
digest = h.read(10)
h = self.shake.new()
h.update(pieces[0] + pieces[1])
self.assertEqual(h.read(10), digest)
def test_update(self):
pieces = [bchr(10) * 200, bchr(20) * 300]
h = keccak.new(digest_bytes=64)
h.update(pieces[0]).update(pieces[1])
digest = h.digest()
h = keccak.new(digest_bytes=64)
h.update(pieces[0] + pieces[1])
self.assertEqual(h.digest(), digest)
def test_nonce_length(self):
# nonce can be of any length (but not empty)
self.assertRaises(ValueError, AES.new, self.key_128, AES.MODE_GCM,
nonce=b(""))
for x in range(1, 128):
cipher = AES.new(self.key_128, AES.MODE_GCM, nonce=bchr(1) * x)
cipher.encrypt(bchr(1))
def _definite_form(length):
"""Build length octets according to BER/DER
definite form.
"""
if length > 127:
encoding = long_to_bytes(length)
return bchr(len(encoding) + 128) + encoding
return bchr(length)
def test_nonce_length(self):
self.assertRaises(ValueError, AES.new, self.key_128, AES.MODE_CCM,
nonce=b(""))
self.assertRaises(ValueError, AES.new, self.key_128, AES.MODE_CCM,
nonce=bchr(1) * 6)
self.assertRaises(ValueError, AES.new, self.key_128, AES.MODE_CCM,
nonce=bchr(1) * 14)
for x in range(7, 13 + 1):
AES.new(self.key_128, AES.MODE_CCM, nonce=bchr(1) * x)
def encode(self):
"""Return the DER INTEGER, fully encoded as a
binary string."""
number = self.value
self.payload = b''
while True:
self.payload = bchr(int(number & 255)) + self.payload
if 128 <= number <= 255:
self.payload = bchr(0x00) + self.payload
if -128 <= number <= 255:
break
number >>= 8
return DerObject.encode(self)
def runTest(self):
self.assertRaises(ValueError, ARC2.new, bchr(0) * 4, ARC2.MODE_ECB)
self.assertRaises(ValueError, ARC2.new, bchr(0) * 129, ARC2.MODE_ECB)
self.assertRaises(ValueError,
ARC2.new,
bchr(0) * 16,
ARC2.MODE_ECB,
effective_keylen=39)
self.assertRaises(ValueError,
ARC2.new,
bchr(0) * 16,
ARC2.MODE_ECB,
effective_keylen=1025)
def test_seek_tv(self):
# Test Vector #4, A.1 from
# http://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-04
key = bchr(0) + bchr(255) + bchr(0) * 30
nonce = bchr(0) * 8
cipher = ChaCha20.new(key=key, nonce=nonce)
cipher.seek(64 * 2)
expected_key_stream = unhexlify(b(
"72d54dfbf12ec44b362692df94137f32"
"8fea8da73990265ec1bbbea1ae9af0ca"
"13b25aa26cb4a648cb9b9d1be65b2c09"
"24a66c54d545ec1b7374f4872e99f096"
))
ct = cipher.encrypt(bchr(0) * len(expected_key_stream))
self.assertEqual(expected_key_stream, ct)
def adjust_key_parity(key_in):
"""Set the parity bits in a TDES key.
:param key_in: the TDES key whose bits need to be adjusted
:type key_in: byte string
:returns: a copy of ``key_in``, with the parity bits correctly set
:rtype: byte string
:raises ValueError: if the TDES key is not 16 or 24 bytes long
:raises ValueError: if the TDES key degenerates into Single DES
"""
def parity_byte(key_byte):
parity = 1
for i in range(1, 8):
parity ^= (key_byte >> i) & 1
return (key_byte & 0xFE) | parity
if len(key_in) not in key_size:
raise ValueError("Not a valid TDES key")
key_out = b"".join([bchr(parity_byte(bord(x))) for x in key_in])
if key_out[:8] == key_out[8:16] or key_out[-16:-8] == key_out[-8:]:
raise ValueError("Triple DES key degenerates to single DES")
return key_out
def _export_private_der(self, include_ec_params=True):
assert self.has_private()
# ECPrivateKey ::= SEQUENCE {
# version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
# privateKey OCTET STRING,
# parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
# publicKey [1] BIT STRING OPTIONAL
# }
# Public key - uncompressed form
order_bytes = _curve.order.size_in_bytes()
public_key = (bchr(4) +
self.pointQ.x.to_bytes(order_bytes) +
self.pointQ.y.to_bytes(order_bytes))
seq = [1,
DerOctetString(self.d.to_bytes(order_bytes)),
DerObjectId(_curve.oid, explicit=0),
DerBitString(public_key, explicit=1)]
if not include_ec_params:
del seq[2]
return DerSequence(seq).encode()
def test_nonce_length(self):
# nonce can be of any length (but not empty)
self.assertRaises(ValueError, AES.new, self.key_256, AES.MODE_SIV,
nonce=b(""))
for x in range(1, 128):
cipher = AES.new(self.key_256, AES.MODE_SIV, nonce=bchr(1) * x)
cipher.encrypt_and_digest(b'\x01')
def encode(self):
"""Return this DER element, fully encoded as a binary byte string."""
# Concatenate identifier octets, length octets,
# and contents octets
output_payload = self.payload
# In case of an EXTERNAL tag, first encode the inner
# element.
if hasattr(self, "_inner_tag_octet"):
output_payload = (bchr(self._inner_tag_octet) +
self._definite_form(len(self.payload)) +
self.payload)
return (bchr(self._tag_octet) +
self._definite_form(len(output_payload)) + output_payload)
def encode(self):
"""Return the DER OBJECT ID, fully encoded as a
binary string."""
comps = [int(x) for x in self.value.split(".")]
if len(comps) < 2:
raise ValueError("Not a valid Object Identifier string")
self.payload = bchr(40 * comps[0] + comps[1])
for v in comps[2:]:
if v == 0:
enc = [0]
else:
enc = []
while v:
enc.insert(0, (v & 0x7F) | 0x80)
v >>= 7
enc[-1] &= 0x7F
self.payload += b''.join([bchr(x) for x in enc])
return DerObject.encode(self)
def _export_openssh(self, compress):
if self.has_private():
raise ValueError("Cannot export OpenSSH private keys")
desc = "ecdsa-sha2-nistp256"
order_bytes = _curve.order.size_in_bytes()
if compress:
first_byte = 2 + self.pointQ.y.is_odd()
public_key = (bchr(first_byte) +
self.pointQ.x.to_bytes(order_bytes))
else:
public_key = (bchr(4) +
self.pointQ.x.to_bytes(order_bytes) +
self.pointQ.y.to_bytes(order_bytes))
comps = (tobytes(desc), b("nistp256"), public_key)
blob = b("").join([ struct.pack(">I", len(x)) + x for x in comps])
return desc + " " + tostr(binascii.b2a_base64(blob))
def test_degradation(self):
sub_key1 = bchr(1) * 8
sub_key2 = bchr(255) * 8
# K1 == K2
self.assertRaises(ValueError, DES3.adjust_key_parity,
sub_key1 * 2 + sub_key2)
# K2 == K3
self.assertRaises(ValueError, DES3.adjust_key_parity,
sub_key1 + sub_key2 * 2)
# K1 == K2 == K3
self.assertRaises(ValueError, DES3.adjust_key_parity,
sub_key1 * 3)
# K1 == K2 (with different parity)
self.assertRaises(ValueError, DES3.adjust_key_parity,
sub_key1 + strxor_c(sub_key1, 1) + sub_key2)
def runTest(self):
key = RSA.generate(1024)
hashed = SHA1.new(b("Test"))
good_signature = PKCS1_PSS.new(key).sign(hashed)
verifier = PKCS1_PSS.new(key.publickey())
self.assertEqual(verifier.verify(hashed, good_signature), True)
# Flip a few bits in the signature
bad_signature = strxor(good_signature, bchr(1) * len(good_signature))
self.assertEqual(verifier.verify(hashed, bad_signature), False)
def runTest(self):
key = RSA.importKey(PKCS1_15_NoParams.rsakey)
hashed = SHA1.new(b("Test"))
good_signature = PKCS1_v1_5.new(key).sign(hashed)
verifier = PKCS1_v1_5.new(key.publickey())
self.assertEqual(verifier.verify(hashed, good_signature), True)
# Flip a few bits in the signature
bad_signature = strxor(good_signature, bchr(1) * len(good_signature))
self.assertEqual(verifier.verify(hashed, bad_signature), False)
def _generate_domain(L, randfunc):
"""Generate a new set of DSA domain parameters"""
N = {1024: 160, 2048: 224, 3072: 256}.get(L)
if N is None:
raise ValueError("Invalid modulus length (%d)" % L)
outlen = SHA256.digest_size * 8
n = (L + outlen - 1) // outlen - 1 # ceil(L/outlen) -1
b_ = L - 1 - (n * outlen)
# Generate q (A.1.1.2)
q = Integer(4)
upper_bit = 1 << (N - 1)
while test_probable_prime(q, randfunc) != PROBABLY_PRIME:
seed = randfunc(64)
U = Integer.from_bytes(SHA256.new(seed).digest()) & (upper_bit - 1)
q = U | upper_bit | 1
assert (q.size_in_bits() == N)
# Generate p (A.1.1.2)
offset = 1
upper_bit = 1 << (L - 1)
while True:
V = [
SHA256.new(seed + Integer(offset + j).to_bytes()).digest()
for j in iter_range(n + 1)
]
V = [Integer.from_bytes(v) for v in V]
W = sum([V[i] * (1 << (i * outlen)) for i in iter_range(n)],
(V[n] & ((1 << b_) - 1)) * (1 << (n * outlen)))
X = Integer(W + upper_bit) # 2^{L-1} < X < 2^{L}
assert (X.size_in_bits() == L)
c = X % (q * 2)
p = X - (c - 1) # 2q divides (p-1)
if p.size_in_bits() == L and \
test_probable_prime(p, randfunc) == PROBABLY_PRIME:
break
offset += n + 1
# Generate g (A.2.3, index=1)
e = (p - 1) // q
for count in itertools.count(1):
U = seed + b"ggen" + bchr(1) + Integer(count).to_bytes()
W = Integer.from_bytes(SHA256.new(U).digest())
g = pow(W, e, p)
if g != 1:
break
return (p, q, g, seed)
def runTest(self):
key = b'0' * 16
h = SHA256.new()
for length in range(160):
nonce = '{0:04d}'.format(length).encode('utf-8')
data = bchr(length) * length
cipher = AES.new(key, AES.MODE_GCM, nonce=nonce, **self._extra_params)
ct, tag = cipher.encrypt_and_digest(data)
h.update(ct)
h.update(tag)
self.assertEqual(h.hexdigest(), "7b7eb1ffbe67a2e53a912067c0ec8e62ebc7ce4d83490ea7426941349811bdf4")
def _compute_nonce(self, mhash):
"""Generate k in a deterministic way"""
# See section 3.2 in RFC6979.txt
# Step a
h1 = mhash.digest()
# Step b
mask_v = bchr(1) * mhash.digest_size
# Step c
nonce_k = bchr(0) * mhash.digest_size
for int_oct in 0, 1:
# Step d/f
nonce_k = HMAC.new(
nonce_k, mask_v + bchr(int_oct) +
self._int2octets(self._private_key) + self._bits2octets(h1),
mhash).digest()
# Step e/g
mask_v = HMAC.new(nonce_k, mask_v, mhash).digest()
nonce = -1
while not (0 < nonce < self._order):
# Step h.C (second part)
if nonce != -1:
nonce_k = HMAC.new(nonce_k, mask_v + bchr(0), mhash).digest()
mask_v = HMAC.new(nonce_k, mask_v, mhash).digest()
# Step h.A
mask_t = b("")
# Step h.B
while len(mask_t) < self._order_bytes:
mask_v = HMAC.new(nonce_k, mask_v, mhash).digest()
mask_t += mask_v
# Step h.C (first part)
nonce = self._bits2int(mask_t)
return nonce
def test3(self):
for keylen, taglen, result in self.tv3:
key = bchr(0) * (keylen // 8 - 1) + bchr(taglen)
C = b("")
for i in range(128):
S = bchr(0) * i
N = long_to_bytes(3 * i + 1, 12)
cipher = AES.new(key,
AES.MODE_OCB,
nonce=N,
mac_len=taglen // 8)
cipher.update(S)
C += cipher.encrypt(S) + cipher.encrypt() + cipher.digest()
N = long_to_bytes(3 * i + 2, 12)
cipher = AES.new(key,
AES.MODE_OCB,
nonce=N,
mac_len=taglen // 8)
C += cipher.encrypt(S) + cipher.encrypt() + cipher.digest()
N = long_to_bytes(3 * i + 3, 12)
cipher = AES.new(key,
AES.MODE_OCB,
nonce=N,
mac_len=taglen // 8)
cipher.update(S)
C += cipher.encrypt() + cipher.digest()
N = long_to_bytes(385, 12)
cipher = AES.new(key, AES.MODE_OCB, nonce=N, mac_len=taglen // 8)
cipher.update(C)
result2 = cipher.encrypt() + cipher.digest()
self.assertEqual(unhexlify(b(result)), result2)
def runTest(self):
sub_key1 = bchr(1) * 8
sub_key2 = bchr(255) * 8
# K1 == K2
self.assertRaises(ValueError, DES3.new,
sub_key1 * 2 + sub_key2,
DES3.MODE_ECB)
# K2 == K3
self.assertRaises(ValueError, DES3.new,
sub_key1 + sub_key2 * 2,
DES3.MODE_ECB)
# K1 == K2 == K3
self.assertRaises(ValueError, DES3.new,
sub_key1 *3,
DES3.MODE_ECB)
# K2 == K3 (parity is ignored)
self.assertRaises(ValueError, DES3.new,
sub_key1 + sub_key2 + strxor_c(sub_key2, 0x1),
DES3.MODE_ECB)
def test_asn1_encoding(self):
"""Verify ASN.1 encoding"""
self.description = "ASN.1 encoding test"
hash_obj = SHA256.new()
signer = DSS.new(self.key_priv, 'fips-186-3', 'der')
signature = signer.sign(hash_obj)
# Verify that output looks like a DER SEQUENCE
self.assertEqual(bord(signature[0]), 48)
signer.verify(hash_obj, signature)
# Verify that ASN.1 parsing fails as expected
signature = bchr(7) + signature[1:]
self.assertRaises(ValueError, signer.verify, hash_obj, signature)
def random(cls, **kwargs):
"""Generate a random natural integer of a certain size.
:Keywords:
exact_bits : positive integer
The length in bits of the resulting random Integer number.
The number is guaranteed to fulfil the relation:
2^bits > result >= 2^(bits - 1)
max_bits : positive integer
The maximum length in bits of the resulting random Integer number.
The number is guaranteed to fulfil the relation:
2^bits > result >=0
randfunc : callable
A function that returns a random byte string. The length of the
byte string is passed as parameter. Optional.
If not provided (or ``None``), randomness is read from the system RNG.
:Return: a Integer object
"""
exact_bits = kwargs.pop("exact_bits", None)
max_bits = kwargs.pop("max_bits", None)
randfunc = kwargs.pop("randfunc", None)
if randfunc is None:
randfunc = Random.new().read
if exact_bits is None and max_bits is None:
raise ValueError(
"Either 'exact_bits' or 'max_bits' must be specified")
if exact_bits is not None and max_bits is not None:
raise ValueError(
"'exact_bits' and 'max_bits' are mutually exclusive")
bits = exact_bits or max_bits
bytes_needed = ((bits - 1) // 8) + 1
significant_bits_msb = 8 - (bytes_needed * 8 - bits)
msb = bord(randfunc(1)[0])
if exact_bits is not None:
msb |= 1 << (significant_bits_msb - 1)
msb &= (1 << significant_bits_msb) - 1
return cls.from_bytes(bchr(msb) + randfunc(bytes_needed - 1))
def encode(self):
"""Return the DER OBJECT ID, fully encoded as a
binary string."""
comps = list(map(int, self.value.split(".")))
if len(comps) < 2:
raise ValueError("Not a valid Object Identifier string")
self.payload = bchr(40 * comps[0] + comps[1])
for v in comps[2:]:
enc = []
while v:
enc.insert(0, (v & 0x7F) | 0x80)
v >>= 7
enc[-1] &= 0x7F
self.payload += b('').join(map(bchr, enc))
return DerObject.encode(self)
def _export_openssh(self, compress):
if self.has_private():
raise ValueError("Cannot export OpenSSH private keys")
desc = self._curve.openssh
modulus_bytes = self.pointQ.size_in_bytes()
if compress:
first_byte = 2 + self.pointQ.y.is_odd()
public_key = (bchr(first_byte) +
self.pointQ.x.to_bytes(modulus_bytes))
else:
public_key = (b'\x04' + self.pointQ.x.to_bytes(modulus_bytes) +
self.pointQ.y.to_bytes(modulus_bytes))
middle = desc.split("-")[2]
comps = (tobytes(desc), tobytes(middle), public_key)
blob = b"".join([struct.pack(">I", len(x)) + x for x in comps])
return desc + " " + tostr(binascii.b2a_base64(blob))
def test_wrap_around(self):
# Counter is only 8 bits, so we can only encrypt/decrypt 256 blocks (=4096 bytes)
counter = Counter.new(8, prefix=bchr(9) * 15)
max_bytes = 4096
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter)
cipher.encrypt(b'9' * max_bytes)
self.assertRaises(OverflowError, cipher.encrypt, b'9')
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter)
self.assertRaises(OverflowError, cipher.encrypt,
b'9' * (max_bytes + 1))
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter)
cipher.decrypt(b'9' * max_bytes)
self.assertRaises(OverflowError, cipher.decrypt, b'9')
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter)
self.assertRaises(OverflowError, cipher.decrypt,
b'9' * (max_bytes + 1))
def to_bytes(self, block_size=0):
"""Convert the number into a byte string.
This method encodes the number in network order and prepends
as many zero bytes as required. It only works for non-negative
values.
:Parameters:
block_size : integer
The exact size the output byte string must have.
If zero, the string has the minimal length.
:Returns:
A byte string.
:Raise ValueError:
If the value is negative or if ``block_size`` is
provided and the length of the byte string would exceed it.
"""
if self < 0:
raise ValueError("Conversion only valid for non-negative numbers")
buf_len = (_gmp.mpz_sizeinbase(self._mpz_p, 2) + 7) // 8
if buf_len > block_size > 0:
raise ValueError("Number is too big to convert to byte string"
"of prescribed length")
buf = create_string_buffer(buf_len)
_gmp.mpz_export(
buf,
null_pointer, # Ignore countp
1, # Big endian
c_size_t(1), # Each word is 1 byte long
0, # Endianess within a word - not relevant
c_size_t(0), # No nails
self._mpz_p)
return bchr(0) * max(0, block_size - buf_len) + get_raw_buffer(buf)
def func(x):
if (bord(x[0]) & 0x80):
return bchr(0) + x
else:
return x
